IT Focus - Know the enemy

Computer technology has brought about the knowledge economy. But as well as enabling you to make more money, dependence on IT creates a host of new threats, as year 2000 doomsday reports attest.

In February, the Infosecurity exhibition organisation and Check Point Software Technologies lambasted the accountancy profession for putting confidential client data at risk by failing to protect internal networks from intrusions via Internet connections.

The Infosecurity team contacted 150 medium-sized accountancy firms and found 85% of the firms used the Internet – 30% of these firms were connected through to their network, but almost two-thirds of Internet users did not have firewall protection.

The survey, like many others commissioned by IT security suppliers, played heavily on commercial fears. It highlighted the profession as a weak spot in the ‘chain of security’. While major companies spend huge amounts on IT and security, their accountants could be exposing sensitive information to potential theft, breaches of confidentiality, manipulation and file deletions.

The Internet greatly increased the profile of hackers, crackers and malicious virus writers. And if the menace is sometimes overplayed, it does not override legitimate concerns about the security and reliability of financial transactions and data interchange online.

While complacency and ignorance are probably the greatest threats to a firm’s information security, panic inspired by scare stories or overreaction to incidents once they have happened do not make for sensible strategies.

KPMG’s head of information security, Leslie Roberts, cautions against focusing on inappropriate areas, which usually happens when companies conceive a security strategy in isolation from their core business activities.

‘The last thing we want is for people to pay more than the assets they are trying to protect are worth,’ she says.

Dangers lurk in-house

A telephone survey of 1,200 organisations conducted at the beginning of the year by the National Computing Centre showed that 44% of all sites had experienced a significant information breach in the previous two years.

Sites with more than 500 users had the highest incidence of virus attacks (30%) and thefts (28%) and reported average costs of #20,199 for each breach.

But in the overall results, mundane breaches such as power failure (18%) and local area network collapses (17%) were more prevalent, with the average cost reported as #7,146. Follow-up studies showed respondents tended to report only the direct costs of re-instating the service. Replacing lost data or work was generally ignored. With these elements included, the average total bill was three times the reported costs.

User errors and deliberate staff misuse contributed to a significant number of breaches. Of the most serious incidents, 57% were reported to be ‘accidental’, compared with 24% that were due to malicious action and 15% that were blamed on hardware, software or power failures.

Kevin Hayes, marketing manager for the security evaluation and certification service ITSEC, concluded: ‘Most organisations rated security very high, but only 39% had a security policy in place. There is a discrepancy in what they say and what they do.’

When a risk-assessment expert is called in to evaluate an organisation’s IT security measures, they will start by examining existing management control mechanisms.

BS 7799 is directed at creating a more realistic risk-assessment culture based on protecting the information that is essential to a company’s core processes and business survival. The information security policy is a first step.

To be effective, it should be propagated through education and training, and be regularly reviewed. ‘You need to get senior management buy-ins and budgets to do it effectively,’ says KPMG’s Roberts.

Even the best management practices cannot protect a company from mishaps.

Any decent security policy should include contingency plans for what to do in these situations.

The NCC found that fewer than half the organisations which had suffered a security breach had a business continuity plan in place. Of those which did, 90% reported that their rescue measures helped to reduce the impact of the incident.

Worst case scenarios – the flood, bomb attack or virulent virus outbreak – would be covered by disaster recovery procedures, but contingency planning also extends to simple measures, such as taking regular backups and storing them off-site. And don’t forget insurance cover.

Firewalls should be a must

Infosecurity’s survey highlighted the danger of connecting the office network to the Internet without any protection. In the words of one network expert, any electronic connection can be a route into your system unless it is properly configured.

Firewalls are the most dependable barrier. They usually consist of a dedicated PC at the point of connection which filters incoming traffic and prevents unauthorised data transfers from the internal network to the Internet.

Accurate measurements for Internet breaches have proved difficult to collect in most security surveys, with many companies reluctant to advertise their vulnerability.

For risk-assessment purposes, remember also that a firewall does not protect the firm from internal breaches, a more common source of trouble.

According to the NCC’s 1998 survey, larger companies are most prone both to external virus attacks (experienced by 30% of firms in the past two years) and to internal viruses (17%). Overall, a quarter of all companies have probably encountered a virus. For accountants who take in files and data on disk, the proportion is probably higher.

