ICT security about more than technology

Education, not firewalls and software, is the answer

May 14, 2010

By Simon Webster, Technical Consultant, The Webcom Group

Government is working towards developing better, more efficient ways to deliver its services, using a variety of new technologies. Unfortunately, this is accompanied by a host of new risks. Organisations and individuals are increasingly falling victim to threats such as viruses, identity theft, and other forms of cybercrime – but for Government the risk is far greater. As with the corporate world, technology is an enabler to address security concerns, but the fact remains that ultimately the key to effective security often lies in the people who have access to the information.

Government needs to build continuously on a security-conscious mindset by implementing more distributed security awareness campaigns in order to make sure that its employees are aware of the repercussions of their actions.

Government, like many organisations, stores sensitive information about people. But unlike most organisations, its database is far larger and more complete and is not restricted to a particular group of clients or customers. For this reason, it is a prime target for cybercriminals. And the repercussions of a security breach are enormous, compromising the security of an entire country as well as the reputation and credibility of Government departments.

The weakest link

While there are various technologies that can assist in safeguarding sensitive information, the weakest link is ultimately the people who have access to this information – Government employees who work with it on a daily basis. Human error and insider malice or sabotage continue to be a sore point for security in Government and many other organisations. And because Government information and infrastructure are the backbone of any country, sensitive information is often a prime target for those with political and terrorist motivations.

Security breaches could be due to ignorance, error, or disregard for the security policy on the part of the employee. Employees may intentionally violate the security policy either because they feel that their actions will not have significant consequences, or because they wish to use the information to their own ends by selling it for malicious purposes. The possibilities are numerous and can also include the introduction of malicious files or bringing a whole network down – either intentionally or unintentionally. Disgruntled employees pose an even greater risk to Government; IT employees familiar with the network and infrastructure, for instance, have the potential to do even greater damage.

Security vs productivity?

Security technology advances fast enough to provide an adequate security solution to almost every security threat. However, there is often a fine line between maintaining security and compromising accessibility or usability, which ultimately impacts productivity.

In today’s working environment one thing is clear: information security cannot compromise information sharing – and vice versa. As new technologies such as mobile devices and USB sticks allow for more efficient handling of information, at the same time they increase security vulnerabilities.

Striking a perfect balance between productivity and security can be difficult, and should depend on the specific working environment and type of information being handled.

Avoid the Paper Tiger syndrome

The common misconception that exists in many corporate and Government environments across the world is that ICT security is the sole responsibility of the IT department – once the security policy has been drafted, it is seen as IT’s job to make sure it is adhered to. This idea is problematic because it automatically isolates the issue as a ‘technology concern’, which it is not.

Organisations and Governments that have in the past suffered security breaches usually do have a security policy – it just usually isn’t comprehensive enough, or strictly enforced. It is essential that the security policy of a particular department is well-defined, and vague references need to be avoided. The best way to accomplish this is to closely examine and evaluate how employees use and interact with information on a day-to-day basis. This will allow for the drafting of an unambiguous policy, written using specific terms and references that are relevant to employees.

Second to this, it is vital that the policy is enforced, monitored and effectively communicated to all employees – at all levels. This should take the form of an awareness and training campaign that is not merely carried out once, but continually strives to foster a strong culture of security.

Employees need to constantly be reminded of the security policy, preferably in different formats and via different platforms. If security is top-of-mind, there is less risk of a breach, either accidental or intentional.