Running an enterprise without a formalized security policy seems as imprudent as installing office-building doors without locks. However, according to some security industry experts, it’s a common phenomenon.
Randy Kun, vice-president of marketing and product line management at Chrysalis-ITS in Ottawa, said many companies don’t implement a security policy because they don’t believe it has much to do with the real world. This misconception, Kun said, can be costly.
“A statement of consistency of what it is the organization plans to do and not do provides an opportunity to critique and assess what’s going on in an organization on an ongoing basis. Nobody implements everything, and that’s the reason that you have to have a policy,” he said.
Knowing exactly what an organization doesn’t do in terms of security allows a perspective on how much risk it is taking on, Kun explained.
Michael Murphy, Symantec Corp.’s Canadian general manager, agreed that a security policy is the first step to secure an enterprise’s infrastructure.
“It doesn’t have to be complex or convoluted, but it can’t just be a bottoms-up policy driven by someone in IT. It has to be embraced and bought into by senior management,” Murphy said, noting that organizations can turn to consulting companies specializing in developing security policies if they’re against a brick wall.
RSA Security Inc.’s director of management and marketing for its authentication products division said that if defining a security policy and educating staff on the policy is the foundation for all precautions, the next step is to invest in basic defend-and-detect solutions.
“In terms of defending the perimeter of a company, things that come to mind are solutions like firewalls and antivirus products – technology to keep the bad guys out,” said Bedford, Mass.-based Derek Brink. “Detection technology alerts you to intrusion and breached perimeter defences.”
Brink noted that this is the fastest-growing segment in the security industry, given the innovation in the virus-maker community.
According to Ian Curry, vice-president and chief marketing officer at Entrust Inc. in Ottawa, anti-virus solutions and firewalls are where a lot of organizations stop in terms of their security infrastructure.
“It’s just not enough,” he said.
This is partly due to the fact that not all attacks are external.
“It’s sometimes sociologically hard to accept, but attacks happen inside organizations, and it’s really important that people think about that and assess the impact of what that means. Data has to be secure no matter what happens – no matter who leaves or comes in – and without consistency across applications you don’t have security,” Curry said.
Murphy recommended that organizations take a multi-tiered approach to securing their infrastructure.
“The military uses the term ‘defence-and-depth,’ which is a linear approach to security,” he explained.
This means that security-wise, there’s a fence along the perimeter, doors on buildings, locks on the doors and alarm systems. What Murphy proposes that enterprises consider is a ‘defence-and-breadth’ approach to security.
“It follows a linear pattern of going from one point to the next, but also crosses widths – it’s security that goes across an organization from client or desktop systems to network systems to perimeter gateway systems,” Murphy said.
One approach gaining momentum in the enterprise is the use of multiple factors of authentication.
As Kun explained, factors of authentication are different things you need to bring to bear to demonstrate that you are who you say you are. These are things you know, such as a password, things you have, such as a physical token or card, and things you are, such as fingerprint or an iris through the use of biometrics.
“Using two factors of authentication basically makes things more secure,” he said.
A related aspect to the multiple factors is the concept of the single sign-on, which allows users to access information through one password.
“It’s reasonable to expect a human to look after one password, but most people tend to not be responsible with their passwords when they need to remember 10,” Kun said.
Brink agreed that the password issue is often one that leaves huge gaps in an infrastructure’s security.
“Passwords can be very expensive for an organization. People pick their passwords poorly or write things down and this can become a management problem for both users and administration. It weakens security,” he said. “But authentication is a key step that companies can take.”
Another tip put forward by Murphy is for organizations to integrate the solutions they do have. Many companies stock up on security products and solutions and then have a difficult time managing them.
“Integration is important because people are meant to do more with less today, and if the tools are centrally managed, they’re more effective and allow for a more timely response,” he said.
“Security is not about keeping everything out or even at bay 100 per cent of the time, because it can’t be accomplished, but security is an important component of business, and how quickly you’re able to respond makes a difference,” Murphy said.
According to Brink, this philosophy applies to everyone.
“Every company can improve. Some are at the far right or the far left on a bell-shaped curve, but even those in the middle can do better,” he said.