
Isn’t Prevention Better Than Cure?

VoicenData Bureau

Even as the corporate world keeps discovering and inventing new benefits of a networked world, threats to its networks are attaining new dimensions too. Very much like real-world crime — where criminals always seem to be one step ahead of the police — attackers, hackers and intruders are constantly developing new and complex techniques to outsmart the best security systems.


Moreover, where the attackers are not of the highly motivated, armed-to-the-teeth kind, organizations are most likely to be hit by attacks from within. Network security threats have certainly assumed new proportions with the fast-emerging centrality of the Internet as a source of communication. And the Internet, as we all know, is a network of networks connecting millions of anonymous users all over the world, making it more vulnerable than any other form of computer network. All this means that corporate networks are always at risk.

Common Network Security Objectives

  • Maintain targets’ and constituents’ confidence in the organization

  • Protect the confidentiality of sensitive data on employees, clients, customers and other stakeholders

  • Protect the organization’s network or information resources from being misused or wasted by unauthorized parties

  • Avoid fraud and incidents that could lead to downtime, financial loss and a dent in the reputation of the company

  • Security must support compliance with legal and regulatory provisions

So what does one do in these circumstances? Should one look for perfect security? It is better to realize here, as Neel Ratan of PricewaterhouseCoopers India's global risk management solutions puts it, that information security is a risk and, like most risks, it cannot be eliminated but can be mitigated. So, if perfect security is a mirage, what should one do? The solution lies not in trying to eliminate the risk but in managing it effectively and putting an adequate security mechanism in place. But how does one manage risk effectively, or define adequate security and then design, implement and manage it?


To begin with, organizations must do away with the belief that deploying powerful technological paraphernalia is a guarantee against security threats, be they viruses, hacker attacks or network intrusions. Technological controls are usually ineffective in the absence of a proper security management and monitoring policy.

The first step towards achieving adequate security goals should be the assessment of an organization's security mechanism and its performance in the existing security environment. Primarily a management function, the assessment should then form the basis of the next step — a comprehensive documented security policy. The policy should not only assess present and future risks but also determine the needs of the organization. It should also determine the management and monitoring principles that the organization will follow in order to maintain adequate security. The policy itself could contain the details of the technological tools that the organization would require. Here, it must be remembered that the policy should be a dynamic one with built-in flexibility, so that changes are incorporated whenever necessary.

Security Best Practices

Look at your network in totality: look at your risk profile

  • Stage 1: Come up with a security policy stipulating what anybody in the company can and cannot do

  • Stage 2: Evaluate your current situation according to the policy

  • Stage 3: Take corrective measures

  • Stage 4: Carry out periodic assessments

  • Stage 5: Get a proper policy maintenance mechanism

Neel Ratan, global risk management solutions, PricewaterhouseCoopers, India.


While deciding on the security policy, the assessment of risks and needs must take into account the fact that the two are not common across the spectrum. The security needs of different kinds of networks would be different. In other words, an e-business portal would have an entirely different set of risks and security needs compared to a raw material supplier who is connected to its buyer through a private network. A security policy should be linked not only to threats but also to business risks specific to the organization's industry or area of operation.

Among other things, a well-documented security policy has two prime benefits. First, it brings focus into the security practices of an organization, making it easier for it to know and do what it needs to do, in terms of management, implementation and monitoring. Second, it helps the company to avoid expenditure on unnecessary security boxes and solutions.

Here, it is important to distinguish between policy and guidelines. While the policy should outline the fundamental requirements that senior management considers imperative, guidelines should provide the more detailed rules for implementing the broader policies. Guidelines can also be designed as an educational tool that helps employees understand and follow the desired security practices. Employees need to be educated effectively because, in most cases, it is the human being that is the weakest link in the security chain. An employee could sometimes be as strong a security threat as the most motivated of attackers.


Key Elements of Security Policy

  • Evaluate risks: What are the special features of your business? What is your network architecture like? Cover things like a check on the person you hire

  • Have password management in place — get a password policy. Most IT security is password driven. As passwords can be guessed, it is the easiest route taken by hackers. A password policy should have components like the preferred length of passwords, frequency of change and a history of overused passwords.

  • Make use of whatever infrastructure you have

  • Deal with the issues related to the organizational premises: access, authorization, etc.

  • Look at technology options and issues: A typical characteristic of a hacker is that he never succeeds in the first attempt, so if you have a good proactive monitoring system in place (audit log and intrusion detection system), the moment a breach is attempted you will know before the damage happens

  • Standardize technology implementation across all organizational locations

Educating and training the management and employees on security risks and controls is imperative for the success of any security policy. Also important is involving business managers in risk assessment. Involving business managers in identifying potential threats, vulnerabilities and the consequent impact on business operations could help them better understand the imperatives of security. This is important, given that a business manager is in a better position to know which information or data is sensitive and needs to be protected.


A security policy can only be effective when it is linked to a cycle of activities, so that network security risks are identified and addressed on an ongoing basis. The effectiveness of the policy and the risk control mechanisms should be monitored regularly through various analyses, evaluations and audits to determine if the existing policy or security mechanism needs to be modified or updated. External third-party audits should be carried out regularly to get an independent assessment of security.

Set Your Priorities

  • Priority 1: Assess the organizational security posture

  • Priority 2: Assess the impact of a security breach and classify

  • Priority 3: Define a security policy for the organization

  • Priority 4: Test the security policy

  • Priority 5: Implement the security policy

  • Priority 6: Continuously monitor and refine the security policy

SV Ramana, country system engineering manager, Cisco Systems.

When securing a network, the most important thing an organization should keep in mind is that prevention, as they say, is the best cure. So a proactive approach to security that focuses on prevention and detection before any breach should be the goal. After all, if security costs money and time, the loss on account of an inadequate response to threats and risks could mean not only irreparable financial loss but also damage to organizational reputation, credibility and trust.

Security is a Continuous Process: Keep Checking the System

  • Review the enforcement of security policy, do random checks on enforcement

  • Carry out onsite vulnerability assessment — sit inside the network and check the tools

  • Carry out remote (outside in) vulnerability assessment, get into the network from outside to check how things are doing

  • Then take necessary steps: certain vulnerabilities can be fixed by certain patches or updates from the product vendor or solution providers’ web site

  • Review the policy and then implement it

Swapan Johari, business head, emerging solutions and services, HCL Comnet

Ravi Shekhar Pandey
