Social security - Summer 2010

14 Jun 2010 Voices

Brian Shorten emphasises the importance of working with people to ensure good IT security.

In 1986, deregulation of the financial markets did away with the distinction between the London Stock Exchange and the banks, allowing banks to deal in shares, with a growth in automated dealing systems and networks. For the bank I was with at the time it also led to the need for the management of those systems.

This was very much an administrative function. We didn’t have the technology we have now to protect and secure the systems, so it was a people thing rather than a technological issue, and I had many conversations with dealers explaining the reasons behind having access to a system issued to an individual rather than shared. I was explaining why users should take a particular action rather than using a technological process to enforce it.

Since then, the technology has increased with a complexity and power that I couldn’t have imagined; however, one thing has remained constant. Whatever the industry you are working in, whatever the assets the business has to protect, the most important element is the people.

The technology is obviously an integral part of security; I'm not advocating that we do away with firewalls, anti-virus software, intrusion detection/prevention processes etc., but these become stronger parts of the whole if the people who use the applications, access the internet, and send and receive emails understand why security is important and how to protect themselves.

A firewall will protect against attacks on the network, but it cannot prevent individual users circumventing it to connect to the internet. Anti-virus software can detect known viruses in files and software, but it cannot stop a user bringing in a device containing a yet-to-be-discovered virus. Email filtering software can detect viruses in attachments and messages that attempt to defraud recipients of money and login details, but users can still respond to a suspect email or click on a link.

Employee misconduct, carelessness or lack of knowledge cannot be controlled by technology alone, nor by policies, even if strictly enforced. The only way is to involve everyone in the whole process and effectively to turn every member of staff into a security manager.

Brian Shorten is IS BCP, risk and security manager at Cancer Research UK and chair of the Charities Security Forum