Policy would decrease ICT risk

By Martin Czernowalow, Contributor.
Johannesburg, 14 Jun 2005

Experts agree that failure to employ a well-considered and structured security policy is one of the biggest ICT risks facing South African companies.

Barry Cribb, MD of IS Digital Networks, says any company employing staff knows the problems that can be caused and the costs incurred by the improper handling of disciplinary processes, for example. Such procedures are usually well documented and followed by human resources departments.

"However, far too many South African companies fail to document the rules and procedures required to mitigate many of the security and behavioural risks in the use of IT systems."

A simple, yet carefully considered, security policy not only provides the opportunity to identify and classify one's risks, it also facilitates and focuses the need for staff training on security issues, he says.

"It makes staff aware of the level of personal Internet usage that can be considered reasonable, together with both the personal and company risks of being involved in inappropriate network behaviour or propagating and distributing undesirable material.

"The cost of the bandwidth alone used in distributing non-work-related content, undesirable or otherwise, if quantified, would lead most companies to act against it, yet many seem reluctant to invest in acting to curtail the losses," Cribb says.

Security as a whole is still perceived as an expense by many organisations, Cribb argues, saying the historical belief that security is predominantly a technical issue still prevails. Companies fail to recognise security as a multi-faceted business problem.

Under attack

"Security can be clearly identified as having a tangible return on investment. Similarly, the cost of training, which can prevent staff from inadvertently acting or failing to act in the required manner, will be less than the potential penalties, fines or losses incurred in falling foul of legislation or an attack from hackers.

"Security policies are essential for defining the rules of play. How can any employee be expected to follow the rules if he doesn't know what the rules are?" Cribb points out.

Pria Chetty, IT lawyer at Buys Inc Attorneys, agrees that human ignorance remains the main reason for IT security breaches.

"Notwithstanding the fact that 80% of vulnerabilities flow from staff errors, employers do little to educate and train their employees. During March 2005, Citibank received a $40 000 fine because it failed to properly train staff on electronic data distribution."

According to Chetty, human ignorance can also lead to risks resulting from the common practice of deleting e-mail messages after a certain period. She adds that more than 23 separate pieces of legislation require the retention of certain records.

"If these records are contained in e-mail messages, those messages should be securely archived for the period prescribed by the applicable law. These periods may be as short as three months or as long as 30 years, depending on the nature of the record."

Early in 2005, she says, Wall Street investment bank JP Morgan Chase had to pay $2.1 million in fines to settle accusations that it failed to retain e-mail sought in investigations of misconduct.