IT security is broken, so can companies stay safe?
Once upon a time, keeping a company’s IT systems secure was fairly straightforward. IT managers used a “castle and moat” approach. They established a secure perimeter around the system; the computers inside were safe.
Firewalls, locked-down desktops (that stop users installing their own software), anti-virus software and limits on the size and type of e-mail attachments were all part of the defences; in very secure firms, USB ports were non-existent to stop staff sucking data into or uploading viruses from their MP3 players or USB sticks.
These days, the castle walls are crumbling.
‘Breaking stupid rules’
As the security fetish turns corporate IT into an old donkey – disagreeable, petulant, and difficult to handle – workers are taking IT into their own hands. To get the work done they use their own smartphones, netbooks and other digital devices.
Plenty of malware, meanwhile, enters corporate networks through dodgy links shared carelessly on social networks, with URL shorteners disguising malicious links.
Can’t move a large file with sensitive information from one part of the company to another? Use sendit.com. Need to work with others on a recruitment drive? Put the spreadsheet with the candidates’ details on Google docs for your collaborators to see. All very straightforward, all very nasty violations of corporate security and data protection laws.
“The IT guys have been told to do one job, [so they lock things down and] rule out the use of Google docs. And the workers are told to do another job, to get their work done, so they start using Google docs, and the power balance is moving away from the IT guys,” says Josh Klein, co-author of Hacking Work, a guide on how to “break stupid rules for smart results”.
The choice: security or productivity
According to a survey by networking firm Cisco, 41% of workers break corporate IT policies, saying that “they need restricted programs and applications to get the job done – they’re simply trying to be more productive and efficient”.
Russell Dietz, chief technology officer of information security firm Safenet, says that people bringing their own IT into the workspace is the “biggest issue for information security” right now.
But companies themselves are breaking down the castle walls. They make workforces mobile, and as road warriors connect to the IT systems back home, the security problems multiply. Through outsourcing, businesses are becoming virtual and global, collaborating with many partners.
It doesn’t help the IT guys that they are being undermined publicly by their chief executives brandishing new (personal) iPads, expecting them to work on the corporate network.
And if a company’s IT team keeps frustrating the workforce, the best and the brightest will leave and set up on their own, warns Mr Klein.
Businesses thus face a difficult choice: aiming for good security or higher productivity, efficiency and convenience.
It’s a culture clash, and one that is not being made easier by a growing security threat.
Mobile devices are increasingly being targeted, says internet security firm McAfee in its most recent threat report.
Then there are USB thumb drives, cheap and “very dangerous,” says Hubert Yoshida, chief technology officer of Hitachi Data Systems. “Wireless connectivity through Bluetooth is another of many avenues for attack.”
Then there’s the web, teeming with malware as clever criminals monitor Twitter and Google to see which terms are popular and change their lures accordingly, according to Mike Gallagher, chief technology officer of McAfee’s global threat intelligence.
To ensure corporate security, a lot of things have to come together, says Safenet’s Russell Dietz. The old “castle-and-moat” perimeter model will not completely vanish, but companies have to become more data-aware, find easy-to-use encryption software, and start embedding security directly into the hardware (he points to Intel’s recent takeover of McAfee).
The data object itself must be protected, he says.
One thing is certain: As the castle of IT security lies in ruins, we have to hope for some kind of Ninja security, where every device, every data set is a formidable little warrior, ready to defend itself.
By Tim Weber, Business editor, BBC News website