
Policy or policing – which method best describes how your business approaches IT security?
In the past, many businesses adopted a ‘policing’ style attitude to maintaining their IT security – blocking websites, stopping employees accessing webmail at work and so on. But increasingly, this style of IT security is finding itself outdated in the modern business environment.
An ever developing threat landscape coupled with a rapidly increasing pace of change in IT environments means that businesses need to radically change the way they safeguard their data.
Over the coming months, we’re going to be examining some of the ways in which policy-driven approaches in today’s Web 2.0 world can radically change the way businesses approach their IT security.
Although policy is generally better than policing, all too often, a policy is simply a document which is referred to only when something goes wrong – almost proof that someone ‘should have known better’.
Modern IT policies need to clearly outline employee responsibilities towards safeguarding data as well as laying out the details of what is and isn’t acceptable in terms of company IT use. By giving the individual a greater degree of understanding as to why a policy is in place and what the implications are should it not be adhered to, a culture of respect and greater responsibility can be fostered.
This is not a quick fix, more a change in mindset needed by companies looking to make IT security work for them without undoing the good that adopting more modern ways has produced.
Watch this space!
Cloud computing is arguably one of the most widely adopted IT trends of recent years. Lured by the offer of flexible, low-cost and easily scalable IT, many businesses are relying more and more heavily on cloud-based applications, storage and security. But the issue of confidence remains a barrier to adoption for many businesses, and significant questions remain unaddressed around the key issues affecting this, one of the most important being security.
Several industry bodies have been established around the world to try and address this, amongst other issues. In July this year, the Cloud Security Alliance launched what it termed ‘the world’s first user certification for cloud security’ and next week, the Cloud Industry Forum is set to unveil its Code of Practice to help increase confidence in hosted services. This is welcome news, and will hopefully serve to at least partially allay some of the fears companies have.
Perhaps what has made the cloud security debate rage quite so fiercely is the fact that issues or breaches have the potential to be catastrophic – to the extent where they transcend business departments to become a major business issue.
But the issue of cloud security is not necessarily as hugely complex as some assert. One of the basic premises for cloud security is the fact that securing the cloud itself is an almost impossible task due to the numbers of providers involved and the level of sharing that is inherent with many cloud-based services. The fact is that by the time data has reached the cloud, it’s normally too late. The potential for data getting into the wrong hands starts from the moment it leaves an organisation, and it’s therefore at this boundary point between the organisation and its external environment that security has to be the key priority for those looking to use cloud-based services. There will always be data that is so sensitive that it simply cannot be allowed to leave a business, and that is why the key priority for improving security of cloud computing lies in the routes between a business and the cloud, not the cloud itself.
As with tangible security risks to homes and business premises, it’s the access points that are always the weak point. Therefore it’s vital to ensure the ‘windows’ and ‘doors’ of cloud computing models are made as secure as possible. Addressing the security of a company’s specific cloud entry and exit points is the best – and simplest – way to get a grip on the potential issues involved to enable businesses to take advantage of all that the cloud has to offer.
The largest fine ever to be imposed on a single company for data security breaches was enforced this week in the UK. Zurich Insurance’s British operation was fined £2.3million following the loss of 46,000 customers’ details in 2008. Worryingly, the firm was not aware of the error until a year after the event.
From the various media reports, the incident seems to have come about following the transfer of data to South Africa as part of an outsourcing arrangement.
Whilst no doubt a particularly severe example of what can happen, Zurich’s experience does draw much-needed attention to the issue of data security, hopefully serving as a wake-up call to many businesses who may have previously felt their IT security was perfectly adequate.
Outsourcing is of course commonplace nowadays in business around the world, having been a focus of efficiency in recent years. Today, technologies such as cloud computing are being adopted at a similar rate of knots as organisations look to take advantage of new ways of making savings. Unfortunately, however, whilst companies are avidly adopting such technologies, often their approach to security is not keeping pace, rendering it inadequate.
