There is no doubt that IT security has, and will continue to have, an ever-increasing number of challenges to face. However, like in the physical world, security measures are generally regarded as an inconvenience by those they are designed to protect. So how do you keep the organisation safe in the modern world without being cast as the corporate villain?
Go back a few decades and the IT security challenge was much simpler, keep the borders protected, and internally give access to users on a need-to-know basis. The bigger challenge was securing business continuity with organisations particularly vulnerable to physical damage of their main IT facility. Fast forward to now and organisations are facing the same security objectives – keep others out, make sure those inside are behaving, and protect the core IT systems from physical attack by man or nature. What has changed significantly is the systems we are trying to protect.
There are three critical elements to this change: the adoption of cloud computing, advances in portable storage device, and the proliferation of personal devices connected to the organisation. These changes have fundamentally adjusted the risk ranking of various threats to the modern organisation, and in doing so they have changed how organisations need to address their IT security.
In highlighting these things, I am not suggesting that they are the only IT security considerations, rather I am saying that these things make some of the traditional approaches to security obsolete. Just as a castle wall cannot prevent a bird from entering, IT security needs to take on additional dimensions to address new developments.
Cloud computing has substantially reduced the risk to business continuity of damage to core IT systems and functions, although it has simultaneously increased the risk to an organisation of WAN failure – even if this risk is much easier to mitigate.
Advances in portable devices present an unprecedented risk of theft of corporate IP from within an organisation. Given that with most employee resignations, the heart leaves before the head and both leave well before the employee hands in their notice, a significant amount of corporate IP is leaving organisations on USB sticks and other portable devices before the organisation is even aware that the employee is thinking of leaving.
Similarly, the proliferation of personal devices accessing the corporate environment would have unimaginable prior to the smartphone. Now it is more common for email to be read on a phone than on any other device. With a wide range of devices and applications interacting with the organisations core systems, there are an enormous number of combinations of potential threats.
To be seen or not to be seen
In the animal kingdom prey often send signal to predators to save them the inconvenience of a fruitless pursuit. One example of this is the meerkat signalling to the jackal that he has been spotted and if he comes any closer, they will all be gone before he gets there. Similar with security, sometimes it pays to signal that predators should stay away.
The obvious examples of this type of security are various login and password checkpoints. However, the limitation of this type of security is that the organisations users have a low tolerance for it and tend to find ways around it, if it gets too annoying. One example of this is widespread sharing of logins and passwords – the IT equivalent of propping the fire-door open with a brick.
This type of user behaviour is just one of the reasons it is also important to have hidden security. Because hidden security does not inconvenience the user, they are unlikely to attempt to circumvent it. This combined with activity logging and audit trails also increases the probability of early detection of a potential threat. This type of security needs to be balanced against the system performance implications as well as your organisations HR policies and procedures.
There is no doubt that there are real threats to every organisation’s IT systems, some will be specifically targeted at an organisation, many will be unintentional or accidental, and more still will be because there are people in the world who enjoy seeing what damage they can do through viruses, malware, ransomware and various other means. It would be nice to live in a world where this was not the case, but unfortunately it is, and so IT security is a fundamental requirement of every organisation.
Somerville has been partnering a wide range of clients to provide them with IT security solutions for many years. We pride ourselves on delivering the right solution to meet your organisations needs and budget. Please contact us via the enquiry form so we can discuss your organisations needs and create a solution that fits your organisations requirements, now and in the future.
About the Author
Craig Somerville is the founder and CEO of Somerville IT with over 30 years’ experience in the IT industry, Craig has spearheaded the growth of one of Australia’s leading providers of IT solutions to schools and corporates.