Security needs whole-of-business approach

Tuesday, 6 November, 2001 - 21:00
The security of a company’s computer system is a business issue as well as an IT issue, and decisions about it need to be made in the boardroom, not the IT department.

That’s the message from Check Point Software Technologies regional director Peter Sandilands, in Perth recently to brief executives about security issues and the development of security policy.

Mr Sandilands believes business leaders in non-IT industries are shirking their responsibility by leaving decisions and policy formation in the hands of their IT departments.

Up to 75 per cent of Australian organisations do not include security in their overall business planning process, he said.

A recent Information Security World 2001 survey found only 55 per cent of senior managers understood the risk of security incidents to their business.

“Security is something every company should be concerned with. The IT aspect of it is that IT provides some tools to implement parts of the security policies defined by the organisation,” Mr Sandilands said.

“In reality, security doesn’t belong in the IT department. It belongs in corporate governance, at the CFO or CEO level. Banks are probably the best example of this, where their security procedures are involved in everything they do.”

But Mr Sandilands said that, in order for management and IT departments to bridge the gap, IT employees needed to have a better head for business.

“One of the dramas with the acceptance of IT at a business level is that a lot of the people in the IT industry believe in IT for IT’s sake, rather than asking what problems does it address or what opportunities does it create,” he said.

“Until we have IT people who understand the reason an information technology department exists is not to provide them with new toys, then we will never see that gap bridged.

“We are seeing those in the IT sector having a better head for business more and more today. A lot of universities insist computer science students take business or commerce units as part of their degree to address the question of how IT relates to business.”

Mr Sandilands said Perth companies’ recognition of the importance of security was about the same as other parts of Australia, but he had noticed a recent increase in demand for anti-virus and security software.

“Perth has been a fairly solid market for us,” he said. “It’s obviously a lot smaller market than other cities, but I think it reflects the feeling we get elsewhere. Organisations that are required by legislation to be very careful with security, such as banks, insurance companies and some government departments, are very aware of the issue. But other organisations are less so.

“There is a growing interest in it in the medium business level in Perth and the feedback I’m getting from my resellers is that a lot of the mid-tier organisations are raising security as an issue and investigating solutions for it.”

But Mr Sandilands said too many businesses assumed security threats would come from hackers, who vandalised websites or left messages showing they had broken into the network. He said the reality was that most intruders could get in and out undetected if there was no electronic protection to stop them.

“Then there’s the small to medium enterprises who think because they’re not a bank, a finance company or an insurance company, nobody would be interested in attacking them,” Mr Sandilands said.

“But the reason they would be attacked is that, with poor electronic security, they’re a prime candidate to be used as part of attacking other organisations, such as the distributed denial of services attacks we saw in the US last year against Yahoo and others.”

Spammers, people who send large volumes of unsolicited email, were also a threat. Mr Sandilands said there were instances of spammers illegally using a company’s email system to send large amounts of spam email, leaving organisations to take the blame and foot the bill.

“They use someone else’s resources and if you’re paying per megabyte, they’re effectively using your money,” he said.

“To combat spamming, a lot of people are subscribing to things called black hole lists, which collate information about spamming sites. If your site gets taken over to be used by a spammer, it can potentially end up in a black hole list and you’re unable to send or receive email.

“If you’re moving into this medium to be more accessible and people can’t send email to you, that’s a big impact. You need to change your domain name, which you might have struggled for six months with Melbourne IT to have registered in the first place.”