Administrative security, though rarely appreciated, is a fundamental link in a mature security strategy. Nowadays, in the era of the technological revolution, not everyone remembers that this element of security even exists. Is boundless trust in technology enough to ensure the security of a company's information?
People and computers
The world of the 21st century cannot do without computers. They are almost ubiquitous, and hardly anyone gets through a day without encountering one. And although machines themselves do not make mistakes, their behavior is defined by humans, who always can. As technology develops, applications and systems become more complex, and the more complicated a system is, the greater the probability of human error in the process of its creation. So is technology good for everything? Can it be trusted absolutely?
Hackers in ties
The global growth of the Internet and the general accessibility of the web have made access to information easier than ever. Information about vulnerabilities and bugs in software spreads at a rapid pace and reaches millions of users. Can we therefore assume that by installing the latest solutions to protect IT systems we ensure the security of our company? According to statistics, about 80 percent of recorded security incidents are initiated within companies.
Highly publicized incidents of computer intrusions, industrial espionage and cyberterrorism have caused most companies to equip themselves with firewalls and intrusion detection systems (IDS/IDP), which protect the point of contact with the public network. These protections stop most of the "bugs" that scan for systems with known vulnerabilities. Today, vendors also offer systems for securing internal networks, and while few companies use them yet, most institutions will certainly invest in this branch of technology. The issue of internal network security is much more complex than protecting the Internet interface.
About 70 percent of internal network incidents are the result of a lack of user knowledge or awareness. The remaining 30 percent can be seen as intentional acts of disloyal employees. After all, who has more opportunities to manipulate accounting data than the accountant himself? Who has such unlimited access to information as the administrator of an email system or file server? It is difficult to limit the rights of an administrator or revoke the rights of an accountant. So how can one guard against unauthorised actions by employees? Can technology really help us?
Data security consists of three components:
– physical safeguards,
– technical safeguards,
– administrative safeguards.
Where firewalls and intrusion detection systems, antivirus protection, surveillance cameras, and access control systems are already in place, the time has come for administrative safeguards, i.e. a security policy. It should provide mechanisms to minimize the risk of fraud by disloyal or unaware employees. There are many options available to the employer, including:
– candidate vetting procedures (e.g. reference checks), designed to identify dishonest individuals as early as the recruitment stage;
– separation of duties – dividing key business processes so that they require the cooperation of at least 2 people. Committing forgery in this way would require collusion between several employees, which significantly reduces the likelihood of such an event occurring;
– job rotation – increases the probability of detecting illegal activities undertaken by persons who previously held a given position, and also increases the company's resilience in the event of losing a key employee;
– mandatory leave – increases the probability of detecting illegal activities undertaken by persons who are on leave and whose duties are taken over by another person.
In addition to organizational solutions, no less important are procedural solutions that minimize the risk of unintentional mistakes, the most important of which include:
– procedures and guidelines – i.e. instructions on how to act in specific situations, which are designed to impose the minimum level of security required by the company (e.g. password length);
– awareness training – to ensure that the employee is aware of existing risks and procedures;
– regular audits – aimed at an independent assessment of the level of technological or procedural security;
– monitoring and auditing – recording key events in computer systems in order to detect suspicious behavior and for evidential purposes.
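As an added illustration (not from the article), the following Python script applies two of the controls above, separation of duties and mandatory leave, to constructed audit-log records: it flags a payment created and approved by the same account, and any action logged for an account whose owner is on leave. The event format, user names and leave calendar are assumptions made for the example.

```python
"""Audit-log checks for separation of duties and mandatory leave (example only)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Event:
    day: date
    user: str
    action: str   # e.g. "create_payment", "approve_payment"
    record: str   # business object the action applies to


# Constructed sample log (not real data): an accounting workflow in which a
# payment must be created by one person and approved by a different one.
EVENTS = [
    Event(date(2024, 3, 4), "anna", "create_payment", "PAY-1001"),
    Event(date(2024, 3, 4), "bartek", "approve_payment", "PAY-1001"),
    Event(date(2024, 3, 5), "celina", "create_payment", "PAY-1002"),
    Event(date(2024, 3, 5), "celina", "approve_payment", "PAY-1002"),  # same person
    Event(date(2024, 3, 12), "anna", "approve_payment", "PAY-1003"),   # during leave
]

# Constructed leave calendar (assumed HR export): user -> (first day, last day).
LEAVE = {"anna": (date(2024, 3, 11), date(2024, 3, 22))}


def separation_of_duties_violations(events):
    """Return record ids that the same user both created and approved."""
    creators, approvers = {}, {}
    for e in events:
        if e.action == "create_payment":
            creators.setdefault(e.record, set()).add(e.user)
        elif e.action == "approve_payment":
            approvers.setdefault(e.record, set()).add(e.user)
    return sorted(r for r in approvers if creators.get(r, set()) & approvers[r])


def activity_during_leave(events, leave):
    """Return (user, record) pairs for actions logged while the user was on leave."""
    hits = []
    for e in events:
        span = leave.get(e.user)
        if span and span[0] <= e.day <= span[1]:
            hits.append((e.user, e.record))
    return hits


if __name__ == "__main__":
    print("Separation-of-duties violations:", separation_of_duties_violations(EVENTS))
    print("Activity by accounts on leave:", activity_during_leave(EVENTS, LEAVE))
```

In practice both checks would read the application's real audit trail and the HR leave calendar; an account active while its owner is on leave is either a shared or stolen credential or a duty that was never actually handed over.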
This is only a small part of security policy issues. Technology provides us with great solutions, but they still remain only a tool in the hands of man, who must be aware of how to use them in a safe way.
Aleksander Brozek,
“New Technologies” – ComArch Magazine