The phrase “security clearance” will become more common in general business as well as sensitive government agencies, says Unisys security consultant Terry Shubkin.
“The weakest link in the security chain is still people,” she told a Computer Society meeting last week.
Increasingly, companies will insist that ICT support staff and client-facing staff must be security-cleared, ensuring that they have no suspicious incidents in their past and are likely to abide by the company’s security standards.
Increasing concern with security, she says, will provide one more disincentive in the already delicate decision whether to outsource ICT work overseas. If the staff working on software are too far from vetting and control by head office, vulnerabilities could intentionally or inadvertently be introduced to its ICT systems.
Identity management, “still in its very early days for most New Zealand companies,” will get more attention in the near future, Shubkin says. The means by which an employee identifies him/herself to the company network will become increasingly advanced, and will more often include biometrics of some kind, she says.
Increased sophistication will also come into identity management’s logical partner, authorisation.
Shubkin also refers to the growing fear of weaknesses in mobile equipment, which emphasises security as a whole-of-company business-oriented policy, reaching to the highest directors. It’s difficult to countermand the chief executive who demands a BlackBerry or similar PDA which will access the company’s network and also be connected to unknown other equipment, she concedes, but everyone must observe security disciplines.
Some more inert devices, such as flash-memory chips with a USB connection, may be just as dangerous, Shubkin says. There have been cases of them being infected with viruses and spyware which copied all open files on the system and then “phoned home” as soon as the chip was plugged into an internet-connected machine.
Plans for business continuity in the face of a natural disaster are another worry. At least half the audience indicated they had given some thought to the ICT consequences of a bird ’flu pandemic. Plans typically include people working from home or elsewhere off-site, and the security risks of this mode of operation must be scrupulously evaluated, she says.
Increasing skill in the population and more advanced development tools are allowing viruses and other exploits to be developed more easily and quickly. The number of exploits for Unix-type operating systems, including Linux, is increasing and, some sources suggest, now exceeds exploits for Windows. Exploits no longer attack the operating system only; some target the network infrastructure, Shubkin says.
Formal tools are evolving to help companies evaluate their security “maturity”, with diagrams and dashboards able to identify how mature the organisation is in this respect and where specific failings are.