Most information – including, indeed, this – is at some point electronic. How do you secure it from hackers who may misuse your business information out of mischief or to gain a competitive advantage?
Even your ceiling is at risk from the hacker who wants your organisation’s information. Besides off-site attacks, the ‘Tiger Team’ try to access computer networks by means that include physical entry (via the ceiling), stolen key cards and ‘social engineering’ (politely tricking office staff into divulging sensitive information). John Butters gives what he calls ‘war stories’ of security vulnerabilities – the oil company’s control of its gas pipeline, the chemical company’s secret formulas, personal credit card details and strategic merger targets; the hotel chain’s business plans and board report. The team’s report may be technical (a system has patches missing) or non-technical (reaction times to a hack are poor, the organisation does not monitor hacking well).
An internal audit of information security can do more harm than good, he warns. An executive summary saying that no security weaknesses were found is not the same as ensuring security. A summary that says ‘you are vulnerable to hackers’ can add to distrust between the IT department and others, while, after the organisation acts on the report, staff may tend to relax, believing that the ‘holes’ are fixed – though in truth testing ought to be regular. On the plus side, an ‘ethical hacking’ exercise does keep staff on their toes.
Visit www.bcs-irma.org – British Computer Society IRMA (Information Risk Management and Audit) group or BCS Information Security Specialist Group.