By David Hobson
The recent issues and protests surrounding the torch on its journey through the streets of London, Paris and San Francisco have highlighted some very serious security issues the U.K. will face in the run up to, and during, 2012. As the U.K. stepped into the limelight, with the baton passed to London during the closing ceremony at this year's event on the 24th August, the focus was redirected and the U.K. is the next major target of attacks driven by political and religious beliefs -- believe it or not, not everyone in the world loves the U.K. and its culture. These attacks are more than likely to be both physical and digital and will, undoubtedly, be a magnificent smokescreen for organized crime to hide behind. The security community faces a tremendous challenge of educating organizations about the threats to their business.
THREAT TO BUSINESS
At the end of 2007 the Times newspaper had a front page story disclosing details of an unprecedented warning issued by CPNI (Centre for Protection of National Infrastructure) to major businesses in the U.K., accusing China of carrying out state-sponsored espionage against vital parts of Britain's economy, including the computer systems of big banks and financial services firms. The Government alleges that British companies doing business in China are being targeted by Chinese State Organizations using the Internet to steal confidential commercial information (a touch ironic with them hosting this year's Olympics!). And the U.K. is not alone: while I was in the U.S.A. recently, it was publicly confirmed that the U.S. Defense Department acknowledged that their systems have also been compromised by China and they have no idea to what extent and depth. So what are the threats to your organization and why would the government issue notices to anyone?
As the dependence on IT continues to grow, so does the realization of how much sensitive or critical information is held within IT environments. As more and more sensitive data is digitized, and regulatory requirements become increasingly stringent, organizations face the challenge of securing and protecting their data against unauthorized access, tampering and loss. An enterprise's network is an inherently complex entity including a myriad of devices, platforms, applications and operating systems. Because of increased employee mobility and the growing number of end-user network-capable devices, tracking and controlling network access has become essential to maintaining data security in corporate networks. Organizations must balance access to these resources, while protecting valuable assets and ensuring customers' privacy. Failing to get the equilibrium right proves to be a costly business issue.
DEALING WITH SECURITY VULNERABILITIES
The sheer number of threats and intrusions to corporate IT systems has grown phenomenally in the past few years and today's security risks are complex. Threats to an organization range from external threats to internal threats as well as passive threats. Networks and personal computers need to be protected from vandals (malicious mobile code, Trojans, worms, VB/JavaScript), viruses, data exposure and inappropriate content. To better deal with the rapidly evolving threats, organizations are moving towards combining proactive and reactive security measures both within the existing network and at the boundaries where the network may interface with external and unknown devices. Historically associated with protecting a network against attack from the Internet, firewalls are increasingly becoming more important for securing a network against internal threats.
So where to start? Even thinking about dealing with the number of security vulnerabilities that your organization faces is enough to cause a migraine. Finding and prioritizing the sheer volume of network vulnerabilities, and then ensuring that they are fixed, is a nearly impossible task that can leave your organization exposed. Implementing ongoing vulnerability management to discover and assess vulnerabilities, and to implement and maintain system configurations, will ensure secure environments, saving time and money in the long run.
WAKING UP TO THE THREAT
The threat to business is increasing as we rely upon the data within an organization. The good news is that U.K. plc finally seems to be waking up to the threat to their business. The information we have suggests that, after many high profile data losses, boardrooms are finally giving security a bigger piece of their IT budget. Is this because no CEO wants to see himself or herself on the front page of the nationals, and have to explain to their shareholders how they lost all their customer data? Or is it because the threats are finally being given proper airtime?
Either way, one of the issues the security industry faces is that if it does its job well, it will never be able to prove that the money was well invested because incidents have been prevented before they happened! I had the good fortune to sit next to Richard Walton, former Director of Communications and Electronic Security Group, GCHQ at a couple of events recently. He rightly pointed out that had legislation been passed before 9/11, making it compulsory for airlines to fit locked armour doors to a plane cockpit, 9/11 would not have happened. Well, not in the form that it did. In my opinion the industry would have been up in arms over the extra expenditure calling it unnecessary. Perhaps in hindsight this is something that should have been done, after all there had been plenty of hijackings of aircraft before but hindsight is a wonderful thing.
We need finance directors to recognize the real benefits from an investment in security that is necessary not only for today but to protect us into the future. As a result of this outlay, when they see fewer breaches, that should be recognized as money well spent instead of down the drain. The threats will be growing, with U.K. plc becoming a major global target in the run up to 2012. There's no time to be wasted as it's pointless to secure the door after the horse has bolted.
London's Olympics will definitely be reported on and subsequently be remembered in history; let's just hope for all our sakes it's for the right reasons.
David Hobson, MD of Global Secure Systems (www.gss.co.uk).
For more information, please send your e-mails to swm@infothe.com.
©2007 www.SecurityWorldMag.com. All rights reserved.