Story image

What does security mean to you?

21 Aug 2011

One of our clients subcontracts to an organisation that places a very high emphasis on security. To take their laptops onto that organisation’s site, they have to have a blank login account with virtually none of their data on the machine. The only application on the laptop is ours. It contains only the information they need for the site visit. When they return to their office, it downloads the information to the server and wipes everything about the site visit off the laptop itself.

Another recent project involved confidential interviews. While the interviews were recorded anonymously on netbook computers, we also ensured that during the subsequent download process they were sufficiently randomised that nobody could deduce which interview on which machine was which. Nor could anybody see the answers after the interview was completed, because it was vital to ensure the interviewee’s anonymity.

On another, smaller legacy site, we were called in to reconfigure a system to work on a server instead of a local machine. Unfortunately, we weren’t called in until an ex-employee had already left with a copy of the system, including the client list and about 10 years’ worth of sales records on a memory stick.

These are very specific and diverse cases that highlight the necessity of understanding just what security really means to you. Interestingly, not one of them involves credit card fraud, hackers, firewall breaches, encryption cracking or any other things security experts will tell you that you need to guard against.

That’s not to say you don’t need all these things; you do. But as a business person, you shouldn’t really know too much about the technical side of security. It is a highly specialised field, best left to the experts. What you do need to understand is how much security is relevant to your business. You need to understand your needs: what are the real threats to your business, and what is the most effective way to deal with them?

For instance, in the memory stick case, the need is to restrict access to sensitive data without otherwise encumbering staff. It is quite easy for your IT people to implement a set of restrictions that prevent anything being copied onto a memory stick. However, this can be somewhat restrictive in practice, as there are many perfectly valid reasons for staff to use memory sticks. It is more appropriate to locate the sensitive files in a secure location on a server so that staff can access them for bona fide purposes but cannot copy them.

How about access to data within an application? Do you let your staff have access to your accounting program? Have you restricted their access by use of accounts and passwords so they can only use the parts they need to use? Are they properly trained? Can they export data? Or edit it, or delete it? Are you sure?

A regular request for us it to build a front-end to an accounting system that lets staff perform their various functions, but completely obviates the need for non-admin staff to have any access to the accounting program at all. This sort of thing becomes much more relevant as mobile computing starts to become a mainstream event. It is not just a case of preventing people from hacking into your systems; there is increasingly a very real issue as to knowing who is actually at the keyboard at the other end, and controlling just what they are doing offsite. Even for the same staff member, it can be a very real consideration to decide that what they can do ‘in-house’ is not the same as what they can do while ‘on the road’. And if you reach that conclusion, then you are going to have to decide how to implement it.

One last thought: how do you know your IT people are doing the business re: security if you can’t be expected to understand it all? In short: peer review. Periodically, get one of their competitors in to have a look at your system. They will be pitching for your business, so you may have to take it with a pinch of salt, but they may well uncover some interesting issues.

Matthew Roscoe is co-director of Foundation Business Software. Go here for more.

Protecting data centres from fire – your options
Chubb's Pierre Thorne discusses the countless potential implications of a data centre outage, and how to avoid them.
Opinion: How SD-WAN changes the game for 5G networks
5G/SD-WAN mobile edge computing and network slicing will enable and drive innovative NFV services, according to Kelly Ahuja, CEO, Versa Networks
TYAN unveils new inference-optimised GPU platforms with NVIDIA T4 accelerators
“TYAN servers with NVIDIA T4 GPUs are designed to excel at all accelerated workloads, including machine learning, deep learning, and virtual desktops.”
AMD delivers data center grunt for Google's new game streaming platform
'By combining our gaming DNA and data center technology leadership with a long-standing commitment to open platforms, AMD provides unique technologies and expertise to enable world-class cloud gaming experiences."
Inspur announces AI edge computing server with NVIDIA GPUs
“The dynamic nature and rapid expansion of AI workloads require an adaptive and optimised set of hardware, software and services for developers to utilise as they build their own solutions."
Norwegian aluminium manufacturer hit hard by LockerGoga ransomware attack
“IT systems in most business areas are impacted and Hydro is switching to manual operations as far as possible.”
HPE launches 'right mix' hybrid cloud assessment tool
HPE has launched an ‘industry-first assessment software’ to help businesses work out the right mix of hybrid cloud for their needs.
ADLINK and Charles announce multi-access pole-mounted edge AI solution
The new solution is a compact low profile pole or wall mountable unit based on an integration of ADLINK’s latest AI Edge Server MECS-7210 and Charles’ SC102 Micro Edge Enclosure.