The most sophisticated security systems are useless if a company fails to recognise and guard against the threat posed by its own employees.
Dries Morris, director at Securicom, says that, without a comprehensive corporate IT security and email policy in place to enforce responsible email and Internet usage – combined with continuous training and education on the techniques and threats used – even the most sophisticated security technologies will be rendered ineffective.
“It’s like installing an expensive alarm system and indestructible burglar-proofing at your home and then failing to train the people and/or to instil the importance of setting the alarm and locking security gates among the house’s inhabitants.
“Similarly, companies must ensure that their employees use the internet and email responsibly, that they understand the risks associated with email, downloading files and applications from the internet, accessing unsafe websites via spam messages, internet browsing and giving out their personal details over the internet, and that they are aware of the various social engineering techniques used to create attack opportunities, such as pretexting, phishing and phone phishing.
“If they don’t, employees unwittingly – or even knowingly – open up company networks to a range of very serious threats, such as spyware and malware, to name but two,” says Morris.
That’s why he says corporate email and security policies, together with network access control, should form the core of securing a network.
“It doesn’t matter what size your company is, or what industry you are in, implementing a corporate e-mail policy is an essential first step towards protecting your company against the threats associated with email, which include, amongst others, confidentiality breaches, loss of intellectual property, network congestion and damage to reputation.
“By having an internal email policy in place, you are officially making your employees aware of your organisation’s guidelines and restrictions on e-mail usage. Implementing an e-mail policy is also advisable if you intend to use email filtering software to check the content of your employees’ emails. Your email policy would have to state the possibility of email monitoring; otherwise you could be liable for privacy infringement,” says Morris.
He explains that, while a corporate e-mail policy affords protection against the various threats associated with email, a corporate IT security policy goes much further than that, covering the entire spectrum of technology systems typically employed by companies today such as:
* Encryption mechanisms;
* Access control devices;
* Authentication systems;
* Virtual Private Networks (VPNs);
* Messaging systems;
* Anti-virus systems;
* Mission critical applications;
* End-user desktops;
* DNS servers; and
* Routers and switches.
“A properly-applied security policy enables companies to control and monitor access to these systems. Ideally, security mechanisms must be built into all layers of infrastructure and, depending on the specific environment and business requirements, specialised software may be needed to manage, monitor and enforce an IT security policy,” explains Morris.
He says that companies should only start looking for technologies to assist in mitigating IT security risks once they have established their corporate email and security policies and communicated these to their employees. Without these in place, implementing effective security technologies is impossible.
“We then recommend that a dual approach be run in parallel on completion of the security policy. This approach would be to secure and monitor the internal systems by means of system management tools and network access control devices and, simultaneously, to secure the perimeter of the network, thereby providing protection from internet threats.
“Due to the fact that most security breaches occur from the inside, and that the biggest threat is the deployment of various social engineering techniques, which are based on the flaws in human logic (it is easier to convince a person to give you their username and password than to crack a system), it is a good idea to partner with an organisation that specialises in security, especially with regard to perimeter and content security. This assures companies of the latest technology, access to specialist skills and round-the-clock monitoring.”