25 May 2011

Security for CXOs


As Head of Cable & Wireless’ Security Practice, Paul Hanley leads the team responsible for providing expert information security advice to enterprise customers, as well as internal security assurance and governance for Cable & Wireless globally. Paul has extensive experience in the field, regularly providing input to draft ISO security standards as well as more specific UK Government security standards.

CXO. What are the essential enterprise IT security considerations for the modern CXO?

PH. Phenomena such as cyber-napping, zombie armies, script kiddies and phishing now represent a constant and growing threat and have had a devastating impact on even the biggest and most robustly protected business.

The main concern of the CXO should be getting the right mindset in place in their organisations and ensuring that the issue of security is at the top of the business agenda. You wouldn’t buy a brand new Ferrari and leave it parked with the keys in the lock and the doors wide open – yet so many businesses still only deal with the problem of security when their business is in meltdown as a result of a breach.

In an ever more threat-laden environment, importantly, the answer doesn’t lie in new technologies, but rather in how we apply existing technologies. Businesses must take a holistic approach to their security planning ensuring that security is embedded at the network layer and in the business processes of the customer organisation. It’s this mindset that allows a business to plan for and mitigate any security risks.

CXO. What problems do you consistently find customers have with the security of their ICT architecture? And what are the most common factors behind these security issues? Is security a technological, process or human problem?

PH. One of the most common mistakes is to approach security on a piecemeal basis. We may find we are asked to provide advice on firewall implementation, only to discover that no formal risk analysis has been performed. If you haven’t determined the risks, how can you establish how to protect against them? Having a highly secure network firewall is all well and good, but it won’t do anything to guard against desktop virus threats, for example.

However, if you consider the overall picture of all the possible threats instead, you can apply the correct combination of technology, processes, procedures and security awareness to make sure that each box is well and truly ticked - otherwise a single weak link could undermine your entire strategy.

Another common mistake is to call in the security guys too late in a new project. Involving security right from the start can save a substantial amount of time and cost, not least by ensuring that a costly eleventh-hour solution redesign is avoided.

CXO. With attacks growing in number and sophistication, is it possible for organisations to stay ahead of security threats and protect against future virus mutations?

PH. The most effective method of dealing with viruses and worms is to assess the actual risks your organisation may be facing, and then to implement a strategy to mitigate these. Typically this will include using an anti-virus solution on all desktops, laptops, servers and PDAs, and a different anti-virus solution on gateways. Also consider the frequency of updates to the software. Ensure that you have good relationships with your anti-virus vendors, so you are alerted to emerging threats.

At the same time, it is essential to ensure that the underlying operating system, application patches and anti-virus signature files are up to date, for example by performing random checks on machines. Machines that are rarely connected to the network must also be considered - if they are standalone, this is probably because they are of particular significance to the organisation.

Behaviour-based technology that also addresses intrusion prevention is an important weapon in guarding against virus mutations, offering greater protection than that relying simply on signature files.

The final consideration when protecting against viruses is a layered and holistic approach to security. For example, ensure that end users are appropriately educated. If people understand the threats and how to prevent them, this can significantly reduce the likelihood of a successful virus attack.

CXO. Demand for wireless and remote access, which is extending the business network beyond the four walls of the traditional office, is continually increasing. How is this impacting on enterprise security? Does enterprise mobility provide any additional security challenges?

PH. Providing users with remote access to company resources means you have lost a level of protection that would exist if the users were on site: physical security. One way of dealing with this is to create different access privileges from those that apply when on site.

That said, mobile solutions are much improved, and increasingly organisations are requesting that mobile working functionality be no different to that in the office. With initiatives such as the Jericho Forum spearheading the de-perimeterisation of security, the security landscape is changing again and old security truths are being replaced with new, different solutions.

CXO. And how do your products help mitigate risk to a customer’s organisation? Why should a company look to Cable & Wireless?

PH. We strive to differentiate our proposition both on the service and products that we offer, and by providing customers with what they ask for.

Within our security practice, this means a number of things. First, the components used in our solutions are best of breed – they are what our customers want, from both a business and a security perspective. Second, the quality of service we offer is a key differentiator. We have staff of the highest calibre, who are responsive and fully aligned to a customer’s needs. Third, security is often seen as a burden to an organisation. We seek to change that by demonstrating a clear return on investment. If approached properly, security solutions can reduce costs, either by preventing breaches (less system downtime, fines and negative publicity) or by increasing efficiency (for example, using VPNs over the internet rather than dedicated leased lines).

CXO. Specifically, you’ve recently launched DDoS protection for European service providers. What are the dangers of DDoS attacks and how can this product assist?

PH. There are a number of key dangers associated with DDoS (Distributed Denial of Service) attacks, which will vary depending on the DDoS target and the level of criticality the target holds to your business. The most obvious impact is the financial impact from lost productivity, and associated liability and litigation. However, the negative effect on the reputation of an organisation can be more significant, especially if made public, and again needs to be factored in when assessing the risks. It is also worth remembering that a successful DDoS attack can indicate that there are other underlying fundamental security problems, and you may find that you become even more of a target.

Cable & Wireless DDoS Protection is part of a portfolio of managed security services designed to reduce risk with a single point of contact and accountability. The services enable Cable & Wireless to take ownership of the risk of dealing with DDoS attacks, by cleaning ‘dirty’ packets within our infrastructure, before they hit an organisation’s network. The service scales to accommodate an organisation’s future needs, and, because it’s a managed service, we are removing the burden of responsibility from a company’s internal IT team.

CXO. Looking ahead, what concerns do you have with regard to enterprise security over the next 12 months? What areas provide the greatest challenges?

PH. Security compliance is one of the biggest challenges. There has been an explosion of legislative and regulatory requirements. Companies need to identify all that are applicable, understand the impact on the business, and understand how compliance can be achieved. Once the plan has been put into action, it will need to be verified or audited regularly. The challenge is compounded for those operating internationally, as data protection and other security requirements in one country may be vastly different to those in another.

On a technical level, phishing attacks will become more sophisticated, leading to an increasing use of technical countermeasures to combat them, such as mutual authentication systems. Trojans and spyware will become increasingly complex, with more intricate mechanisms to hide themselves, and will be able to perform even more sophisticated attacks.

Above all, organisations must realise that security needs constant attention, as threats change daily. Just because your systems appeared secure yesterday, does not mean they will be today.

CXO. Similarly, what are you encouraged by?

PH. The more focused attitude organisations are taking towards security. Typically, security budgets are increasing (although arguably not as rapidly as they need to be). Also, most organisations now have dedicated departments for information security, and some have a security presence on the board.

Users are now more security savvy than perhaps they were 10 years ago. They are now more likely to alert the company to a suspected security breach, something that is helped by clearer escalation paths and defined responsibilities. In addition, more organisations are realising the need for effective business continuity and disaster recovery.

There is also a greater move towards co-operation within the security industry as a whole. For example, competitors and colleagues alike are now cooperating on the next generation of security standards. Unless organisations work together, the bad guys may get ahead.


Optimising systems security: Paul Hanley’s top five tips

1. Ensure a structured and methodical approach to security. Make sure security is not an afterthought but a primary consideration.
2. Perform a formal risk assessment and business impact analysis to help you prioritise.
3. Implement counter-measures correctly. Ensure that all tools are appropriately patched and maintained, including the underlying operating systems, and audit regularly.
4. Make sure staff are appropriately trained and educated about the risks and critical security measures.
5. Take a holistic view of security, rather than simply looking at individual solutions such as firewalls and anti-virus. Consider physical security and logical security as well as procedural security.
