Leaks and lessons

Internal threats magnified by the global financial crisis were high on the agenda at a recent CIO roundtable sponsored by MessageLabs.

Around the table

  • Asaf Ahmad, information security manager, NSW Fire Brigades
  • Brad Bazley, national IT co-ordinator, Grant Thornton
  • James Bourne, chief technology officer, Dr D Studios
  • Mark Carmichael, CIO, PKF Australia
  • Greg Edwards, service delivery manager for group IT, Bilfinger Berger Services (Australasia)
  • Bjorn Engelhardt, vice-president, Symantec Hosted Services
  • Michael Garas, general manager of IT, Dymocks
  • Dennis Harris, general manager of IT and communications, SMEC Holdings
  • Aaron Hillier, IT manager, the Frank Whiddon Masonic Nursing Homes of NSW
  • Joe Perricone, IT manager, the Spastic Centre of NSW
  • Steven Pinto, global IT risk and security manager, Aristocrat Leisure
  • Tony Pollock, CIO, Angus Knight
  • Peter Wilson, information manager, Sydney Anglican Schools Corporation
  • Brian Corrigan, editor, MIS Australia

Economic downturns present IT departments with a dilemma. While most chief information officers have been handed down flat or reduced budgets in a bid to reduce costs wherever possible, security threats are on the rise.

And while concerns about external hackers are justified, the reality is that the biggest worry is probably much closer to home.

Grant Thornton's national IT co-ordinator, Brad Bazley, says the accountancy firm has become much more aware of internal security threats because of the uncertainty created by the global financial crisis. "People don't know what's going to happen to them, particularly where firms have made redundancies," he says. "Making sure that there's no data leakage in the lead-up to those redundancies is a real concern.

"You have to monitor the people who you're going to be dealing with in those exercises without giving too much away. It has a ripple effect throughout the business."

Aristocrat Leisure's global IT risk and security manager, Steven Pinto, says security comes back to risk management, but that medium-level risks are less likely to be given attention in the current economic climate than they would have been previously.

This view is shared by Bilfinger Berger Services (Australasia) service delivery manager for group IT, Greg Edwards.

He says any perception of increased security risk in recent times is more likely to be because organisations have not taken appropriate measures as a result of cost-cutting associated with the financial squeeze.

Data leaks

Dr D Studios has more reason than most companies of its size to be worried about content leaking beyond its corporate firewall - having only been in business for a year, the digital production company works on movies worth hundreds of millions. For chief technology officer James Bourne, network access control is a major headache.

"We might have some guy who's just flown in from Western Australia and has to have his Mac on the network with access to all of our digital asset management systems," he says. "I'm just at a loss on how to solve that problem at this point in time.

"Where do I centralise or set up this hardened core inside my network, and say this is a no-go zone? We provide a whole bunch of services within our networks, and then if we don't service them we hand them on. So, for example, we use Gmail exclusively. We don't have any internal email infrastructure.

"We permit every chat client there is, but we do monitor and manage it at the edge to find out about those things."

He has good reason to be nervous. Australian visual effects company Rising Sun Pictures was caught up in a storm earlier this year after an unfinished print of the movie X-Men Origins: Wolverine ended up on the internet a month before its release date. It was downloaded about 100,000 times before the leak was noticed and the film was pulled down.

And 20th Century Fox has promised to take legal action against the source of the leak, which is being investigated by the FBI and the Motion Picture Distributors Association of Australia.

Human failings

Symantec's software-as-a-service group vice-president Bjorn Engelhardt says there are three types of human threats - the outsider who is trying to get your information, the employee who inadvertently makes a mistake and, worst of all, the staff member who steals information. In addition to having the right technology, organisations must ensure that they have the correct policies in place and good people who will enforce them, he says.

In September, it emerged that consumer electronics retailer Clive Peeters had found itself on the receiving end of a human failing.

The company began legal proceedings against a woman in its payroll department for allegedly embezzling close to $20 million and spending the money on investment properties. Along with difficult trading conditions, this resulted in Clive Peeters posting a net loss of almost $9 million.

