
Step one: How secure is your company's information?

20th Aug 2005

In this series of articles Stewart Twynham of Bawden Quinn uncovers the facts about information security, debunks a few of the myths, and provides some accurate, impartial advice that explains in layman's terms everything from firewalls to computing law.

We start our journey by discussing the state of information security awareness within businesses today, why security is so important, and identifying the starting point for all security professionals - your information assets.

In a recent survey, 96 percent of small businesses claimed that they were confident in the security of their data - blind optimism which probably explains why 97 percent of recently tested web applications were found to have "serious flaws" allowing everything from digital shoplifting to free access to confidential records, and why something like 92 percent of small businesses actually lost time and money last year due to some form of IT failure, malicious or otherwise.

In the coming weeks, we will discuss:
  • Threats and Vulnerabilities - why is hacking so easy?
  • Firewalls - essential perimeter protection, and what they don't do
  • Anti-Virus protection, its limitations, and dealing with Spam
  • Good housekeeping, backup and physical security
  • Training, acceptable use policies and legislation
  • ISPs, Domains, Web design and Hosting
  • The impact of new technology - VPNs, WiFi, Broadband, et al

An analogy
When it comes to domestic security, most of us are pretty clued up. We know what and where our most valuable assets are. We wouldn't just install a good front door lock, and then go out leaving all the doors and windows wide open. No-one would approach their estate agent for security advice or be crazy enough to think that by fitting a burglar alarm system then never turning it on, they would somehow be protected against arson.

Yet this is exactly what most businesses do and think when it comes to securing their computers - and it's hardly surprising. Information technology can be very complicated, so businesses tend to get lost in the marketing spin produced by the countless IT vendors, resellers and ISPs. Businesses, particularly small businesses, then end up buying piecemeal 'solutions' for problems they don't fully understand and for all the wrong reasons, install and use them incorrectly, and believe themselves to be safe when they are not.

As a result, information security for most small businesses turns out to be a patchwork of technology with gaps you could drive a bus through. For example, 72% of businesses do not provide any form of security awareness training to their staff, which is interesting since 64% of users recently disclosed their password to a complete stranger at Victoria Station, and 79% of users would pass confidential information to an ex-employee - even if working for a rival firm. 6% would have absolutely no qualms about deleting important data if they were asked to leave, but then 67% would have already stolen data to use in their next job anyway.

Another classic example is the widespread misuse of anti-virus software and firewalls, resulting in businesses being surprised when they are hit hard by viruses, hackers and worms such as MSBLAST. The trouble is, technology such as anti-virus software cannot properly protect you from blended threats such as those used by MSBLAST, or from worms and viruses before they happen. Only training and good housekeeping can do that. Information security is not a product - you can't buy it from a reseller or ISP - good information security is about awareness and process.

Secure businesses don't rely on technology - they are aware of the risks posed to information assets right through their business. They understand the impact of threats - be they worms, hacking, or something as mundane as a power failure in the US which could knock out their email. And they then prepare their systems, processes and, perhaps most importantly, their people.

Businesses depend on information
Imagine what would happen if your customers' most private information was posted onto your web site. Perhaps correspondence with the Inland Revenue, or their latest top-secret designs? Or if you couldn't access critical information because of a system failure - and as a result you missed an important deadline? Or your staff couldn't work because none of your computers were functioning?

According to DTI figures, 44 percent of businesses suffered a malicious breach of their security last year - and the average cost of a serious breach was around £30,000. Much of the cost came after the event - clearing up the mess, paying for staff to sit around waiting for systems to return, customer churn, loss of reputation. To make matters worse, in order to prevent it happening again, they still had to buy the systems and implement the processes which would have prevented the losses in the first place. Poor information security seriously and negatively impacts profitability, cash-flow, balance sheets, customer confidence and legal compliance, to name but a few.

Enter the CIA
Mention information security to the uninitiated - and they'll talk long and hard about products such as firewalls and anti-virus, which as you have already discovered are only part of the story. All true security professionals on the other hand will talk about 'information assets' and will refer to the CIA mnemonic, which stands for:

Confidentiality: ensuring that information is accessible only to those authorised to have access;

Integrity: safeguarding the accuracy and completeness of information and processing methods;

Availability: ensuring that authorised users have access to information and associated assets when required.

You don't have to have information stolen (loss of confidentiality) to lose money. Having information damaged (loss of integrity as a result of a hacker, virus, malicious user, wrong key press or even a lightning strike) can be pretty threatening. So too can loss of availability - perhaps a virus has killed your server, or maybe the server has simply been stolen.

STEP ONE: Identify your assets - you can't secure what you can't identify
Assets can be physical (e.g. computers, networks), information (spreadsheets, databases and Word documents), software (applications, web sites) or services (anything from an email system to a heating system).

You start by building a comprehensive list - detailing every asset within your business. Then against each, consider the costs that your business could incur should you lose confidentiality, integrity or availability of that asset, particularly for information or services. You're not looking for 100 percent accuracy here - the chances are you will be seeing figures of tens of thousands, hundreds of thousands or even millions of pounds' worth of potential loss. The cost to your business of losing a customer database, an email system, or a week's work is unlikely to be just a few pounds.

If your business is obsessed with 'ROI' - these figures are then a good starting point for justifying why you need to invest time and money in information security. Forget 'odds' for a moment - hacking, viruses, worms, malicious users, hardware failure all happen every single day. We see plenty of businesses trying to protect assets worth millions using inferior or poorly installed equipment which possibly saved them, at most, a couple of thousand pounds. Even if the odds were small (they're not) - the impact is huge, which means so too is the risk. Consider the simplified risk equation:

Risk = Chance of Occurrence (say, 44%) x Potential loss (huge)
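To show how the step above works on paper, here is an added example (not code from the article or from Bawden Quinn) of a small asset register: each asset carries a separate loss estimate for loss of confidentiality, integrity and availability, the worst of the three is taken as the potential loss, and the article's simplified equation (chance of occurrence x potential loss) ranks the assets so that spending goes where exposure is greatest. The asset names, pound figures and probabilities are constructed sample values, and the `control_is_justified` ROI check is the editor's own addition rather than anything the article prescribes.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """One entry in the asset register (hypothetical structure, not from the article)."""
    name: str
    category: str                # physical, information, software or service
    loss_confidentiality: float  # pounds lost if the asset is disclosed to the wrong people
    loss_integrity: float        # pounds lost if it is corrupted, tampered with or wrongly edited
    loss_availability: float     # pounds lost if it is unavailable when needed
    chance: float                # estimated chance of a serious incident in a year, 0.0 to 1.0

    def worst_case_loss(self) -> float:
        """Largest of the three CIA losses: the figure the business must be able to absorb."""
        return max(self.loss_confidentiality, self.loss_integrity, self.loss_availability)

    def risk(self) -> float:
        """The article's simplified risk equation: chance of occurrence x potential loss."""
        return round(self.chance * self.worst_case_loss(), 2)


def build_register() -> list[Asset]:
    """Constructed sample register; every name, figure and probability here is made up."""
    return [
        Asset("Customer database", "information", 250_000, 100_000, 40_000, 0.44),
        Asset("Email system", "service", 20_000, 5_000, 60_000, 0.30),
        Asset("Office file server", "physical", 80_000, 80_000, 30_000, 0.25),
        Asset("Company web site", "software", 10_000, 50_000, 15_000, 0.50),
    ]


def rank_by_risk(assets: list[Asset]) -> list[Asset]:
    """Highest-risk assets first, so investment is directed at the largest exposure."""
    return sorted(assets, key=lambda a: a.risk(), reverse=True)


def control_is_justified(asset: Asset, control_cost: float, risk_reduction: float) -> bool:
    """Crude ROI test (editor's addition): does the risk a control removes outweigh its cost?

    risk_reduction is the fraction (0.0 to 1.0) of the asset's risk the control is
    expected to eliminate; it is an estimate the reader supplies, not a measured value.
    """
    avoided_loss = asset.risk() * risk_reduction
    return avoided_loss >= control_cost


def print_register(assets: list[Asset]) -> None:
    """Tabulate the register in risk order."""
    print(f"{'Asset':<22}{'Category':<14}{'Worst loss':>12}{'Chance':>8}{'Risk':>12}")
    for a in rank_by_risk(assets):
        print(f"{a.name:<22}{a.category:<14}{a.worst_case_loss():>12,.0f}"
              f"{a.chance:>8.0%}{a.risk():>12,.0f}")


if __name__ == "__main__":
    register = build_register()
    print_register(register)
    db = register[0]
    verdict = "justified" if control_is_justified(db, 5_000, 0.5) else "not justified"
    print(f"\nSpending 5,000 on a control that halves the risk to '{db.name}' is {verdict}")
```

Run as a script it prints the register with the customer database at the top (a 44 percent chance of losing a £250,000 asset gives a risk figure of £110,000), and shows that a £5,000 control halving that risk pays for itself many times over, while the same test rejects a £30,000 control on the far smaller email-system risk. The figures are deliberately rough, as the article says they should be; the point is the ranking, not the decimal places.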

If you are interested in odds, then consider these - according to the Institute of Directors, 85 percent of companies that suffer a really serious incident cease trading within eighteen months.

Alternatively, you may be enlightened enough to view information security as being outside of 'ROI' - and instead as a necessary expense of day-to-day computing: just as you pay to insure and tax your car, you pay to secure your network. This is fine, however you should never lose sight of the real reason you are doing this, i.e. to protect your assets. Accepting security as a day-to-day expense without first considering the assets you are trying to protect, or the potential losses, may result in you making less than optimal investment decisions.

Do I need to consult a professional?
It very much depends on your business and your aversion to risk. According to the DTI, just 6 percent of those in charge of information security are actually aware of the contents of ISO 17799, the internationally accepted benchmark for information security. It is vital to realise that information security is by no means an 'exact' science, but professionals within the field will be able to quickly:

  • Identify your assets
  • Estimate threats, vulnerabilities and costs (in order to assess risks)
  • Manage your vulnerabilities to reduce and mitigate risk in the most cost-effective manner.

Just as in accounting or law, a little knowledge is a dangerous thing. An experienced professional will probably save your small business a great deal of time and money in the long run.

Even when businesses understand what assets they are trying to protect, they rarely understand the threats and vulnerabilities, so are unable to make good decisions about what to invest in and why. We debunk many of the myths surrounding hacking, viruses, worms and much more, explaining why the dangers for small businesses are both real and proximate.

Replies (2)


By Stewart Twynham
27th Aug 2003 08:50

Re: Risk and Expense

Hopefully the next articles which discuss the threats and vulnerabilities will help focus some minds on these "unknown probabilities", although it is worth remembering the difference between probability and risk.

The probability of a married 30 year old non-smoker dying before the age of 55 is probably quite small, but most married 30 year old non-smokers will have some form of life cover - since the risk of financial turmoil for their family is more significant. Sound investment decisions are based on risk, rather than odds.

I whole-heartedly agree with your comments re: auditing businesses with reference to security - there is some education needed here, however. One very large accounting firm recently audited one of my clients. After a couple of weeks of intensive work, they emailed in a list of questions "to ask the IT guy". Most focussed on Anti-Virus, including confirming whether updates were carried out at least weekly! A week is a very long time in the life-cycle of a virus...

Information security was clearly on their checklist, but was an afterthought - resulting in an outdated list of questions that had no hope of actually uncovering any security issues.


By AnonymousUser
23rd Aug 2003 08:22

Risk and Expense
Thanks for a very interesting article. It is hardly surprising that business users pay scant regard to security - mostly it just makes their jobs more difficult. The increasing complexity of IT just adds to this. The rewards are not easily demonstrated either - you are insuring against a future event of unknown probability, with no guarantees of success.

The answer is to use the available technology to make it easy to maintain a secure and data-safe IT system without burdening the users. This means single log-ons, secure authentication that doesn't rely solely on passwords, automated off-site backups etc. The problem then is that few IT people understand how to do this - and it costs more than doing it badly or not at all.

I have come across many small businesses that don't even have a firewall in place, let alone a security policy. Tape backups are done every night - on the same tapes they've used for months, with increasing risk of data loss. Customer data is scattered across the business on laptops and on unsecured file servers. IT staff aren't given the resources or authority to implement effective security.

Unfortunately, business managers are not going to invest in information security until auditors start qualifying the accounts of those failing to pay attention to what is, after all, part of their legal obligation. It may sound draconian, but better that than the tragedy of the loss of an otherwise viable business.
