Information security: new threats, same concepts
As part of his preparation for an IT and information security seminar, Stewart Twynham explains how IT has created a new set of challenges from concepts that have actually been around for quite some time.
The storage and processing of information isn’t particularly new. Even in the time of Dickens, businesses kept records - and you probably only have to think back around 20 years to a time when many businesses and indeed whole industries were still 100% reliant on paper records.
Data Storage - the old fashioned way
So let’s go back in time and consider how a Widget Supply Company might have kept around 30,000 customer records just 20 years ago.
For a start, this volume isn’t going to fit into a single filing cabinet - it’ll be a room full of filing cabinets.
Given the sheer volume of data, someone is going to need to be in control, making sure files are organised correctly. And that person will probably need a backup for when they are on holiday.
And you can’t let any member of staff just stroll in and mess things up. You’ll want to keep those important files under lock and key, taking care to give a spare key only to those who can be trusted.
Any staff member who does have access will also need training. They’ll need to know how to find information, how to file information, and how to record if a particular file has been taken so others don’t spend time looking for a file which has been checked out.
And what about fire or flood? Maybe you should think about keeping copies of important records in another room or another building. Or maybe the room itself should be one big fire safe?
And what about archiving? After several years, you may want to clear out old records. Do you just destroy them, or maybe you could archive them on microfiche or something similar for safe keeping?
The Widget Supply Scenario ties in perfectly with the modern world. It’s just that IT people simply love to make these concepts unapproachable.
A room full of filing cabinets - that’s something we’d call capacity planning.
Putting someone in charge is a form of management system. Keeping records under lock and key is the same thing as when your IT consultant talks about access control. And only giving a key to those that need one is the rule of least privilege.
We’ve touched on the importance of training, and we’ve even mentioned fire and flood - so we’re also talking about business continuity.
You see - nothing difficult there, even if IT people do like to make things sound difficult.
Of course, IT comes along and creates a whole new set of challenges - the biggest one being scale, or the lack of it.
Suddenly, 30,000 records can easily be processed on any old PC or laptop. Looking after those records is no longer someone’s full-time job, so bang goes the management system. Accessing records is pretty simple: even if things are misfiled, they can be found with a simple search. So why bother with training?
Access control is usually one of the more complex components of any business application - usually because software developers make it so darn complicated with users, groups, Active Directory integration, permissions vs ownership and so on. In the absence of training, the chances are everyone uses the same settings - possibly even the same password - because that’s all they know how to do.
Technology also means that those 30,000 records are more portable and will fit comfortably onto a £10 USB memory stick. Or they could be carried out of the building on an iPod or mobile phone. And unlike paper, it’s possible to make a perfect copy of everything in seconds, so you’d probably never know.
And no security article would be complete without highlighting the impact of the internet. Making records accessible from your website is no different to cutting a hole in the wall where your filing cabinets are, and allowing your customers in from the street whenever they please. It doesn’t matter how small that hole in the wall might be, it’s obvious that you’d need to put a security guard on duty outside, some form of clerk inside, and probably keep a very close eye on who comes and goes.
Solving the challenges
One common trait among security experts is to get bogged down in technology. Talking technology is certainly within the comfort zone of the average IT consultant, and more often than not businesses are looking for the “quick fix” - that mythical bit of software that’ll take away all security challenges in a stroke.
The bad news is that this piece of software doesn’t exist. The good news is that you’re probably more than equipped to solve many of the challenges yourself with a bit of help and guidance.
And that’s the theme for the upcoming security event - not to sell you some brand new piece of software or service, but to help you identify the risks within your business, and talk about some of the things you can do.
Further reading: Information security series
- Step 1: Identify your assets
- Step 2: Understanding the threats and vulnerabilities
- Step 3: Things that turn threats and potential loss into risk
- Step 4: The firewall
- Step 5: Tackling viruses and spam
- Step 6: Good housekeeping
- Step 7: Training, acceptable use policies and legislation
- Step 8: Domain name purchase and protection