Every day, regardless of the size of your company or the kind of business you
do, the information stored on your computer network is at risk of being compromised.
It could be an incident in which proprietary company data is stolen. Or your
employees’ personal information could be exposed to others who might not keep
it to themselves. It could be a situation like the one that occurred at Indiana
University last summer, when hackers rooted around in the university’s
computer system, having free access for at least three or four days to the
applicant data from 1,200 prospective students.
There’s a long list of nasty possibilities, one of which is that someone
might be attempting to break into your company’s digital infrastructure right
now. “The threat exists for everyone by varying degrees, regardless of who
they are,” says Steve Fuller, president of NetWorks Group, a company in
Brighton, Michigan, specializing in network security and data protection. “Automated
scans, worms, and pre-attack probes launched from the Internet go on constantly,
testing for vulnerabilities in companies’ networks.”
Consider this, from a survey released in April on computer crime and security
by the FBI and the San Francisco-based Computer Security Institute:
- Ninety percent of respondents (primarily large corporations and government
agencies) had detected computer security breaches within the last 12 months.
- Eighty percent acknowledged financial losses due to computer breaches.
- Those reporting losses quantified them at nearly $456 million in 2001.
Another thing that is almost certain: when these computer breaches occur and
a company experiences significant negative impact, the vigorous finger-pointing
that follows would cool a Tucson warehouse in the summertime. HR may say that
the IT department should have had better technology in place to protect the
system. IT may insist that the problem is with HR’s network-security
policy.
So, to stave off the finger-pointing, and--even better--to greatly reduce
the risk of a network-security meltdown, now is the time to talk and plan.
Working together to create sound policy
A strong partnership between HR and the technical staff is crucial, says
Fuller. Working together to formulate policy ensures not only that the
guidelines being established are sensible, but also that they are practical to
implement and enforce from a technical standpoint, he points out. "Network
security works best when it is policy driven. The actual policy should come from
the HR side, but the technical people should be involved in implementing the
details."
Having a clearly established network-security policy also serves as a guide
to IT staff for decision-making when incidents arise, says Fuller. “For
several reasons, it is much easier for technical people to respond in situations
when they have a clearly written policy as a guide. First, you get more
consistency in your reactions. For instance, if you had to discuss how your
company was going to handle things like lost passwords each time it happened,
you’d waste a lot of time and end up with haphazard responses in handling it
on a case-by-case basis, as opposed to having to make the decision only once at
the management level.”
Having the weight of an established policy behind a decision is important,
too. “With a clearly written, well-communicated policy, IT people don’t have
to make compromises they're not comfortable with,” says Fuller. “They know
that they have the backing of management in their decision. It’s not an
individual making that determination--it comes from the organization through the
policy.”
Some problems come from within
Not only are people trying to break in from the outside, but a company's
network can also be compromised when someone inside the company does something
that can harm the network, accidentally or otherwise.
Eliminating problems from within is more challenging. To put it logically: a)
employees are people, b) people are human, and c) to err is human. So just
assume that you're going to have incidents.
"Something like 60 to 80 percent of network-security problems come from
the inside," says Fuller. "It's not a small problem."
To minimize the risk from within, there are two things you should do: provide
training on proper use of the system, and perform thorough background checks on
everyone who accesses the system, temps and contractors included.
Also, periodic reminders of your appropriate-use policy and network-security
guidelines are crucial. At the least, you should have employees annually sign
the policy, indicating that they understand it and agree to act accordingly.
“Security works best when it is part of the culture,” says Fuller. “End
users will know what to do in most circumstances, and providing employees a
thorough orientation combined with frequent reviews of the policy can go a long
way to preventing incidents.”
When there is trouble
So, what do we do if some sneak does get far enough into the system to poke
around a little bit? Or if it turns out that everyone knows that Rita in
Accounting uses “SPRING_FEVER” for her password?
"Every company should have an incident-response policy in place,"
says George Jelatis, director of security architecture services for Secure
Computing Corporation, in San Jose, California. "This can be as minimal as
defining a reaction team and the roles they play, but usually goes further and
addresses questions like whether or not the company will want to contact law
enforcement in the event of information loss or theft, and when and if the
company will publicly acknowledge a breach has occurred."
Giving early thought to these questions--before the heat is on--is something
that can really pay off in the event of a network-security problem. “If you
can make these decisions when things are calm, it will save you a lot of
heartburn during an incident,” says Fuller of NetWorks Group. “These are
very stressful, chaotic times, and you’ll be glad you considered these issues
in advance.”
Keeping up with technology
Your policy is now in place and the technology has been deployed. Your
employees know the guidelines and have been trained in appropriate use of the
network. Your job is done, right?
“The biggest thing that people--tech staff included--do not understand is
that security is an ongoing process," says Fuller. "You need constant
review of your policy and the technology used to safeguard the system. You
should also regularly remind employees of the policy and the expectation it sets
for them.”
Dan Jude is president of Sugar Grove, Illinois-based Security Software
Systems, which offers Internet monitoring, filtering, and blocking software to
employers. He agrees, saying that an outdated network-security plan is almost as
bad as not having one at all.
"Technology is changing so quickly, and in such big ways, that the
network-security policy has to be a living document," says Jude. "It
has to change as technology changes, and change as the organization changes. As
those updates happen, they must be continually dispersed to employees as
well."
Though you can never eliminate risk completely, when you tie HR and IT
together to formulate a sound network-security plan, when you train end-users on
smart and safe computing, and when your IT people incorporate the latest
technology to keep the bad guys out, you go a long way toward keeping your
networks safe and your life happily free of finger-pointing.
Steps to creating a network-security policy
- Perform a risk assessment.
"Figure out what your most important data is and what steps need to be
taken to protect it," says Steve Fuller. This will help prioritize your
efforts, determine what technology is needed, and decide how to most effectively
apportion costs.
- Create a clear policy, keeping it as simple as possible.
"Your network-security policy should be three to five pages long, 10 at
the most," says George Jelatis. "The policy should be written at a
fairly broad level, with references to specific procedures when more information
is needed.”
Also, given the amount of information out on the Internet, you won’t have
to start from scratch. Sample policies are available free from the SANS (System
Administration, Networking and Security) Institute on their Web site.
- Communicate the policy and train employees on it regularly.
"Too often we give new employees a copy of the acceptable-use policy as
part of a big stack of papers they have to fill out and sign on their first day.
Then it gets thrown into a file and never looked at again," says Dan Jude.
"It is really important that there are frequent reminders of the policy, so
that employees do not lose sight of its importance."
Workforce Online, September 2002