It is quite disturbing how complacent some organisations are about information security. Ask a director to name his company’s most important asset, and he will probably say “people” or “information”. Ask him what it does to protect that information and the answer is likely to be “I don’t know”.

This response is alarming. Many directors still think that information security is something for the IT department, rather than an important management issue for the board.

This mind-set could soon change. High profile security breaches inflicted on global organisations by hackers have highlighted the vulnerability of information. Some organisations have had to deal with lost productivity and downtime caused by the Love Bug, Melissa and recent Anna Kournikova viruses.

Even if these incidents were not enough to make board members take information security seriously, the introduction of UK corporate governance requirements will. Making directors responsible for maintaining a system of internal controls to safeguard shareholder investment and the company’s assets propels information security into the boardroom. Directors must ensure that they have implemented reasonable steps to protect their company’s information.

The single most significant step an organisation can take to protect its information and comply with corporate governance is to set up an information security policy. Before you can devise and implement it, you need to conduct a vulnerability risk assessment to establish where risk exists.

Internal risk
The explosive growth of the internet and electronic commerce has increased companies’ exposure to information security risks. Data and information are more vulnerable than ever before. But media coverage has focused on the threats posed by hackers and viruses, often overlooking a far more insidious threat – that from within an organisation itself. It is employees that pose the most serious risk to a company’s information, as shown by a recent Department of Trade and Industry report. This concluded that an organisation’s information is at far greater risk from its staff than from viruses or hackers.

Research shows that organisations spend 80% of their security budget on external information security measures, but only 20% on implementing effective internal security. All too often, IT managers fall into the trap of thinking that, by integrating defences to protect against external threats, they have addressed the security issue. They fail to take into account the real risk posed from within.

Within hours of employees joining a company, they frequently have access to valuable information, or to the systems that keep it flowing. Without the right controls in place, a member of staff could easily destroy or corrupt critical information.

While there are disgruntled employees who deliberately set out to destroy or damage data, some data loss incidents occur far more innocently. Staff may accidentally make an error that has disastrous consequences. In some incidents, lack of communication between the IT department and human resources is the cause of security breaches.

Typically, when a member of staff leaves a company, their passwords and e-mail access should be deleted. However, in many situations, their passwords remain live, and they continue to have access rights to the corporate network, usually because the IT department is unaware of their departure. Careful monitoring and regular updating of staff’s data access rights, and revoking passwords for staff that leave, are essential. Sensitive information can all too easily end up in the wrong hands. An effective information security policy ensures best practices in this area and reduces such internal risks.
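As an added illustration of the leaver check described above (this is example code, not part of the article or of any product it mentions): a small reconciliation script that compares an HR leavers feed with an export of user accounts and flags accounts that are still enabled after their owner has left, or that have no HR owner at all. The record layouts, field names, user names and dates are constructed assumptions; in practice the two inputs would come from the HR system and the directory or e-mail server.

```python
"""
Leaver access reconciliation (added example, not from the article).

Assumed inputs, constructed inline below:
  - an HR leavers feed: employee id, name, leaving date
  - an HR list of every employee id the company knows about
  - an account export: account name, owning employee id, enabled flag,
    date of last logon
The check reports enabled accounts whose owner has already left, and
enabled accounts that map to no HR record (orphan or service accounts
that nobody owns).
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set


@dataclass(frozen=True)
class Leaver:
    employee_id: str
    name: str
    left_on: date


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]   # None when the export carries no owner
    enabled: bool
    last_logon: Optional[date]   # None when the account never logged on


@dataclass(frozen=True)
class Finding:
    username: str
    reason: str                  # "leaver_still_enabled" or "no_hr_owner"
    days_since_leaving: Optional[int]
    severity: str                # "high" or "medium"


def find_stale_access(leavers: List[Leaver], accounts: List[Account],
                      known_employee_ids: Set[str], as_of: date) -> List[Finding]:
    """Return one Finding per enabled account that should not be enabled."""
    # Only people whose leaving date has passed count as leavers today;
    # someone with a future leaving date still legitimately needs access.
    left_by_id = {lv.employee_id: lv for lv in leavers if lv.left_on <= as_of}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue                       # already revoked, nothing to do
        leaver = left_by_id.get(acct.employee_id)
        if leaver is not None:
            days = (as_of - leaver.left_on).days
            # A logon after the leaving date means the live account was
            # actually used, so rank that above a merely forgotten one.
            used_after = acct.last_logon is not None and acct.last_logon > leaver.left_on
            findings.append(Finding(acct.username, "leaver_still_enabled", days,
                                    "high" if used_after else "medium"))
        elif acct.employee_id is None or acct.employee_id not in known_employee_ids:
            findings.append(Finding(acct.username, "no_hr_owner", None, "medium"))
    return findings


def run_example() -> List[Finding]:
    """Run the check over constructed sample data and return the findings."""
    as_of = date(2001, 3, 1)
    # Constructed HR data (hypothetical ids and names)
    known_ids = {"E1001", "E1002", "E1003", "E1004"}
    leavers = [
        Leaver("E1001", "A. Example", date(2001, 1, 15)),
        Leaver("E1002", "B. Example", date(2001, 2, 20)),
        Leaver("E1004", "E. Example", date(2001, 3, 15)),  # has not left yet
    ]
    # Constructed account export
    accounts = [
        Account("alice", "E1001", True, date(2001, 2, 3)),    # left, still used
        Account("bob", "E1002", False, date(2001, 2, 19)),    # correctly disabled
        Account("carol", "E1003", True, date(2001, 2, 28)),   # current employee
        Account("svc_backup", None, True, None),              # no owner recorded
        Account("dave", "E1999", True, date(2001, 2, 27)),    # id unknown to HR
        Account("eve", "E1004", True, date(2001, 2, 28)),     # leaving in future
    ]
    return find_stale_access(leavers, accounts, known_ids, as_of)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.severity:6} {f.username:12} {f.reason} "
              f"{'' if f.days_since_leaving is None else f'({f.days_since_leaving} days ago)'}")
```

The point of comparing against the HR feed rather than waiting for IT to be told is the one the text makes: the department that knows someone has left is usually not the one that holds the account, so the reconciliation has to be run on a schedule against HR data, and an account with no HR owner at all deserves a look even when no one has left.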

More commonly, companies put policies in place that stipulate how much internet access staff have. This is becoming an increasingly popular move in light of the many cases where organisations have endured the humiliation of having to admit that obscene material has been downloaded onto some of their staff PCs. In fact, a survey by the Computer Security Institute (CSI) showed that, in 2000, 91% of organisations detected employee abuse of internet access privileges, such as downloading pornography or pirated software.

External threats
Traditionally, businesses have taken the threat from external risks more seriously than the internal one. Firewalls and regularly updated virus software play a role in fending off external attacks, but even these cannot provide complete protection against a security breach.

Few organisations are immune from attack, regardless of their size. In the UK, several government websites have been hacked, and there have been breaches in financial institutions’ security. Recently, we have also seen the well publicised Microsoft “hack” attack.

Even if a firewall is properly configured, security breaches are possible if security on the servers behind the perimeter defences is lax. Once again, this highlights why technology has failed so many organisations. Adopting a comprehensive approach to data security means working to eliminate all weak links in the chain.

Effective security
There are a number of guides that provide detailed information on how to create and implement an effective and on-going information security policy, such as Information Security Policies Made Easy by US security expert Charles Cresson Wood.

For a data security policy to be effective, it should not be treated simply as a “tick-box”. It must be something that you treat proactively, to comply with corporate governance.

Corporate governance makes the implementation of an information security policy a fundamental requirement. The stages for compliance are relatively straightforward: first conduct a vulnerability risk assessment, then ensure the policy has the full support and commitment of the directors; finally, implement the data security policy that is appropriate for the organisation, and, most importantly, educate staff on information policy and keep them updated about it.

David Blackman is marketing and channels director international, PentaSafe Security Technologies, Tel: 08700 765400, E.mail:

Creating effective information security

  • After the board and IT department have agreed the terms of the security policy, deploy it to each relevant member of staff.
  • Regularly update your policy to take account of new security risks and changes in hardware and applications, as well as staff changes.
  • Educate your staff on your information security policy. This is extremely important, as it cannot be effective if the end users are not aware of it or do not understand it.
  • Give end users guidelines on what constitutes a security breach, and use a questionnaire to check they understand these guidelines.
  • Tell staff about any amendments or additions to your information security policy.
  • Regularly check, on an impromptu basis (again, questionnaires can be useful here), that your security policy remains fresh in employees’ minds and that it is working on all levels.

Key Controls

The UK Department of Trade and Industry publishes information on the code of practice for information security management, based on a compilation of the best information security practices in general use in many leading international companies. It also cites further, stronger, key controls, outside the scope of the code, which may be needed for especially valuable assets or to counter exceptionally high levels of security threat.

  • Information security policy document
  • Allocation of security responsibilities
  • Information security education and training
  • Reporting of security incidents
  • Virus controls
  • Business continuity planning process
  • Control of proprietary copying
  • Safeguarding of company records
  • Compliance with data protection legislation
  • Compliance with security policy