Sleepless frights

By Leif Gamertsfelder

By taking a few simple steps, organisations can make nightmarish security breaches, and the liability that follows them, far less likely.

A number of recent hacking cases and Internet scams involving both public and private sector organisations demonstrate the importance of managing Internet security risks effectively. Managing these risks is essential if organisations are to avoid the severe legal and commercial consequences that can flow from a security incident.

While no organisation will ever be able to guarantee that it will never suffer a security breach, Australian organisations must ensure that they take reasonable steps to minimise the risks of a successful attack and effectively respond to security incidents if they do occur.

Recent Internet security incidents involving utilities, financial institutions, Internet Service Providers and online retailers merely illustrate the real risks that senior management must respond to if they are to maintain operational efficiencies and competitiveness in an online world.

Senior management must also respond appropriately to avoid both personal and corporate legal liability.

Understanding the risks is crucial. If a manager cannot identify or appreciate a risk, that manager will not be in a position to determine whether the organisation is effectively managing that risk. This creates an extremely dangerous situation if the risk is substantial.

All senior management should attend a formal briefing on the Internet security risks facing their organisations. It is critical that this briefing be delivered in plain English, without the jargon or technobabble that so often intrudes into such presentations and obscures the important operational issues. Ideally, the briefing should be conducted by in-house personnel, but if they do not possess the requisite expertise, external assistance should be obtained.

The importance of executive e-security briefings cannot be overstated. If management are provided with clear information regarding security issues, they will appreciate the risks that internetworked environments pose for their organisations. If they appreciate the risks, directors and officers will naturally be supportive of strategies to manage security-related risks.

Indeed, it is highly arguable that under a range of laws senior management are required to attend executive briefings on security issues where the organisation is connected to the Internet. For example, the Corporations Act requires directors and officers to take reasonable steps in managing the corporation. Obviously, as recent cases demonstrate, directors and officers have a duty to inform themselves of the affairs of their corporations. Given that internetworked information systems are core business systems, electronic security is one matter that directors and officers almost certainly have a legal obligation (apart from it being mandatory from a purely commercial perspective) to inform themselves of.

Although obtaining executive buy-in to security issues is crucial to ensuring that an appropriate e-security strategy is implemented organisation-wide, executive involvement must not cease after an initial briefing. Senior management must be involved in the Security Management Cycle on an ongoing basis.

The Security Management Cycle (SMC) is a high level description of the activities that effective managers use to manage security risks. The SMC is a template that executives can use to ensure that security planning and management are tracked according to generally accepted industry standards. The benefit of using the SMC as a management template is that it will achieve the twin aims of minimising the scope for organisational and individual liability as a result of a security incident. It achieves these legal risk management aims because by applying the SMC to the day-to-day operations of the organisation, senior management can require reporting from subordinates that is aligned with the SMC. And they can use these reports to assess the effectiveness of security risk management within the organisation.

Risk management phases

The four main risk management phases of the SMC are audit, planning, implementation and monitoring. Any organisation will cycle through these phases over a given period of time. The audit phase must be refreshed every time there is a significant change to network architecture, or every six to 12 months, to ensure all material risks have been identified. The outcome of any audit will obviously have flow-on effects for planning and implementation. If different plans or technology are implemented in light of new audit findings, monitoring activities will obviously also need to change. Although this is only a snapshot of the utility of the SMC, senior management should note that if they utilise the SMC in their decision-making process and require reporting consistent with it, they will go a long way towards discharging their legal obligations and reducing commercial risks.

Figure: Security Management Cycle (audit, planning, implementation, monitoring)

Once management buy-in is achieved and business practices and reporting are aligned with the SMC, organisations will have taken significant steps to managing the legal, commercial and reputational risks associated with security incidents. But collateral issues will still need to be addressed.

Although the SMC is a good template for risk management in this area, it by no means covers the field. Obviously issues such as employee/ user education are extremely important.

It is trite to say that the weakest link in any security architecture is a user (eg, a customer, business partner or subcontractor) or an employee. The recent Web site spoofing attacks involving Australian banks demonstrate that a little knowledge would go a long way towards making business systems more secure. The only effective way to strengthen the weakest links is to provide adequate training and continuing education on security issues. If an organisation does not provide adequate training and education for a user or an employee, it will have very little scope for taking legal action against, or disciplining, that person. If it has no scope to do this, it has no legal leverage over the person in this context, and hence the person will continue to pose an unmanaged security risk to the organisation.

Security education is neither hard nor expensive. It is a straightforward matter to draft and impose clear technology use policies and to require employees to view material such as the readily available Sleepless Frights security education videos. These simple steps can substantially reduce security risks. Despite the ease with which user or employee risk can be addressed in this context, a litany of court cases reveals that many organisations get it wrong when they attempt to enforce their legal rights against individuals.

Then there is the issue of insurance. Why not just insure against electronic security risks? Standard insurance policies do not generally cover electronic security issues. Insurance cover for electronic security related incidents is extremely difficult to obtain and often very expensive. But in many ways insurance cover in this context is not on point.

Security risk management involves taking proactive steps to ensure that a particular type of security incident does not occur. Insurance may mitigate loss in the event of a security incident, but it is only one small part of a much more important body of security planning, namely business continuity, disaster recovery and incident response planning.

Choosing a secure platform

It may at first appear strange that in an article about electronic security things like software and hardware have not been mentioned. This is because managing the legal and commercial risks in this environment is primarily dependent on implementing effective processes and procedures, not technology. If the process is in order, the appropriate technology will generally be implemented. But if poor processes are in place and poor reporting results, then it is almost certain that poor technology choices will be made.

However, once choices regarding the acquisition of technology are made, senior managers have to ensure that the agreements that usher in this new technology adequately protect the corporation's interests. This is equally important whether the acquisition is of outsourced services, software or hardware. Time and again, technology agreements fail to turn the promises made during the sales cycle into enforceable legal rights should something go wrong.

Some companies make blanket promises about the business outcomes that a particular service or product will support, but when it comes time to put pen to paper, the agreement fails to capture those promised outcomes. As a result, customers acquiring security goods or services often have no legal leverage over providers apart from some loose specifications that are incapable of precise definition or of supporting any type of legal action. Senior managers need to ensure that technology agreements for security goods or services clearly capture business outcomes as obligations on providers, so that risk is managed in this area.

Senior managers need to constantly remind themselves of the four simple steps that they must take in order to minimise legal and commercial risk in relation to maintaining internetworked information systems. First, they must ensure they are always fully informed about the high level issues impacting their organisation. Secondly, they must ensure processes are in place that map to the SMC or some other generally accepted industry standard. Thirdly, they must ensure that education issues are addressed. And, finally, they must ensure that risk associated with any security technology contract is addressed. If these issues are addressed, senior management will go a long way to minimising both organisational and their own personal liability in the event of a security incident.

Leif Gamertsfelder is the Head of E-Security Group, Deacons www.deacons.com.au
