Bugwatch: A rounded approach to security

by Dr RK Raghavan

22 Jul 2004

Each week vnunet.com asks a different expert to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.

This week Dr RK Raghavan, consulting advisor for Tata Consultancy Services, stresses the importance of treating security as far more than simply a technological issue.

It's now a well-acknowledged fact that security is not an IT issue in isolation.

Businesses have to deal with two conflicting realities: on the one hand, we are dealing with an increasingly global economy, with 24/7 business and the opportunity to adopt global sourcing practices which in turn bring cost and quality benefits.

On the other hand, however, we have to face the realities of a world afflicted by security threats.

From a business perspective, the only way to protect business intelligence is to adopt a rounded approach to security.

This means more than focusing on the systems that store data. It means taking a considered look at the people that create and handle that data. After all, most security breaches occur from within the organisation.

So what do organisations in today's global economy need to do to keep their staff, brands and systems safe?

For one thing, they need to become more stringent in the way they vet new staff.

Ensuring that each new recruit provides two references and can prove they are who they say they are is the first step towards a safe and secure working environment.

You'd be surprised at how many organisations fail at this first hurdle, thinking that their IT security systems are all they need to keep them protected.

Businesses should also only work with suppliers and partners that have comprehensive security policies themselves and that can prove they are sound business partners.

Outside certifications such as BS7799 are useful in demonstrating this. Such certifications can save global organisations millions of pounds, avoiding the significant damage that can be inflicted on a brand and bottom line as a result of a breach.

From a management perspective, it's imperative that the organisation has a policy in place that defines its overall security needs.

This policy cannot be static; it must evolve on a week-by-week basis to ensure that it is effective.

This means carrying out security audits regularly to highlight potential vulnerabilities and to ensure they are addressed before they cause problems.

To be effective, security policies also have to be rolled out to, and adopted by, all employees.

This is probably the biggest area where companies fall short. Those that fail to ensure staff follow security requirements are leaving themselves wide open to attack.

Companies are only as safe as the lowest common denominator.

Carrying out ad hoc tests on staff to check their knowledge of security policies is a simple and cost-effective way of both ensuring that everyone is up to date and pinpointing who needs to be trained.

From a technological standpoint, it is of course absolutely critical that all the relevant solutions are in place.

This means installing firewalls, intrusion detection systems and antivirus software. It also means ensuring that the company can function even in the event of attack. Backing up all data on a daily basis and putting a disaster recovery centre in place will ensure that, come what may, the effects of any attack are minimal.

In short, the only way to secure the enterprise is to have a rounded and complete security policy. Not one of the various elements that make this up - technologies, checks, training, certification - is worthwhile if carried out in isolation.

Do you agree?

 
