Defend against external risk from the inside out
By Vawn Himmelsbach
For the Louis Riel School Division in Manitoba, viruses and unmanaged desktops had resulted in an unusable computing environment for students. Teachers could rely on computers being in the schools — but not working.
“Because we’re public sector, we have people working inside our network
that other people are trying to block,” said Brad Biehn, director of
information systems with Louis Riel School Division, at an IT security
roundtable hosted by Microsoft in June.
The school division had to deal with the usual gamut of security
concerns, such as viruses, but also with social engineering attacks
aimed at young, naïve children, as well as online predators and even
“That’s the new issue in the playground,” he said. There’s also
education that needs to be done with students on issues like plagiarism
and hacking into other people’s information. “We’re doing a lot to
educate our students, but you have to have some controls,” he said.
Prior to amalgamating the school division and rolling out new
technology, Biehn had a virus template letter he sent out two or three
times a month, and his job consisted of quarantining and cleaning up
after viruses. With PCs in 40 different buildings across the school
district, it used to take three months to apply a patch.
“You can’t run a business like that,” he said, adding that it’s
important not to lose sight of the end-user either. “You can tighten a
network so it’s unusable, you can lock down a PC so it’s frustrating to
use,” he said. “What’s good for users makes the IT department spin into
The school division is now a Microsoft shop, and while it still gets
hit with viruses, everything is patched in a timely manner, he said.
For Indigo Books & Music, security is also a top concern, but for
different reasons. With millions of dollars of transactions on credit
cards going over the Internet, the company is a target for hackers.
“It’s a risk we mitigate,” said Ricky Mehra, director of IT security
and internal controls with Indigo Books & Music. “It’s a huge
threat for us.”
It’s critical the company retains customer trust, he
said, and this involves building better practices internally.
Bill 198 in Canada and Sarbanes-Oxley in the U.S. are forcing companies
to comply with security regulations, and a lot of companies that use
third parties are asking those parties for audit reports. Still, it’s
important not to evangelise security as insurance, he said, because
that treats it as a threat — it’s better to show C-level executives how
security can be a business enabler.
ROI is difficult to prove, he said, since security risks are
qualitative rather than quantitative, but you can break it down into
solutions that have measurable metrics, such as single sign-on for
users versus labour costs at the help desk — and that can help you get
He’d like to see better integration, interoperability and manageability
between vendor products, and believes PIPEDA — Canada’s privacy
legislation — needs more teeth.
Point products from different vendors have become costly to acquire and
difficult to manage, and we need to get to a point where there’s a
single security management console, said Pat Kewin, director of Trend
Micro Canada. “We need to be able to fit into other managers’
managers.” But it’s a marathon, not a sprint, he added, and security is
a constant cycle without a start or finish.
One of the biggest challenges is dealing with complexity and the
unknown nature of threats, and network availability, intellectual
property and sensitive financial information can all be held hostage to
denial of service attacks. “The stakes have gone up so dramatically
because of the financial rewards,” he said.
But the industry is also seeing more aggressive disclosure
requirements, such as in California, where the law requires businesses
to notify customers within 48 hours of a data breach.
A standards body called OASIS (Organization for the Advancement of
Structured Information Standards) is making it possible for vendors to
collaborate across product lines. And WS-Star is an initiative being
driven by Microsoft and IBM to define specifications for Web services
security, reliable messaging and transactions; WS specifications are
also designed to interoperate with existing security models such as
passwords, Kerberos and PKI.
“Some people would say technology is only 20 per cent of the problem,
the rest is policies and procedures,” said Steven Lloyd, chief security
advisor with Microsoft Canada Co.
Regardless, he said security should be viewed as an integral part of
the business. “Stop looking for ROI,” he said. “Security should be part
of your business plan. It’s not an add-on. It’s not an afterthought.”