Part of the issue may be the all too common misconception that security is simply a cost to a business. Yes, IT security does cost, but really good security will also provide real value to businesses. This value can take the form of saving on IT administration costs, enabling more efficient use of time by staff, allowing a company to be freed from the confines and restrictions of old-fashioned ‘stop and block’ style security and of course, ultimately, safeguarding a brand from the damage caused through data loss incidents.
To a certain extent, IT security will always be driven by a need to comply with regulations and the desire to prevent inbound or outbound damage to infrastructures, but it’s only when companies realise that security can be a valuable asset rather than just a cost that they will see the benefit of their investment.
Clearly there must be regulatory enforcement in place to prevent data loss incidents, but it is sad to see this serve as the sole driver for so many businesses’ IT security when there is such value to be gained in other ways.
A story captured my attention this week about Virgin Media. The company has announced it is to take a more proactive stance in helping customers safeguard against IT security threats by writing to people whose PCs show signs of malware infection.
It’s a positive move, and interesting to see such a well-respected consumer brand following in our footsteps just three months after Clearswift outlined the decision to significantly step up the level of support that customers receive.
The crux of our decision was based on the premise that never before has IT and email usage been so business-critical. Modern businesses are reliant on such technologies to the extent where even the briefest of downtime causes real problems, making 24/7 support a baseline requirement.
In addition, we recognised the huge wealth of expertise and knowledge within our in-house support teams around the world, and decided that it made sense to use this knowledge proactively as well as reactively. The result is that our support centres in the UK, Australia and USA pre-empt potential issues that new threats could cause to our customers rather than wait for them to take effect.
No doubt we will start to see more and more companies follow in a similar vein, recognising the value of proactively engaging their customers – whether consumers or other businesses – to help enhance the service they receive.
Following pressure from online safety campaigners in the UK, Facebook™ recently introduced a Child Exploitation & Online Protection Centre (CEOP) “panic button” application that can be used to report any suspicious behaviour. Since its launch in July the app has been downloaded over 55,000 times and over 200 cases of inappropriate online behaviour have been reported. This is a good example of how technology can be adapted to take a proactive role in protecting the safety of users.
However, having the ability to report inappropriate actions does not change behaviour or educate users to the risks associated with what they are doing. To be truly worthwhile, the button’s introduction must be accompanied by an understanding of why it is there and what the dangers are, and of the requirement for the online community as a whole to act responsibly.
This is the same in the workplace when there are IT policies in place. To be really effective, employees need to understand what the parameters are and, more importantly, why they are there. Otherwise ‘accidents’ happen when they try to find a way to get around them. Again, education and explanation of web and email policy means that people can actively take on board the risks and adapt their behaviour in the long term.
In the midst of what seems like a raging torrent of forward progression when it comes to collaborative web and email tools being accepted in today’s workplace, last week there came a reminder of the way in which concern over the unknown can result in a ‘stop and block’ approach, with Saudi Arabia implementing a block on the use of mobile devices that use remote servers to share data.
The specifics regarding country or technology are irrelevant; however the issues raised are important, whether in relation to BlackBerry usage or cloud based services.
Throughout the week, the story has developed, and indeed it seems that initial apprehensions are on the way to being allayed. However, there are some interesting learnings, perhaps most significant of all being the importance of not only understanding, but having visibility of, where your information and data is.
Any technology which employs cloud-based systems to transfer or store information (and there are countless examples of such technology in use globally) highlights the challenges and complexities of a fully integrated secure IT system. Whereas safeguarding a simple two-way email channel is fairly straightforward, introducing other services adds another dimension, one which can make businesses more hesitant about accepting such tools.
As many organisations have discovered, the answer is simple. At the core is a need for proper understanding and visibility of the way in which such technologies and services interact with a company’s IT system, where information is stored, and who has access to this information. When this is achieved, and when people feel that they do have – where necessary – the ability to control this, another barrier to creating an open and collaborative environment can be ticked off the list.