Coopers & Lybrand recently went public with its experiences of a major virus attack and announced that it had signed a deal with Dr Solomon’s to equip its 10,000 PCs in this country with the company’s security Toolkit.

Coopers receives monthly updates to cater for new virus strains and scans every incoming disk for infections.

The study by Infosecurity found 92% of the accountancy firms surveyed were aware of the need for anti-virus protection and had invested in anti-virus software.

Backup procedures essential

The most essential and effective precaution a computer user can take is to make regular, systematic copies of the data created. Procedures for switching between half-daily, daily and weekly backups on different tapes grew out of the mainframe environment. The PC boom saw an erosion of these disciplines.

Any network server these days however is incomplete without a backup tape drive. More assiduous sites will invest in servers or disk arrays that maintain a live mirror copy so they can be switched in immediately in the event of a major failure.

The Internet is more than a source of danger. Several companies now use it to offer remote backup services.

If your internal resources cannot be trusted to run the backups regularly, firms such as Datanet (Fleet, Hampshire) DataSave (Hounslow, Middlesex) or DataSafe (London) will do it for you over the wire.

The DataSafe starts at around #150 for an annual service and is calculated by the amount of time required online. With an ISDN connection, the monthly fee is 28p per megabyte.

Infosecurity and Check Point highlighted the responsibility of accountants to protect the confidentiality of client information as a particular vulnerability. Yet just 7% of medium-sized firms used encryption.

Public domain software can be downloaded from the Net to scramble sensitive data for either transmission or storage. Given concerns about the Net, many firms might prefer to seek commercial suppliers who can offer a better prospect of long-term support.

As with password access controls and backup procedures, encryption introduces extra responsibilities for users. All users must follow established procedures to encode data and must ensure the decryption keys are kept secure, but not in such a way that the firm could be unable to recover the information.

To summarise the overriding philosophy, KPMG’s Roberts invokes a common mantra: ‘Information security isn’t a technical issue, it’s a people issue, reliant on the way people work, their training and awareness. We’ve moved out of the environment where you can get security out of technical systems. You have to change the way people work with their PCs.’

BS 7799: INFORMATION SECURITY MANAGEMENT

The information security policy is one of the main elements of the British Standard code of practice for information security, BS 7799. According to Leslie Roberts, KPMG’s head of information security, BS 7799 is seeping into business life, with companies asking their suppliers to show compliance.

Published by Disc, the technology and telecommunications wing of the British Standards Institute, the standard is in two parts: a code of practice and a set of requirements for which companies can seek third-party accreditation.

Disc published ‘BS 7799: Part 2’ in February, which provides the framework for the C:Cure certification scheme, launched by the Department of Trade and Industry at the end of April.

Part 1 of the standard sets out over a hundred information security controls.

Ten of them are highlighted as the key controls (see below).

‘BS 7799 talks about all types of standards and controls that ensure you’re managing information properly,’ says Roberts.

But she adds that no matter how sophisticated a precaution is, it cannot work without a proper appreciation among all staff. A technically sophisticated password-control system, for example, will be compromised if people write their passwords on Post-It notes and leave them lying around their terminals.

Typically Roberts encounters BS 7799 within organisations where senior managers have passed it to the IT department and told them to implement it. The technology specialists are not so good at addressing the people issues, she suggests, and the precautions do not take enough account of the business’ wider priorities.

‘Many organisations are far behind at putting mechanisms into place to identify where they’re actually having incidents,’ warns Roberts. ‘You can’t manage what you don’t measure.’

The NCC’s survey suggests that BS 7799 needed a shot in the arm. A quarter of all respondents were aware of the standard, but only 41% of them had actually reviewed their precautions against it. If that pattern holds across the country, just over a tenth of all companies have bothered to follow the standard.

TEN KEY INFORMATION SECURITY CONTROLS

– produce a security policy document

– allocate responsibilities to individuals

– provide education and training

– set up a reporting system for security incidents

– introduce virus controls

– develop a business continuity plan

– control unauthorised software copying

– safeguard company records

– comply with data protection laws

– follow the published security policy.