Sunday Business Post | Irish Business News


Good management is vital to security
Sunday, July 06, 2008
Firms can take a number of steps to beef up security and ensure corporate information is safeguarded, writes Brian Terry.

Much has been written of late about the need to safeguard corporate information so that it doesn't fall into the wrong hands.

Identity theft has become an issue that seems to have grown in importance recently on the back of big media stories on the loss of laptops at institutions such as Bank of Ireland and the Irish Blood Transfusion Service.

Much of the focus on identity theft has centred on the need for organisations to tighten up security procedures to ensure that members of the general public are protected in the event that devices containing customers' personal information do go missing.

While this is as it should be, the impact of the loss of corporate data on companies themselves is often underplayed. This is somewhat puzzling because, just as individuals can find themselves at the whim of third parties who get their hands on vital information, so can firms.

Loss of corporate data can not only lead to severe embarrassment if it becomes public knowledge, but can also prove costly if company secrets end up in competitors' laps.

While we tend to imagine such events only occurring through the loss of laptops and other devices or as a result of break-ins, there are far easier ways for your classified information to become public knowledge.

Visit any online message board and you'll possibly come across information that you shouldn't necessarily know. Talk to a dissatisfied employee from a rival company in any social setting and again you'll gain insights that aren't meant for general consumption. Admittedly it's not easy to gag members of staff.

However, taking care to ensure that security procedures are in place to limit the availability of sensitive data and to respond if it does become widely known is essential.

It's easy to downplay the issue but according to a 2006 survey carried out by the Centre for Cybercrime Investigation, along with the Information Systems Security Association (ISSA) and University College Dublin's School of Computer Science and Informatics, the problem of organisational identity theft, which is considered a relatively recent phenomenon in terms of cybercrime, had been experienced by 17 per cent of respondents.

“In terms of coverage on this issue, I think most coverage has focused on individual identity theft which involves individuals, for example where an organisation suffers a security breach that compromises sensitive information which could be used to steal the identity of customers, citizens, etc.

The issue of true organisational identity theft is still fairly obscure in Ireland and primarily discussed in fraud circles where it is definitely a problem in some areas,” said Owen O'Connor of ISSA Ireland and Security Careers, a recently established specialist recruitment agency for information security.

“Actual organisational identity theft is mainly a detection and response issue rather than prevention, so companies need to put their efforts into awareness and monitoring, for example signing up with a service that can alert on mirrored websites or new domain registrations, carefully checking order confirmations from suppliers, monitoring for any unusual shipping arrangements on orders, etc,” said O'Connor.

The truth is that the hard facts needed to ascertain just how much of a problem organisational identity theft is are not available. As Brian Horan, managing director of BH Consulting, an independent IT consulting firm specialising in information security, notes, unlike the US, where there is an obligation on firms to disclose if they have lost data related to their clients or essential for the day-to-day running of their company, no similar law exists in Ireland.

“There is no legal requirement for companies to take any actions upon discovering that data has fallen into the hands of others - the issue of disclosure is a hotly debated one with people arguing the pros and cons as to whether or not similar legislation should be introduced here,” said Horan.

John Power, senior solutions strategist with CA in Ireland, believes that disclosure laws can be effective in pushing companies to beef up their security procedures so that both customers and shareholders alike can feel safe.

“It is generally accepted that the rate of organisational identity theft is on the increase and that the number of incidents is under reported each year for a variety of reasons. Firstly, there is an obvious absence of widespread industry reporting, even though there is evidence of some of the consequences. Secondly, there is no legislation to mandate security breach disclosure in Ireland,” said Power.

“In the US, many states now require immediate disclosure, and that's led to some high profile cases coming to light. That, in turn, internalises the costs of such breaches because the firm's reputation suffers. Companies therefore start proactively, rather than reactively, dealing with risks.

“What we do know is that last year's Irish cybercrime survey found that 46 per cent of organisations suffered some form of information leak, but only 11 organisations reported a security data breach to the Data Protection commissioner. Clearly, there's a gap here that needs to be plugged,” he said.

According to the Deputy Data Protection commissioner, Gary Davis, companies are slowly wising up to the importance of introducing strict security measures, predominantly as a result of media coverage of the issue.

“A recent survey carried out by the EU would seem to indicate that, while there is a large amount of awareness of data protection and, by extension, the need to protect personal data, it also revealed a certain amount of complacency, particularly on the part of smaller businesses and organisations.

“In some respects the recent high profile media coverage of data loss in the IBTS, Bank of Ireland, AIB, Jobs.ie has highlighted that data loss can affect any organisation and the implications can be great in terms of reputation and customer trust,” he said.

Davis added that there is room for improvement in terms of how organisations secure their personal data. The Office of the Data Protection Commissioner has also outlined concerns in terms of how Government bodies control access to data as well.

There's no getting away from the fact that there are costs involved for those organisations looking to tighten up their security procedures so as to cut down on the likelihood of identity theft occurring.

However, as Vivienne Mee, computer forensics consultant with Rits Information Security, notes, it's a small price to pay for ensuring that your data is secure.

“The implementation of correct security procedures can be costly at the outset; however, the potential cost of a breach outweighs the costs of the implementation, not just in monetary value to customers, but also in reputation,” said Mee.

Such an assertion is backed up by O'Connor who claims that companies need to stop thinking reactively.

“Organisations need to take security seriously and resource it appropriately, they need to maintain focus over the long-term rather than just responding to immediate crises or external pressures, and they need to embed security considerations into every business process,” said O'Connor.

As John Power notes, organisations can take a number of steps to beef up their security both internally and externally so as to crack down on possible security breaches.

“The first step here is to keep the bad guys out by implementing perimeter security such as anti-virus, anti-malware, firewall, intrusion prevention and web and content filtering technologies, something which most large and medium-sized companies are good at,” said Power.

“Just as the company protects its physical perimeters with doors, alarms and security guards, so they should protect their electronic perimeters. Then, it's important to better manage the good guys by implementing identity and access technology to centrally manage identities and their access to sensitive information across the IT infrastructure.

“Finally, and the message is starting to get through to companies now, all mobile devices that contain sensitive company information (no matter how little), should be encrypted,” he said.

Returning to the thorny question of disclosure in the event of a security breach, the general advice is that companies should alert the Office of the Data Protection Commissioner, particularly if information pertaining to customers becomes compromised.

However, while many security professionals are in favour of the introduction of legislation to compel organisations to disclose breaches, some worry about the rush to reveal all.

“Although the current attention to information security and security breaches is very welcome, there is a danger that the sudden public interest in this area could force government to introduce new measures without proper consideration. As an example, there have been many suggestions that mandatory public disclosure of security breaches would improve the situation, but I don't agree; there may be a place for confidential breach reporting, but in general I think premature public disclosure is the most damaging thing that could be done in most cases,” said O'Connor.

He said the recent BoI admission that laptops had gone missing was a perfect demonstration of how early disclosure can make matters worse.

“They had agreed with the Financial Regulator that they would not inform customers for two weeks to allow an investigation of circumstances and scope of the breaches.

“Instead RTE broke the story a few days later and BoI were forced to put out early and inaccurate information, saying that it had only affected 10,000 customers, etc. All of this information later turned out to be incorrect but in the meantime they had told whoever was holding the laptops everything they needed to know so that if the thieves had a list of the full 31,500 customers affected they could just ignore the 10,000 BoI had already identified,” said O'Connor.

“There are certainly areas where the government could help to improve this situation, for example consumer protection around credit, but there are very few international examples to follow and we will have to be very careful not to make the situation worse or to affect Ireland's competitiveness,” he said.
