Security policies enable organisations in the New EconomyInformation technology is well recognised as a business enabler, but the security component of the equation remains in the realm of system management. Organisations are failing to transfer responsibility for security from the IT department to the relevant manager, making security a reactive and generic process rather than a business tool.
Organisations, distracted by viruses and hackers, are overlooking other significant content security issues. Equally threatening to any business are breaches of confidentiality, exposure to legal liability such as sexual harassment and racial vilification claims, copyright infringement, damage to reputation, spam attacks, and degradation and loss of network service through misuse of e-mail and the Web.
Research indicates 79 per cent of organisations experience Internet and e-mail abuse by employees, including the downloading and transmission of pornography (CSI 2000 Computer Crime and Security Survey). With IDC predicting e-mail traffic to grow from 2.1 billion messages in 1998 to 7.8 billion messages in 2002, the threat will only increase.
As the frequency and types of threats increase and technology such as e-mail and the Internet become more crucial to an organisation, security becomes an enabling mechanism, not simply a protection device. Simply reacting to these threats, no matter how quickly, will not stop lawsuits from harassed workers or the distribution of intellectual property to competitors.
It seems obvious that as the threats facing organisations impact business rather than the network, and are associated with the actions of individuals not systems, responsibility for protection against these threats should lie with business managers, not the IT department. The IT department is unable to perform its duties without human resources, legal and management buy-in to establish policies that meet an organisation's specific needs. Yet the opposite is true and organisations are missing the opportunity to use security, and technology in general, as a differentiator in a competitive economy.
Technology for technology's sake, existing in a vacuum for no reason other than to allow businesses to claim they are secure, is useless. Security technology is simply the enforcement component of a three-pronged approach. The "three-e" approach requires an organisation to establish a policy that suits the way it does business, educate the workforce about the policy and the reasons for its existence, and enforce the policy. A content security policy should define what are acceptable media types for users to access, with variations for different users and, perhaps, time of day.
Yet according to a recent survey by Secure Computing magazine, two thirds of organisations either have no e-mail and Internet policy or have one that isn't enforced. According to the same survey, one in four companies see no need to educate users, while a further one in three leave it to a policy booklet. This attitude ignores the enabling role technology and security play in the New Economy and relegates security to the realms of system management as opposed to strategic business tool.
A policy is essential to avoid workplace incidents and issues as well as prevent any legal problems. For example, a 1979 Act bans anyone listening, recording, or intercepting messages carried on a telecommunication system without the sender's consent. Under this system, workers could challenge employers who monitor their e-mail and Internet use.
In this instance, the law does not adequately, and reasonably, protect an organisation's interests. However, a policy can protect employer interests and employee rights by explicitly stating that certain e-mails and browsing activity will not be accepted, and e-mail and Internet usage will be monitored to enforce this policy.
In terms of employee rights, it is important to also address privacy concerns in this sensitive environment. To this end, employees need to be aware that legislation referring to older technology does not adequately protect their interests in terms of having a safe workplace, or legal and productivity concerns.
Policies need to clearly spell out that monitoring a phone conversation and securing an organisation's network content are two entirely separate things. When phone conversations are listened to, those monitoring can understand the explicit nature of the conversation. However, with e-mail and the Internet, the context or exact nature of the content does not need to be determined to signal its inappropriateness.
The channel can enter the equation as a go-between consultant. Resellers can easily help configure and install any security system. It is deciding what to configure that baffles many organisations. This gives resellers the scope to transform a security implementation into a business consultancy role that spans the entire network. If resellers know the legal and business issues surrounding content security, they can help.
A basic policy is relatively easy to create. Customised policies depend entirely on an organisation's attitude and business needs. For example, a marketing organisation might need to have a more lenient e-mail policy than another company as it requires employees to send and receive a lot of images.
A basic policy allows an organisation to decide what file types and content to allow and ban from its network. With certain file types, such as Executables, a lot of organisations will automatically ban them because they are deemed to be malicious more often than not. VBScript, pornographic and nude images, videos and offensive language can all be automatically blocked and archived, or forwarded to the appropriate person. Files falling outside this jurisdiction can also still be managed through content security solutions. Pornographic images can be detected by policy-based software and acted on according to a pre-determined policy.
The channel has an integral role in the content security market in terms of being technology providers and business consultants. At the outset, they also need to be educators. As organisations realise security is needed to drive their organisations further and utilise contemporary technology, they will begin to consider it as a process, not a reaction, that they can control and manage. Tell them how to do it.
Alan Schaverien is managing director of Content Technologies, Asia Pacific. e-mail him at firstname.lastname@example.org