Telecom consultant: no security exceptions

“Is your business secure?” is a question most senior-level IT management get tossed their way ad nauseam. They snap off a quick ” yes” and walk to their offices to mull over their response.

Invariably the question will again arise the day there is another news story about how some impenetrable IT fortress got hacked. Levels of self doubt quickly rise to new and astonishing levels as the IT manager starts searching for real and perceived security holes.

“It is part of our common experience,” said James Cavanagh, an Atlanta-based telecommunication consultant. He spoke at a recent Telus Corp. Expert Series in Toronto.

He started his talk by outlining the huge impact bad network security can have on a company. Most of the attendees were well aware of Cavanagh’s list of potential direct and indirect financial losses that can result from bad network security, so his focus soon shifted to the issue of trust. Companies that get hacked can see repercussions in stock prices, sales and partnerships.

“Trust is very, very fragile,” he said.

To bring his case to the point he described a hypothetical “cyber war” waged against a Toronto company. The attack was of the denial of service variety, but what followed was the real point of concern for corporate types: public trust eroded and as a result, stock prices started to fall.

Though Cavanagh’s example may have been a bit simplistic, since the likes of e-Bay seem to have suffered little from their denial of service experiences, it did demonstrate the randomness of attacks. The shear number of novice hackers creates a huge problem, he said.

Cavanagh moved on to the world of risk assessment, a difficult yet important task for companies to perform. His experience has shown him that companies which attempt to assess risk internally tend to over or underestimate the levels and, as a result, will have protection which does not match corporate needs.

One reason to go outside corporate walls to get an accurate assessment is that the professionals are more aware of what is going on within and across industries. Some industries have tremendous problems with competitive spying while others are prone to attacks from idealists or extremists.

“It is absolutely impossible to have flawless security – the game we are playing is to reduce [risk],” he said.

Cavanagh is no different from other security gurus in basing success on the people-technology-policy triangle. Where he differs, though, is his hardcore attitude. If you want your company to have tight security there can be no exceptions to the rules.

“Everybody in the organization needs to be trained,” he said. This means from the CEO down to the cleaning staff. If an employee gets a third “security strike” a company needs to be quick and efficient in firing him or her. This goes as high as the CEO, he said.

“The first thing you need to do as a company is to assess the extent to which you can trust your employees,” he admitted.

Cavanagh cited examples of corporate bonus programs for good security. “I feel that the carrot works better than the stick.” Stopping someone from coasting in through the door on your pass, for example, could put you up for an award.

But these types of drastic solutions are bound to meet some fierce internal resistance. Cavanagh admitted it is a difficult road. “We like to trust the people we work with,” he said.

“[Security solutions] must be able to change with the situation…not react the same way all the time,” he said.

For many companies this is a problem, since hackers learn quickly. Cavanagh even suggested larger companies can create a honey pot, a place on the corporate site where hackers can enter and be tracked and monitored, though he admitted this option is rather expensive to implement.

He explained how simple tasks like finding out from your ISP what other companies are hosted on their servers can give your company a more complete security profile. If your sites reside on the same physical server as another and they are hacked, you have to know how it will effect you.

And finally once your easy-to-use-yet-impossible-to-avoid security solution is in place, it is of paramount importance to have your security measures audited by an impartial third party.