Why do serious security breaches continue to occur? Companies spend millions every year to secure computer networks and digital data but incidents fill the news: HMRC's loss of two CDs with 25 million sensitive records; medical records on a hard disk purchased on eBay; Cotton Traders loss of 58,000 customer records (thankfully encrypted); M&S losing a laptop with 26,000 unencrypted staff pension details.

Those are just a few of the recent breaches and they will continue to occur until we change our ideas about security. Gordon Rapkin explains why having a culture of security is crucial in an increasingly vulnerable virtual world.

Many businesses that suffer a serious security violation have deployed protective systems in a rather random patchwork approach with heavy emphasis on protecting the network from outside attackers.

Instead business needs to think beyond the model of perimeter security that clearly doesn't work, and focus attention on creating a culture of security with a multi-layered, holistic defence system that covers people, policies and procedures. Basically, we can't rely on applications to do all the work for us. Smart policies, procedures and people are just as important as choosing the right security solution.

The culture of security

To be effective, security has to be everyone's problem. The processes that support real security need to be embraced by everyone from the cleaner to the MD. Until businesses focus on creating a culture of security, and until employees understand exactly how and why they have to protect networks and digital assets, systems and data will remain vulnerable to attack.

Look at these statistics:

  • IT Policy Compliance Group research indicated that human error is the cause of sensitive data loss in 75 per cent of all occurrences, while malicious hacking activity amounted to just 20 per cent of data losses.
  • In the Deloitte Touche Tohmatsu 2007 Global Security Survey, which included many of the top financial services firms, 79 per cent of respondents said that human error was the cause for information security failures. Yet 22 per cent said they had provided no employee security training over the past year and only 30 per cent believed their staff had sufficient understanding of security issues.
  • A survey by Infosecurity Europe, on behalf of the Information Security Awareness Forum, found 79 per cent of organisations acknowledged the single greatest security weakness is lack of awareness.

Security consciousness needs to be hardwired into your policies and procedures and embedded into everything you do. Some companies pride themselves on innovation, customer service or the quality of the products they offer. All businesses now need to stop worrying about security only after their customers' information has been exposed and start taking pride in the security of their networks and data, and become truly proactive about securing them.

But simply devising policies and procedures isn't enough. Security measures that aren't understood and fully embraced across the enterprise can, and will be, circumvented.

Steps to take

One of the most positive steps you can make is to institute regular security awareness training for all employees. When staff understand the value of security, as well as how to protect data, their entire approach and attitude changes.

Teach them:

  • how to identify confidential information;
  • the importance of protecting data and systems;
  • how to choose and protect passwords;
  • acceptable use of email/the internet;
  • the company's security policies and procedures;
  • how to spot scams.

Training should not be generic but be tailored to an employee's role in the company, with refresher courses biannually, or more frequently depending on the person's role in the company and their access to sensitive data. Alert employees to new threats and issues via a monthly newsletter, an RSS feed or emails from IT.

You should also establish an incident response and reporting policy. This policy enables employees and executives to determine the severity of an incident and the inherent risk and how to deal with it.

The policy needs to state who the incident should be reported to, or even concerns - e.g. supervisors, legal, marketing and IT - and how they should be resolved. Never make an employee feel silly for reporting anything they find suspicious. The easiest way to do this is often to set up an email address that employees can use to report potential problems such as 'securityreport@ourcompany.com'.

After a security incident has been resolved, you should review the policy to determine if changes need to be made. How did the incident occur? Were you able to resolve it successfully? Implement the necessary change management and move on.

Enforcement and commitment

Enforce policies and procedures with technology controls like role-based systems access, database encryption and auditing tools. These ensure that everyone is following the rules and protect data from misuse and exposure, even if the rules are broken.

Automated enforcement and monitoring of policies takes the onus off employees - they no longer need to make judgement calls, nor can they be pressured, bullied or coerced into responding to requests for data that could provide an attacker with a virtual key into company systems.

Bear in mind that it is quite possible to develop policies that are so rigid that employees resent them and actively look for workarounds. It's best to develop policies in tandem with representatives from every department and level. Each of your employees is a stakeholder in security and should feel as if they are a valued participant in protecting company data, not a mistrusted child who is being watched and controlled every moment of the day.

What do you need to secure?

Tracking data as it moves across a network is rarely a straightforward task. It's likely that an audit of many networks would reveal sensitive personal data tucked away in places that you'd never expect to find it, stored unprotected in applications and databases across the network.

First step is to conduct a full audit of the entire system and identify all the points and places where sensitive data is processed, transmitted and stored. Data flows into and out of numerous applications and systems. It is precisely this flow that needs to be the focus of a holistic approach.

Look at data flow as a municipal transit system - the system is not just about the station platforms; the tracks and the switches are just as critical. Many companies approach security as if they are trying to secure the station platforms, but lose sight of the importance of securing the flow of information. Additionally continuously monitor all systems for malicious activity and malware.

As businesses and agencies continue to move services onto the web, it's critical to extend protection past the internal network perimeter - the classic focus of all security efforts - and protect all public-facing applications that act as a conduit to the internal network and stored data. Websites and web-enabled applications, particularly those that collect data or allow access to internal databases, must be very carefully reviewed and regularly tested (using an outside expert) to ensure that no exploitable security flaws exist.

Then, to protect against brand new vulnerabilities, deploy a web application firewall to ward off threats and control any abnormal activity that could overwhelm an application or server and open you up to an attack. Properly defended web applications allow outside users to access internal applications and selected segments of databases, enabling effective communication and service offerings, while ensuring that both users and owners are protected from criminal attacks and privacy violations.

In summary

Some of the companies polled in the IT Policy Compliance Group survey weren't regularly losing data. These companies all had one thing in common: they used multiple methods - user training, strengthened security policies and compliance screening, threat monitoring and targeted application protections, network and user access controls, encryption and system auditing - to protect against data loss. Think holistic and your systems are bound to become significantly more secure.

About the author

Gordon Rapkin is CEO of data security management specialist Protegrity. He has more than 20 years of wide-ranging executive experience in the software industry. He is a frequent author, commentator and spokesperson on data security issues and corporate responsibilities.