IT Security - Caught in the Net
With the publication of a new British Standard this week, the importance of IT security is likely to grow, says Nick Huber
A team of hackers has breached your company’s firewall and is poring over top-secret commercial information in your company’s general ledger. It’s a modern nightmare for finance staff. The hackers can alter whatever figures they like because the security system doesn’t know they exist.
It’s an increasingly common scenario but the infiltrators are not just a bunch of teenage computer nerds locked away in a bedroom. Instead, they are a team of security experts from KPMG’s information security practice conducting an authorised ‘penetration test’ to find out how secure a company’s information network really is.
Everything is agreed in advance between the company and the authorised hacker, of course, from the parts of the company network the team will try to access – posing as an internal employee or external hacker – to the amount of time they have to do it.
And it’s a role play that the team is good at. ‘We have a very good success rate,’ says Leslie Roberts, the head of information security management at KPMG. ‘As internal employees, the rate is 100%.’
With the explosive growth in corporate computing, email, internet access, intranets and extranets, information security has become a key issue for most finance directors and their auditors. Companies not only have to contend with external security threats from internet hackers and software viruses, but internal security headaches from disgruntled or IT-ignorant employees.
Security vendors have a vested interest in playing on public fears over hacking and software viruses. But the seriousness of Melissa, the recent high-profile computer virus, needs no exaggeration. The virus, a macro carried in Microsoft Word 97 and Word 2000 documents, mailed infected documents to addresses taken from the user’s email address book. It has forced some companies to shut down their entire email systems and prompted an unprecedented warning from the FBI.
Recent research from Infosecurity 99, the exhibition organiser, which is holding its annual IT security conference at London Olympia today, estimated that non-business internet use costs a large company, with an average annual salary of £20,000, £2.5m a year. The survey of 191 companies found that the average employee spends half an hour a day surfing the internet for personal purposes, such as looking for another job or visiting ‘adult’ websites.
It also found that only 35% of companies had a formal policy for controlling internet use. And when it came to email security, many respondents seemed complacent. Only 43% of companies had a policy to filter incoming emails – all of which could carry potentially damaging viruses.
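The incoming-mail filter the survey asks about is straightforward to sketch. The following Python is an added example, not code from the article or from any of the firms it quotes; the message it scans is constructed for the example, and the list of risky extensions is an assumed policy rather than one the article specifies. It flags attachments that could carry a macro virus of Melissa’s kind, checking the OLE2 compound-file signature that Word 97 and Word 2000 documents begin with as well as the filename, so that a .doc renamed to .txt is still caught.

```python
"""Incoming-mail attachment filter (added example, not the article's own code).

Flags attachments that could carry a Word macro virus or native code. The
sample message is constructed inline; RISKY_EXTENSIONS is an assumed policy.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions that commonly carry macros or executable code (assumed policy list).
RISKY_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt", ".exe", ".com", ".bat", ".vbs", ".scr"}

# First eight bytes of an OLE2 compound file, the container format used by
# Word 97 / Word 2000 .doc and Excel .xls files. Checked regardless of filename.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def risky_attachments(raw_message: bytes) -> list:
    """Return one dict per attachment that trips the filter, in message order."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"extension {ext}")
        # Content check: a renamed Word document still starts with the OLE2 header.
        if payload.startswith(OLE2_MAGIC):
            reasons.append("OLE2 compound file (Word/Excel 97-2000 container)")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Construct a three-attachment message for the example (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Figures attached, please check the spreadsheet before Friday.")
    # A fake Word 97 document: OLE2 header plus padding, renamed to look harmless.
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 504,
                       maintype="application", subtype="octet-stream",
                       filename="list.txt")
    # A fake executable (MZ header plus padding).
    msg.add_attachment(b"MZ" + b"\x00" * 62,
                       maintype="application", subtype="octet-stream",
                       filename="setup.exe")
    # A genuinely harmless text attachment.
    msg.add_attachment("Quarterly figures\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in risky_attachments(build_sample()):
        print(finding["filename"], "->", "; ".join(finding["reasons"]))
```

Run stand-alone it reports list.txt (by content) and setup.exe (by name) and passes notes.txt. The point of the magic-byte check is that an extension policy on its own is defeated by renaming the file; the content check is what makes the exception for ‘binary files’ that departments ask for a conscious decision rather than a loophole.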
Quite often, however, information security hassles are caused inadvertently. Chris Miller, director of Deloitte Consulting and a risk management specialist, says networked PCs make it easy for employees to make blunders.
‘Someone can take a copy of a spreadsheet and change something in it,’ he says. ‘It then gets written into the master copy. It’s an error, but not a malicious one. Everything then depends on whether the system manager can bring back the last copy of the spreadsheet from the archive.’
In response to the dizzying pace of change in the IT industry, the government has updated the information security standard BS7799 to include new areas of concern such as outsourcing and e-commerce. The original BS7799 was launched four years ago, and the recent update continues the institute’s efforts to promote a more realistic attitude towards risk assessment by requiring companies to identify and protect the core information and business processes that are essential to their survival.
The latest standard represents a radical overhaul, and one that was well overdue according to some industry observers. With a nod to the increasing globalisation of business, the updated BS7799 aims to become more ‘internationally applicable’.
It also attempts to define risks arising from third-party access to a company’s network and places greater emphasis on the myriad forms of communication that exist in the office – voicemail, networks, multimedia and mobile computing. And, in an effort to keep up with the growth of e-commerce, the revised standard refers to the various forms of encryption.
The new standard could transform the way companies view information security risks if it becomes an industry standard written into contracts to guarantee commercial confidentiality.
Some companies, particularly in the financial sector, have an internal risk management department. But for many, the onus for information security will fall on the finance director.
Jon Grant, technical director at the Auditing Practices Board, stresses, however, that it is not the responsibility of the accountancy auditor to examine a company’s information security policy. He argues that audit is concerned with verifying a company’s past financial performance, while a company’s IT security policy focuses on future risk.
‘Information security is terribly important for competitive advantage but not terribly important when seeing if a company made £10m,’ he says.
For a year now, companies have been able to obtain a BS7799 certificate after inspection by authorised third-party accreditors such as the National Quality Assurance and the British Standards Institution (see box below). Although uptake has been limited – the BSI, for instance, has awarded certificates to fewer than ten companies so far – the new BS7799 could still spark off a round of certifications.
KPMG’s Leslie Roberts, who sat on one of the DTI industry committees which shaped the revised standard, believes it could take off if rival companies compete to hold the quality kite mark. ‘The certificate might start a chain reaction. Organisations might decide to do it even if there are no quantifiable benefits because everyone else is doing it,’ she says.
The emerging standard also provides another source of consulting revenue for the Big Five firms. But Roberts argues that striving for the standard is not an exercise in IT overkill. ‘The process of getting the accreditation is an excellent discipline,’ she says. ‘Most companies look at operational, commercial and strategic risks. But they should consider the technical risks for these at the same time. It’s a holistic look at a company.’
The certification process has also spawned a new breed of auditor – the information security specialist. David Watson, who works as an auditor for the NQA, says the investigative nature of the job inevitably creates distrust among staff at the company under inspection.
‘Everyone tries to keep an auditor out,’ he says. ‘People never volunteer information to an auditor. You have to ask the right questions. They want a certificate and it’s like being in the witness box.’
A typical job might involve checking that a company enforces its six-character minimum password length by having employees demonstrate the password controls or other security measures in action.
Phil Mawson, national IT project manager for Kidsons Impey, is at the sharp end of IT security. He explains that one of the main challenges confronting him is to agree a ‘national’ IT security policy across the firm’s 29 offices. ‘The main problem at the moment is that IT policy is decided by IT managers in local offices,’ says Mawson, adding that Kidsons is about to hold a national IT conference to promote discussion on the issue. ‘We have 29 different security standards in what are, in effect, franchises.’
The firm is also implementing a new practice management software application across all offices, raising vital security issues concerning employee access. ‘We’ll have a national client base and believe in sharing information,’ says Mawson. ‘But you need to be careful about what access different grades of staff have.’
Faced with a bewildering array of security threats and ‘bullet-proof’ fixes, many accountants simply switch off, according to Robin Mathieson, director of information technology at the Scots ICA. ‘Many people have an information security policy but how many really have a disaster recovery policy in place? Many also find information security a fairly boring topic.’
In a bid to overcome this apathy, the institute launched an interactive website a year ago for members to hold confidential online discussions on business and IT issues. Mathieson admits the response so far has not been overwhelming, but he adds: ‘I believe in the ketchup bottle principle. You shake it and at first you only get a trickle but then a flood comes out.’
One of the most damaging perceptions surrounding information security is the belief that a company’s diverse financial and commercial security needs can be met by an official security policy and the latest anti-virus software.
Jonathan Fowler, director of city-based JCP Computer Services, a data security vendor, believes many companies spend a lot of time and money putting in place sophisticated security systems, only to overlook some commonsense non-IT precautions.
‘One company I knew had a very good security system with passwords for access to systems,’ he says. ‘A lot of personal assistants, however, had access to their bosses’ computer systems and there was nothing to stop a rival company paying to access their director’s system. Companies forget about the human factor.’
The human factor, Fowler adds, also applies to firewalls, the increasingly common security software which sits on a company server and filters information passing in and out of a company’s network.
After they have been configured, adds Fowler, they can be difficult to administer. ‘Are there any holes in the firewall? The marketing department, for example, often receives binary code files which get through the firewall if the company makes an exception.’
With so many applications becoming web-enabled, companies are forging closer links with their supply chain and providing more-up-to-date information to customers.
Roberts, however, offers a note of caution to finance directors keen to embrace the internet. ‘The internet is a popular and sexy area but businesses are jumping in with their eyes closed. Management is not overwhelmingly IT aware and may not be aware of feedback from IT staff that you can’t guarantee service levels over the internet.’
The information security vendors, certification providers and Big Five consultants are bound to welcome the revised BS7799 standard – and a consequent rise in awareness of security issues. IDC, the IT researcher, predicts the worldwide market for internet security software will top $7.4bn by 2002.
Information security deserves the higher profile, particularly among accountancy practices, but many finance and IT directors will struggle to find the solution that really fits their organisation.
HOW TO GET A BS 7799 CERTIFICATE
The first step to getting a BS7799 certificate involves drawing up an information security policy, explains Kay Ruddeforth, product manager at British Standards Institution Quality Systems. ‘It’s very important for a finance director,’ she says. ‘The commitment has to come from the top and should be endorsed by a board member.’
When a written policy is in place – usually a page outlining key commitments – the risk assessment can begin. This identifies a company’s assets and the different security risks they face. Companies can do this on their own or call in a consultant. The risks vary according to the IT system. ‘If a company has a local area network and one server, then the server needs to be running 100% of the time,’ says Ruddeforth. The server becomes the company’s number one priority.
The next task is to document business processes and procedures in accordance with the information policy allowing a certification party such as the BSI to come in.
The two-phase audit tests the theory and practice of the information security policy before awarding a BSI certificate. Companies can then use the BSI logo on company material.
A certification can be carried out over a couple of days or take as long as a month. Prices vary according to company size and complexity of IT infrastructure, but BSI charges start from £1,500 for a simple system with no remote users.
INFORMATION SECURITY – GOLDEN RULES
Don’t fall into the trap of thinking that IT security is just ‘a techie thing’. ‘It’s not just an IT issue, it’s a business issue,’ says Leslie Roberts, head of information security management for KPMG. It also pays to bear in mind that security problems do not always have a technical solution – whatever the vendors may tell you. The availability of vital data often rests on people and manual procedures.
Highlight the main risks facing your company and don’t let BS7799 dictate the security policy, advises Roberts. ‘Risk assessment was one of the weaknesses of the old BS standard,’ she says. ‘I didn’t agree with its ten key controls and don’t blindly follow someone else’s criteria.’
An information security policy should save your company money and reduce errors.
But after the system is in place, it’s important to monitor how effective it is. You may have a state-of-the-art firewall, but if no one is attacking the company’s network then shelling out for a second one is a waste of money.
‘You also need to know the cost of password resets, and who forgets them,’ adds Roberts.
DATA PROTECTION – THE LAW
The Data Protection Act, which is expected to come into force this summer, started life as a European Union directive and is being implemented across EU member states. The main difference from the old 1984 Data Protection Act is that the new one applies to manual (paper) records, and not just computer data.
Another important difference for companies to consider is a greater emphasis on individuals’ right to see information about themselves that is earmarked for use in direct marketing campaigns. The individual’s right to view other personal data is also enshrined.
The range of data processing that falls under the Act’s remit is now wider – from the ‘collection to the destruction’ of data – and places more restrictions on automated decision-making systems.
Also, companies sending data outside the EU will have to meet detailed criteria to guarantee its safety.
Although the full effect of the Act may well take years to sink in, the Scots ICA has raised concerns about the extra workload on businesses that are already ‘swamped’ with year-2000 and euro-compliance issues.