The Role of Network Security in Risk Mitigation

Many people believe that network security has nothing to do with meeting compliance regulations, since those regulations are finance-related controls. Yet a recent report by the Information Security Forum (ISF) suggests that companies are spending up to £5.7m on technology to meet Sarbanes-Oxley (SOX) regulations, a hefty sum to pay for something that is apparently unrelated. So, does security truly have a role to play?

Basel II and SOX, which are both focused on corporate accounting, boil down to two basic requirements: managing operational risk and providing immediate access to information. If companies fail to reduce their risk exposure, or fail to provide certain information, they will face stiff financial and legal penalties. Meeting these requirements needs thinking at several levels. A magic ‘compliance pill’ does not exist in any form. There are, however, ways in which technology can help address parts of the problem.

Cyber Threats Increase Operational Risk

A major part of managing operational risk and preserving information integrity is making sure a company’s network infrastructure is adequately secured against a rising number of threats. These range from loss of information, malicious software and ‘day zero’ threats (new viruses which are unknown to antivirus software and are capable of taking down unsecured networks in minutes), increasingly originating from organised crime syndicates, through to the reality of distributed denial of service (DDoS) extortion.

The National High-Tech Crime Unit (NHTCU) estimates in its 2005 ‘Impact on UK Business’ survey that the total cost of hi-tech crime in the UK is £2.4bn, a staggering sum presumably split across lost productivity, sales, hardware damage and technical support.

Managing operational risk from a network security perspective has consequences beyond achieving compliance with Basel II. Indeed, though it may seem obvious, protecting your brand and reputation against the eventuality of disabled websites, stolen data or otherwise damaged infrastructure is at least part of the reason such regulations exist.

Malware poses one of the most insidious technological threats to businesses. While malware writers were traditionally seen as teenagers trying to show off their skills, organised crime has begun using malware to less trivial ends. These include corporate espionage and theft of information. This has led to a rapid increase in the level of sophistication of malware, including viruses, trojans and spyware. E-mail enables viruses to proliferate around the world in minutes or even seconds, and ‘day zero’ threats are now a reality.

Additionally, with the increase of mobile working, computers and mobile devices are regularly leaving and entering the safety of the corporate network, increasing the risk of malware entering the network. Viruses may also include spyware programmes, such as key-logging tools, that can be used to steal confidential information and intellectual property.

Any business with a significant online presence is also at risk of being the target of a DDoS attack, which can cripple or disable a website or network. Moreover, any business that shares an Internet Service Provider (ISP) or a data centre with a target company is also at risk. Crime gangs are now using this threat to blackmail businesses into paying out large sums of money for ‘protection’, which can be rescinded at will, or when the blackmailer decides they want more money.

Information Integrity

Information integrity plays a critical part in compliance regulations, especially SOX, which prescribes that all information must be stored adequately and made available on request from financial auditors. Although SOX is targeted at US businesses, it had an immediate effect on the 113 UK companies listed on a US exchange. In addition, UK companies that trade extensively with US companies may find pressure from their US partners to adhere to similarly rigorous accounting standards. UK regulation is also changing, and might come to reflect the hard line SOX takes. For example, the recent Company Law Reform White Paper calls for tougher penalties for accounting offences. Of course, the obvious ‘best practice’ accounting implications of this regulation make it good business sense beyond simply complying.

If critical information is lost or stolen, these businesses risk severe penalties from regulators. Theft of information can come from quite unsuspected sources: the average employee could pose a significant security threat.

Storage technology has progressed to the point where the entire active dataset of a small enterprise can be extracted onto a common portable device, such as an iPod. In addition, the availability of broadband and wireless devices means that employees, whether malicious or simply ignorant users, could pose a threat by extracting sensitive data from, or putting illegal data onto, the corporate network.

Mitigating the Risk

The need for security varies from organisation to organisation. Banks, for example, will face different security needs from those of an accountancy firm or a utility company. Every business will therefore need to assess its operational risk on an individual basis, and it can get help from security consultants and vendors to assess and plug holes in network security. There is now clever technology available which can help mitigate security risks from malicious software, cyber-criminals, end-users, and even unknown day-zero threats.

The wide variety of security threats demonstrates that traditional methods of protection, such as firewalls and anti-virus software, are not enough to shield companies from these new, complex and highly sophisticated threats. What is needed is a multi-layered approach to security that ranges from perimeter security to end-point systems through to the implementation of a security policy. This will ensure protection from unknown malware threats.

It is possible to use end-user behaviour monitoring tools which enforce security policies to provide protection against day-zero threats, and to block potentially harmful USB devices, which could be used to steal information from an organisation’s network. Businesses with a strong online presence would be well-advised to find an Internet Service Provider (ISP) that has invested in technology to protect them from the increasing threat of DDoS attacks, so that protection extends from the service provider’s link through to the edge of the corporate network.

Conclusion

Mitigating risk is important for any business to ensure economic stability and ensure survival in competitive environments. The reality of 21st century business means that risk assessment requires taking network security into account. Malicious network behaviour comes from a variety of sources, and businesses need to take steps to protect themselves. A defence-in-depth approach which secures a network to lower operational risk is an important piece of the compliance puzzle. Having a highly secure network goes further than compliance: it makes good business sense.
