Even United States President George Bush is paranoid about sending e-mail. At a recent briefing with newspaper editors, he was asked about implications of the US’s Freedom of Information Act. He remarked that he doesn’t send e-mails to his family for fear of them ending up in the wrong hands. The leader of the free world is like the rest of us — our attitude to email usage is influenced by the insecurity of the networks we are using.
The IT director at the White House may have been dismayed to hear the president’s comment. The reality is that most large companies and government organisations in Britain and in the US have fairly well defined security policies, and these include staff guidelines that take into account compliance with the British Data Protection Act and the US’s Freedom of Information Act, as well as the need to keep all kinds of data secure. As such, they are designed to protect both the organisation and the rights of the individual user.
But among small and medium-sized companies, organised security policies are not the norm. According to industry experts, many firms still have patchwork policies that are inadequate in the light of today’s security threats, whether internal or external. Not surprisingly, security firms also see this weakness as an opportunity to sell new solutions.
It is all too easy to find holes in most firms’ defences. These range from allowing staff to transfer data on to USB memory sticks (memory drives the size of lighters) to not controlling who has the authority to send out confidential information via an e-mail attachment.
The problem for firms is that the scope of a security policy has grown exponentially over the past few years. It must seek to minimise any risks as well as comply with legal, statutory, regulatory and/or contract requirements. But at the same time, it must not unnecessarily hamper normal daily work.
The policy should determine which technology is applied to specific areas of weakness — notably in relation to spam, viruses and data theft. Ian Kilpatrick, managing director of security specialists Wick Hill Group, says firms wrongly hope they can buy one simple solution: ”Most firms want to buy a box known as a security appliance that can do most of what they want, but they shouldn’t really buy kit until they know what their policy is. That way they can educate staff better and manage risk across the whole company.”
A key problem is that staff are often unaware of ”acceptable use” policies that specify what they can and cannot do. Larger firms are now beginning to benefit from automated software that tests user awareness. PolicyMatters from Extend Technologies is typical of this new policy management software. It periodically presents each user with a small test to see if they understand the firm’s policy. Failure to answer most of the questions correctly leads to being locked out of the network.
Sue Beesley, commercial director of Network Defence, says such tools will become vital: ”It’s no use having the policy on paper nowadays, you have to ensure it is really understood.”
Another area of concern is staff working remotely. David MacFarlane, business development director of Sirocom, a virtual network operator, says that keeping protective software on laptops updated is a headache many firms have not tackled. ”We use a system to check out any laptop connecting to a company network every time it is connected,” he says. ”It spots if a laptop hasn’t been updated, say, in the case of someone going on holiday.”
Sirocom uses a service called Endpoint Policy Management from iPass, which has been developed specifically to let IT staff enforce the proper configuration and use of security software, automatically update OS security patches and anti-virus definition files on remote devices, and centrally manage policy enforcement.
Meanwhile, e-mail security firms are ramping up the sophistication of how policies can be applied to e-mail filtering. Examples include only allowing designated people to send outgoing e-mails containing financial information, and monitoring the content of any e-mails staff send using web-based services such as Microsoft’s Hotmail and Google’s Gmail.
But experts recognise that firms learn as they grow: marketing consultancy Grant Butler Coomber is a classic example. GBC has gradually bolted on more security to cope with new threats, but has also found that you have to fine tune whatever protection and written policies you have. ”We decided to use a managed service to filter e-mail but found that the filter on attachments was blocking important attachments we sent to clients. So we created a list of client e-mails so they could be treated differently as approved,” says the firm’s financial controller, Amya Reeves.
GBC also found that instant messaging was reducing productivity and amended company policy to stamp it out. ”The best thing we did was get our IT manager to create a policy of data-cleaning all our 24 desktops once a week. This ensures we destroy any spyware or viruses and stops IM software being loaded,” says Reeves. ”We have also saved ourselves time by developing acceptable use policies around templates provided by our industry association.”
As firms begin to benefit from more automation of policy management, IT security is expected to gain a higher profile, and the George Bush approach to personal e-mail could become the norm. – Guardian Unlimited Â