You want system security? Bury your computer!


13-05-2004

System security within a business would be simple - if only people didn't use the system.

'Users are the bane of any security professional's life,' Dr Nicko van Someren, chief technology officer of security company nCipher, told Cambridge Network members at this week's Open Lecture, 'Security and the Internet'.



He said: 'Disconnecting from the Internet and burying your computers would guarantee security, but it's not very good for business.



'Security is much more than technology. My business deals with the intersection of the technology - or rather, the risks inherent in the technology - and the people who use it, and the policy about how they use it.



'Unfortunately we have users who make mistakes, and who occasionally have malicious intent. There are different sources of threat, but people are probably the biggest.'



Conceding that security will become an ever greater challenge, he outlined the primary goals of security systems: to protect confidentiality, ensure data integrity and availability, and ensure authentication of users and systems. Statistics from a Computer Security Institute survey detailed the considerable risks associated with security breaches, as reported by more than 500 security practitioners within a 12-month period: 85% had detected breaches in their systems, while 64% acknowledged financial loss, with 34 organisations reporting more than $150 million in losses from theft of proprietary information.



'Everyone in this room will have seen a breach of security in their computer-using life,' he said, adding that the key issue was building trust, especially for those conducting high-value transactions on the Internet. 'Without trust, there's no confidence. Without confidence, there's no business.'



Detailing the types of threats businesses faced - ranging from 'the script kiddie' who might not even understand what he or she is doing, to hackers, competitors, company insiders and computer criminals - Nicko van Someren said that building 'defence in depth', with multiple layers of defence, was the only way a business could safeguard its systems and its secrets. In doing so, it could protect itself against all kinds of losses.



But such 'preventative healthcare' could be costly. 'The less you spend, the greater your potential losses,' he said. 'It all boils down to risk management, and it is a trade-off.'



In a lively Q&A session, chaired by David Hurley of Anglia Business Computers - one of the event's sponsors - Nicko van Someren was joined by a panel including Robert Temple, chief security architect at BT; Mark Price, technical director at Panda Software; Ian McKendrick, IT director at Acambis, and Andrew Herbert, managing director of Microsoft Research in Cambridge.



Topics included WiFi security ('It's very easy to deal with - you simply don't trust it. Treat everybody as if they were a threat,' said Nicko van Someren); security patches for Microsoft software ('Security is a major issue for us: there's a long way to go, but we're working on it,' said Andrew Herbert); and email encryption ('In my experience the very people who most need to use secure email will not use it because using it involves making more than one click!' said Robert Temple).

 


Cambridge Network Limited