The human factor is a key risk to IT security. A strict security policy and strong authentication are needed to counter it. Jan Valcke explains

If an organisation is to guard against the risks inherent in conducting business in today's digital economy, few would argue against the theoretical importance of a security policy for enterprise IT. But as the tools and techniques IT uses to protect against the latest threats change, companies need to adapt their policies on internet security. This includes considering the role of the current security policy, the existing security products, and the responsibilities of personnel. The human factor is very often the weakest link in the security chain.

Many organisations still think that responsibility for internet security lies solely with the IT department. Unless the security policy is enforced by senior management, however, it is worth less than the paper it is written on. With the risk inherent in the digital economy, a negligent response poses as much of a risk to the business as any malicious attack.

The responsibility realisation

Even among the more enlightened companies, many still prefer to trust in hardware and software to solve their problems, without considering the human element. Indeed, a survey of information security professionals carried out last year by analyst firm IDC found that the role of human behaviour in security has traditionally been overlooked by organisations. This is alarming, but, encouragingly, the survey also found that this viewpoint is slowly changing. Organisations are beginning to see that technology is just an enabler for executing a security strategy; it is not in itself the panacea for all security woes. Security needs to be a combination of products and people.

This realisation that the digital economy requires a new strategic approach is finally making its way to the boardroom. This is probably thanks to the increasing movement towards working from home and the growing mobile workforce, combined with a growing awareness of the actual risks of working or browsing online. Five years ago, people were generally ignorant of the scale of malicious activity on the internet. Now, because so many individuals have experienced problems with malware, spyware and viruses on their home computers, they recognise just how widespread and serious the issue is and, in particular, how it might affect their work desktop or laptop.

An acceptance of the reality and the severity of potential risks creates an opportune time to consider the effectiveness of old-fashioned static approaches, such as 'Trustworthy Computing' (Microsoft's initiative to 'provide secure, private, and reliable computing experiences for everyone based on sound business practices'), in stemming the tide of malicious attacks. The traditional approach attempts to create a safe computing environment within which users can operate. But attaching security to a particular machine or network ignores a fundamental shift in the way people have become accustomed to working. Typically, they move around from one machine to another, and from one network to another. They work remotely, from home and from airport lounges, using different devices in different locations. When working this way, and accessing the web or remote networks, they – and their corporate superiors – are now waking up to the inherent security risks that this method of working poses.


Easy does it

So how can companies keep their assets safe and their employees' PCs free from malicious attacks when new working methods expose them to all manner of potential risks? One company that found a solution is Easy Computers, the UK's fastest growing supplier of IT products and services to consumers, small to medium sized businesses and the education sector. It is one example of a company that has addressed the issue of keeping its employees safe when working remotely, by considering the 'three Ps' of policy, products and people. From a security product perspective, it recently selected VASCO's VACMAN Middleware/Digipass GO3 strong authentication as a safe and easy way to give staff secure access to the company's network. This was after it found that its previous method of secure access, which mostly relied on static IP addresses, was simply too restrictive. Staff could not even log in at a cyber cafe to pick up their e-mails, and their productivity was affected.

The dynamic approach to internet security now begins with identifying the user as they log in, and then allows them to conduct transactions according to the limitations of their particular role – and in line with Easy Computers' security policy.

With this strong authentication method, everything is based on ensuring the user is who they say they are. Strong – two- or three-factor – authentication gets past the problem of static protection by combining 'something you know' (like a password or a PIN) with 'something you have' (such as an authentication token) and 'something you are' (like a biometric test for a fingerprint or voice pattern). Because strong authentication merges security-minded people with a security solution, it is often seen as the missing link in enterprise security. It can easily be bundled on an appliance with other network access control measures, such as content filtering and firewalling, to provide a compelling way to protect the enterprise. It works both ways too: guarding against malicious attacks from outside, and protecting the company's reputation by checking on what is going out.

Strong authentication in the context of overall security

If a company is to intertwine policy with products and people, a few key steps need to be taken. The first is that users should not be permitted to install software on their machines. IT is responsible for purchasing licences, keeping software up to date and for overall system stability. If a machine crashes, IT can reinstall the software. But if users have downloaded their own software, extensions or upgrades, with products that are not supported by IT, chaos ensues. It is critical that the security policy makes it clear that users do not have the right to add their preferred software.


Similarly, users' access to the internet should as far as possible be restricted to business usage. Content filtering can police this to a certain extent, but it is not bulletproof. Checking back through the log files, however, shows where users have flouted the rules. Finally, with so many scare stories about company data getting into the wrong hands, it is important that internal data is not sent to external sources.

Authenticate and succeed

To optimise the effectiveness of a strong authentication solution, a company's security policy should specify what an individual or a particular role is able to do or access. For example, a salesperson should not be able to access the payroll application with details of colleagues' salaries, but the CFO can. The policy should also outline basic rules which every user should stick to. These should be management directives.
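As an added example (not code from the original article, nor from VASCO or Easy Computers), the login check described above: both factors, a PIN ('something you know') and a one-time code from a token ('something you have'), must pass before the role-based policy decides whether the user may reach a resource such as payroll. It assumes an event-based HOTP token (RFC 4226); the article does not say which algorithm Digipass GO3 uses, and the user records, PINs and token secrets are constructed demo values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Never store the PIN itself; store a salted, slow hash of it."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


# Constructed user records (demo secrets only, not real credentials).
USERS = {
    "alice": {"salt": b"salt-a", "token_secret": b"12345678901234567890",
              "counter": 0, "role": "sales"},
    "bob":   {"salt": b"salt-b", "token_secret": b"abcdefghijklmnopqrst",
              "counter": 0, "role": "cfo"},
}
USERS["alice"]["pin_hash"] = hash_pin("4711", USERS["alice"]["salt"])
USERS["bob"]["pin_hash"] = hash_pin("2580", USERS["bob"]["salt"])

# Policy from the article's example: sales cannot see payroll, the CFO can.
ROLE_ACCESS = {"sales": {"crm"}, "cfo": {"crm", "payroll"}}


def authenticate(user: str, pin: str, otp: str, window: int = 3) -> bool:
    """Both factors must match; the token counter only advances on success."""
    rec = USERS.get(user)
    if rec is None:
        return False
    pin_ok = hmac.compare_digest(hash_pin(pin, rec["salt"]), rec["pin_hash"])
    # Look ahead a few counters in case the token was pressed without the
    # code reaching the server, but never accept a counter at or below the
    # last one used: a captured code cannot be replayed.
    for c in range(rec["counter"], rec["counter"] + window):
        if hmac.compare_digest(hotp(rec["token_secret"], c), otp) and pin_ok:
            rec["counter"] = c + 1
            return True
    return False


def may_access(user: str, resource: str) -> bool:
    """Authorisation is a separate decision, driven by the user's role."""
    rec = USERS.get(user)
    return rec is not None and resource in ROLE_ACCESS.get(rec["role"], set())
```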

Behaviour is already starting to change as individuals recognise their personal responsibilities when working remotely or accessing the internet. But some are still prepared to risk company security by doing things they might not try at home, thinking the IT department will fix any problems. The use of peer-to-peer networks, such as Kazaa, is a case in point. Such traffic is very difficult to track, yet it is easy to obtain illegal content through this medium. It of course falls foul of our first basic rule of enterprise security.

To protect the identity of users when they are online, a strong authentication solution should be provided. It will ensure that the user's identity is protected from phishing or man-in-the-middle attacks, thus keeping identity and key corporate data free from those with malicious intent.

The final key requirement is for these policies to be backed up by management. Senior managers must sign up to them and be prepared to update and enforce them. Internet security is not just the responsibility of the IT department. We all have a critical role to play, and it is a role that is made easier by the intelligent adoption of policy, products, and security best practice.

Monster mayhem

Despite a seven-page privacy statement on its website stressing its commitment to respecting the privacy of its users, Monster was one of the latest websites to fall victim to hackers and 'lose' users' personal data.

In what has been described as 'one of the biggest internet security breaches in recent memory', names, addresses, phone numbers and email addresses of some 1.3 million jobseekers were stolen from the site.

Following notification of the problem on 17 August from internet security company Symantec Corp, Monster Worldwide, Inc. identified and shut down a rogue server. It then began the task of contacting and warning those people whose privacy had been breached.

However, Monster came under fire when it was reported that it allowed five days to elapse between receiving Symantec's warning and notifying affected users. Indeed, it was not until 22 August that Monster went public with the information, publishing a warning on its website designed to let visitors know to be vigilant about any phishing email that appeared to be from Monster.

Since then there have been fears that the theft of data could be worse than previously suspected. ‘Job seekers should now assume their personal data has been compromised,’ said Calum Macleod, European director for data vaulting and encryption specialists Cyber-Ark. ‘The worst part about the data hacking is that it could so easily have been avoided,’ he added.