This week has seen the launch of a national competition in the UK to find the next generation of cyber security specialists. The challenge is being run to help fill out the numbers of skilled computer security workers Britain can call on. This call for new blood into the IT security profession from the Government is an indication of the importance of cyber-security as a national priority; this is not just from a domestic security point of view but also because cyber-attacks have global implications. Most of the commonly known internet security risks are just the tip of the iceberg and there is a lot more going on below the surface.
Our reliance on the internet for personal and business use is increasing by the day, from email and shopping through to collaboration on projects with customers and partners, or sharing information with customers via social networks. And with Web 2.0 we live in an era of openly sharing information. All of these tools and technologies are now recognised as familiar communication channels. However, with familiarity can often come a relaxed approach to what is being allowed into an organisation or sent out via the internet. It is a real balancing act to reconcile strong network security with the need to harness email and collaborative online technologies, which are essential for business growth.
This week Facebook reached its 500 millionth user milestone. Facebook has grown to become the definition of social media, with users sharing everything from friends to important events, like births and marriages. With Web 2.0 tools like Facebook and Twitter we have become a generation who want to share and involve friends and family in the micro-detail of our everyday lives and let them know what is important to us. According to research released earlier this week, as many as one-third of women aged 18-34 check Facebook when they first wake up, even before they get to the bathroom (Oxygen Media/Lightspeed Research).
With this level of reliance on social media what are people doing once they get into work? Definitely not switching it off. We know from global research that we conducted recently that Generation Standby – a group of people who are never socially and technologically disconnected – are still living their personal lives online when they are at work and compensating for doing so by working through lunchtimes or after hours. And in fact, our research also brought to the fore the fact that businesses were actively encouraging employees to use their social networks for business purposes. There is no denying the fact that these technologies have changed the way we live our lives at home and work. By the time it reaches its 1 billionth user – which Mark Zuckerberg believes it will – who knows by how much more it will have impacted our lives.
This week we published the third report from our Web 2.0 in the Workplace global research. The report really brought to the fore how progressive companies are dealing with social technologies and the positive impact that this is having throughout the business.
It was interesting to see how the use of social media and Web 2.0 tools is permeating throughout the business and that it is not seen as just a ‘nice-to-have’ – over half of the businesses surveyed cited social media as ‘critical’ to their business. Access to social media networks was seen as a key driving factor to aid productivity amongst employees – and not allowing this was viewed as detrimental to motivation and employee well-being.
We all know the value of brand perception and reputation management in the social world and our research backed this up, along with almost nine in ten people saying that it was essential to generate new business. And when it comes to building a successful business with the right people, understanding and use of Web 2.0 tools, and of the business benefit they may bring, is now a criterion in many organisations’ recruitment process.
All in all, there is no doubt that Web 2.0 is influencing the way that we work today and those companies who are embracing it know that it is having a positive impact on the operational and commercial performance of their organisation.
BYO (Bring Your Own) technology is not a new phenomenon in the workplace. In fact, if you stop to think about it, most people have probably used their own technology in one form or another in the workplace, whether a USB stick, a smart phone or a netbook.
A recent IDC report has brought the subject to my attention once again. The report explores the consumerisation of IT – or in other words, the way in which employees are using their own hardware, applications and tools to get their jobs done.
The report supports many of the findings of our recent research into staff attitudes towards Web 2.0, specifically the suggestions that consumer-powered IT is turning traditional IT models on their head and serving to bring down the old artificial barriers around the workplace.
It is here that you might expect a security firm to start scaremongering about the dangers of external devices being brought into a company IT environment. But the implications are far more significant than this.
Aside from the obvious concerns around information and data security raised by staff bringing their own ‘home’ devices into the work place, what is more worrying is staff bringing a ‘home attitude’ towards IT into the workplace.
For most people, the way they behave towards IT at home is vastly different to when at work. At home, you might be tempted to open ‘joke’ attachments from friends, run unknown programs, or visit certain websites. But at work, most people do still maintain a greater level of professionalism, thus protecting the company from a whole host of potential threats.
A breakdown of this traditional professionalism and a blurring of the use of home and work technology presents a need for businesses to re-examine their approaches to data and information security, and make sure policies are in line with today’s working practices and employee attitudes.




