Convincing business executives to address information security issues can be a nightmare for some IT managers. Liz Tay speaks with management consultant Jed Simms, executive chairman of Capability Management, about communicating security risks in a business-savvy manner.
What are the security issues companies face?
We've got a barrage of issues. They [CEOs] have a mindset that just doesn't think about some types of risks. They can't conceive of people whose life is malicious hacking of networks, because it's not something they would ever do.
I used to be head of strategy for a bank, and was amazed when I learned that occasionally, a controller of ATMs (automatic teller machines) would go down so a group of ATMs would be disconnected from the mainframe and allow people to take some money out. People would find that out within half an hour and whole gangs of people would go with stolen cards and take money out. It's something that I'd never conceive of, that that sort of thing can happen.
I use that as an illustration that we need to educate senior management that there is this new world out there, and you can't just frighten [hackers] off using bits of hardware and equipment. And that's why this is a business issue.
Then you're talking about what degrees of freedom we're going to allow our people to have, and where we have to draw the boundaries, and we may have to redraw those, because sometimes we can draw them better.
In the case of one large organization, it had a lot of security to stop people from getting in with either illegal or unequipped devices, but once you're in, you could go virtually anywhere within the network. The company had a lot of outsource suppliers connected to the network, and because of security, it had to provide all the gear for them. But when we [implemented a system] where some areas are public, and some restricted, we had this far more gated network which actually led to the outsourced people coming with their own equipment, because they only had access to this little bit here.
So we reduced the cost for the company that was providing the network and actually increased its security by having a different way for it of doing business and how security and risk management were actually impeding how they make money.
What are the risks businesses face?
Through the whole transmission and management of information and the security of data access and transfer. You have people who may maliciously or inadvertently [infect the network]. One example is of a client's problems with people who were patching its PC or laptops. One woman connected to the network four PCs with essential patches the IT people didn't know about, and that's where a virus got into the whole company.
These people think they're saving a few thousand dollars by not using the official PCs, but cost the organization hundreds of thousands of dollars as a result. It's that risk awareness that is one of the hardest things to get organizations to understand.
Everyone talks risks, but they often talk about it in different ways - in terms of access and desktop management and all these other things - without really spelling out what the risk level is, and therefore what they need to do, or not do, to preserve the integrity of the network.
Do employees pose a great risk to an organization's data security?
We've done several surveys [on how disgruntled employees can compromise a company's security]. They come up with a whole range of avenues that they know are backdoor keys to certain databases.
There are mechanisms whereby you can sidestep the firewall, which may be put in for quite valid business reasons at the time, but of course companies don't look at what happens if someone leaves with that knowledge, and especially if they leave with bad feelings. That can create a real risk in the market.
There is a story about the Walker brothers who sold secrets to the Russians. They were in court because one of their ex-wives dobbed them in. [Laughs] so there's someone who had left and decided to get her revenge.
It's understanding that the risk may not be there today, but are you building it in for tomorrow.