Grant Thornton's Bazley says opportunist behaviour like this is impossible for CIOs to prevent, but having highly visible security strategies in place can make employees think twice before undertaking such high-risk and damaging activities.

Network visibility is critical for Angus Knight's chief information officer, Tony Pollock, who has about 800 devices on his network - most of which are accessed by users who are not employed by the training company.

Angus Knight provides employment services for job seekers under a contract with the federal government and has numerous transient users who access the network from sites across Australia. To make matters worse, blocking possible sources of trouble, such as USB devices, is not an option because many people use them to carry their résumés around.

"The one area where my budget hasn't been affected this year is that layer of investment I need to make sure I know who's coming onto my network," Pollock says. "When I joined the organisation just under 18 months ago, it was completely open. We had people who could bring in any device, just plug it in and, bang, they're on. It was scary as, from my perspective, but now it's completely the opposite way."

Social networks

There are few topics that have divided CIO opinion as much as social networking sites. However, the weight of opinion seems to be shifting towards opening up access.

Grant Thornton's Bazley argues that greater freedom makes employees more productive. Instead of blocking access to social networking sites like Facebook or Twitter, an alternative approach is to open up access but let staff know that their usage is being monitored.

"IT has always had a bad reputation as being the gatekeeper and saying what is right and what is wrong," he says.

"We shouldn't be. Human resources is the one [department] that says what's morally right and wrong, so we should just be the enforcers.

"There's a vested interest in opening the floodgates a little bit but the challenge is in doing it securely."

This, again, comes down to the rules of enforcement, says Bilfinger Berger's Edwards. "IT isn't a policeman - we are there to set up the game but HR has to lead the policy," he says.

"All we're there for is to watch what's happening and, if behaviour outside of what we have accepted as OK is taking place, it gets reported.

"It's not an IT thing to jump all over the person saying 'you can't do this'. Those days are gone."

PKF Australia's chief information officer, Mark Carmichael, believes that putting up barriers to social networking sites is counterproductive. "The business should be telling us what to do and we just put the mechanisms in place to work with them," he says.

"Gen Y operates in a certain way and likes the use of social networking sites. If that breaks the tedium of their general working day for 10 minutes and then they're back into it again, so be it."

And blocking access was simply not an option for Dr D Studios' Bourne, who says his marketing department uses Facebook as its only recruitment channel.

"That's the only way they can contact the demographic. We've waived off any attempt to control and we just refer it upstairs to HR, which is fantastic. Let them decide what's bad or evil."

Dymocks general manager of IT Michael Garas was asked to block access to Facebook but argued that it would be a bad idea.

"This is now a tool that is used to communicate in work and socialise," he says.

"We're in the book business and people talk about books on Facebook. You monitor behaviour and, if they're becoming unproductive, you do something about that individual.

"But don't block the tools because they will just grow and become more powerful. You can't escape it."

Still, not everybody is convinced yet. Angus Knight's Pollock says the training company bars all access to social networking sites because they are not legitimate business tools.

Into the clouds

Cloud computing offers a whole new set of security challenges for CIOs. The concept is an attractive one because it allows organisations to scale IT resources up or down according to demand while only paying for what they use, but the concept of letting information live beyond the corporate firewall is making information chiefs twitch.

Angus Knight has been considering a well-known cloud-based customer relationship management package but has decided against proceeding because of the Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (Patriot) Act passed in the United States in 2001.

The act increased the scope for law enforcement agencies to search telephone and email communications as well as medical, financial and other records. It also eased restrictions on foreign intelligence gathered within the US, gave the US Treasury more authority to regulate financial transactions and enhanced the discretion given to law enforcement and immigration authorities over detaining and deporting immigrants.

"That would exclude me from using them as a vendor because of the contract I've got with our government, and the ambiguity with the Patriot Act, in terms of what the US government could do with that information if they decided to," Pollock says.

"My problem with cloud is that it keeps being blown away," Sydney Anglican Schools Corporation information manager Peter Wilson says. "I don't know what it is. It is a hugely dynamic sort of thing and it's so nebulous that it keeps on moving."

MIS Australia
