A silver bullet for compliance?

Graeme Pitts-Drake, managing director of Prefix IT, asks whether integrated PC management tools are the answer, especially considering security concerns and the potential benefits to SMEs.

No-one in business today can be unaware of the compliance challenges facing the IT team in protecting company assets and processes.

The statistics are clear, abundant and all around us, leaping from headlines on a daily basis; massive financial losses associated with security non-compliance are commonplace, as are high-profile court cases about staff misuse of email where internal policies have failed, along with punitive fines for software license infringement.

What is less clear however, is the strategy that is best employed to satisfy requirements.

Newly available integrated software tools that automate many of the standard required functions and report in real time may hold the answer, particularly for IT professionals working in the SME sector where the challenge is even steeper.

In the past these organizations have been unable to invest in the resources, systems and staff that their larger brethren can call upon - yet the problems they face are identical.

Strategy and planning can easily become a wistful dream in the hurly-burly of daily fire fighting. Yet ignoring compliance issues inevitably spells trouble, as things left on the backburner tend to boil-over in time.

First and last: compliance is the key

Security and compliance are now more interconnected than ever and integrated software tools can provide easy-to-manage automation for IT managers. They often include quite broad portfolios of tools that save time and put the IT manager in better control of the network and how it performs.

Those considering this route should look for products which include features such as automated alerts and tools for threat removal, policy enforcement, data loss prevention via the USB port, network discovery and inventory management along with a range of configurable reports to satisfy board and departmental queries.

Under attack

Security threats can arise from any number of sources from intentional attacks via the internet, from unguarded or poorly educated staff, or malicious attacks from internal sources.

To handle the variety of issues effectively, the IT manager must juggle an increasing array of security products designed to increase perimeter security, including anti-virus software, firewalls, IPS, IDS etc. Each system produces quantities of data, which must all be analysed and prioritised.

To make sense of the data and ensure compliance, the IT manager needs to view activity levels across the entire PC environment. Armed with this information, faster and better decisions can be made to remediate a range of security issues and deliver a higher degree of control to the IT team.

Lock and load

Making sure that software is compliant (patched and updated appropriately), is a time-consuming and often thankless task. However, it is important that it is done quickly and effectively, particularly if it's anti-virus software that needs to be updated with the latest worm signature, for instance.

To save time, the process can now be automated and administered from a central console which can also remove services and applications when appropriate, restart computers remotely or delete files, control the use of shared drives or folders and update registry entries.

The rise of life-style technologies, such as the ubiquitous iPod, has also given birth to a new type of security threat via the USB port. MP3 players are in reality portable memory devices, which are capable of downloading and storing vast amounts of data from a corporate network – as is every laptop.

So whilst the conscientious employee may be intending to do some work over the weekend there is nothing to prevent him or her leaving the laptop in a taxi or the local pub by mistake, along with all that valuable data.

Alternatively, what's to stop a disgruntled employee passing information to a competitor? In either case, the threat is huge, whether the potential data lost is a customer database or personnel files, payroll or tax data.

Indeed, companies have a responsibility to protect employee data from the rising threat of ID theft. Some early studies indicate that much ID theft is often perpetrated by staff that can access records to set up credit cards or commit other crimes. This is becoming an increasingly serious issue in North America where more than 20 million instances have already been recorded.

This raises the issue of vicarious liability, whereby an employer is personally and directly responsible for the failure of security systems and incomplete compliance.

However, integrated software tools can deliver increased peace of mind as well as better security compliance too. They allow the IT manager to prevent all such activity by remotely assigning access and download rights to user groups, or even individual users if necessary.

In this way USB ports can effectively be locked-down to prevent unauthorized access by external storage devices whilst remaining available for use by approved peripherals such as mice or printers.

Policy please

Now we come to the issue of policy enforcement, which straddles both camps of security and compliance. Its importance grows daily, inline with the increasing number of compliance challenges facing SMEs.

There is an increasing trend amongst employees to regard office PCs as their personal property. It is uncommon to find a user who does not consider it their right to use it for personal admin, email or MSN messaging and internet surfing.

Whilst many employers are currently happy to overlook this to a certain extent, there are specific dangers associated with these activities if they aren't limited by acceptable usage policies. For instance, it is very easy now for employees to download software direct from the internet, via their office server.

They may be downloading pirated software, viruses, trojans or worms, pornography or other inappropriate materials – all of which can create huge compliance issues for the employer.

Policy is important, not only to ensure security issues such as those examined above, but it is also important to ensure compliance for an increasing range of legal and trade issues.

Once again it's down to the IT manager to manage the policies and ensure that they are followed whilst not hampering the productivity of users. Thankfully automated tools can now help in this task and can restrict the use of specific applications or services and track application usage on a by-PC basis.

Taking software license compliance seriously

Software license compliance is an extremely serious issue yet most British businesses fail to realise its importance. Software piracy is rife in the UK according to the Business Software Alliance, which says that currently around 27 per cent of PC software is pirated with unlicensed software populating the vast majority of corporate networks.

Whether it has arrived through the ignorance of staff action, deliberate risk-taking, or bad management, the risks of potential legal action and large fines are the same.

According to some reports around 70 per cent of firms do not have an automated software asset management system in place and have a less than comprehensive approach. This leaves them vulnerable to a host of compliance issues, in terms of the currency and validity of license agreements.

Automated asset management systems can enable users to get a clear and real time view of their IT estate and understand where software use may fall out of compliance as and when it happens.

It can have other direct benefits too; according to Gartner, most users experience cost savings of around 30 per cent on their IT budget once they implement inventory management.

Three less things to worry about

The arguments in favour of using integrated software to tackle IT compliance issues effectively are clear and have been well-accepted for years in larger companies.

The arrival of cost-effective integrated software tools that are similarly featured, yet designed specifically for the smaller business, represents a major opportunity for SMEs.

Now small businesses can to get to grips with today's dynamic challenges of policy, security and compliance and ensure they are best placed to flourish in the future.

This article first appeared in July 2006 ITNOWextra.