Bug Watch: Bad attitudes block IT security

by Matt Tomlinson, MIS

29 Apr 2001

Each week vnunet.com asks a different expert from the IT security world to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.

As the big names continue to hit the headlines as victims of security breaches, confidence in IT security is taking a battering along with them. Matt Tomlinson, business development director at MIS Corporate Defence Solutions, looks at why the attitudes of corporates must change, so that businesses see security as a top priority, yet one that is still achievable for all.

Infosecurity 2001 hit Olympia last week and the same queries as ever abound within the business sphere: why hackers might target smaller businesses or what sort of security solution would best protect networks from the threat of a virus attack. They drew worrying conclusions about just how secure systems around the UK really are.

Implementing a successful IT security policy has some obvious spin-offs: a reduced risk of virus damage, hack attacks and lawsuits, and therefore no negative publicity as a result. But achieving this is not so much a question of technology as a matter of attitudes. Where better to start building attitudes than with the big players on the IT circuit?

Just from scanning the news, it is clear to see that this is where a major problem lies. For example, there has been much publicity on the various breaches Microsoft has experienced over the last year, predominantly when QAZ ran rampant, a number of IIS and Internet Explorer vulnerabilities were discovered and numerous overseas sites were defaced. Many businesses may look at Microsoft and adopt the view that if Gates' empire can't achieve optimum security, then neither can they.

There is no argument that the rate at which threats grow on a daily basis is huge, and the knowledge required to fight them is playing catch-up as quickly as humanly possible. Despite this, when a huge player produces a tool specifically to tackle security, it's expected to succeed at combating the problem it has been designed for.

When Microsoft's Internet Security and Acceleration Server 2000 launched this month, the Canada-based company FSC Internet claimed it took just 15 minutes for its security team to find a potential problem, raising serious concern over just how secure this product is.

Although Microsoft denied there was a threat to security through the allegedly weak firewall, news reporting such as this highlights further the many uncertainties within the IT security market.

Stateside companies are not the only ones falling foul of breaches that are damaging attitudes. BT.com also suffered problems recently, in this instance through what was most likely a result of a web application programming error. Customers logging on for confidential billing details were presented with the previous users' details - hardly a secure message to the customer. Add a small amount of knowledge to this situation, and the system was like an open book for those wanting to search for personal or confidential data.

Even with these high-profile security problems, businesses of all sizes still seem to have an apathetic approach to IT security. Some simply adopt the view that they are not likely to become a victim and therefore do not put security high on the IT agenda. Others implement a minimal level of security such as a firewall and assume they're covered. But many more companies are simply ignorant of the risks and don't get round to finding out.

Whatever the attitude, the downside of being under-prepared can range from loss of data or reputation to lost revenue. With an increasing number of high-profile security mishaps, the attitudes towards IT security of those responsible for running the businesses we work in are vital to the successful implementation of corporate IT security.

The larger the business, the greater the need to employ specialist personnel to manage security policy. In smaller organisations, an individual should be made responsible for things like email policy and web usage, to make sure policies are implemented.

As IT security hot spots hit the headlines on a regular basis, companies wanting to trade successfully and securely within the ecommerce world need to look closely at IT security. Ecommerce has created a new set of security disciplines that organisations need to follow to protect their business while the internet continues to grow. The types of hazards ecommerce exposes businesses to, the security solutions needed to guard against these hazards, and the attitudes that need to change to enable optimum security should all be considered.

There are a huge number of IT security companies to choose from, as highlighted at this year's Infosecurity exhibition. The solutions are available and easily accessible, proving that security breaches are potentially avoidable within ecommerce.

Therefore, what needs to change are the attitudes of senior members within businesses worldwide: they should place security at the top of the business agenda, as an architect treats fire exits at the planning stage of a building.

Once a positive stance is taken to IT security, there will be, without doubt, a domino effect, as knowledge filters out and into day-to-day business life. Of course, as with all technology, it will take time.

Next edition: 3 May
