Isn’t Prevention Better Than Cure?
Technological controls are usually ineffective in the absence of a proper security management and monitoring policy.
Ravi Shekhar Pandey
Saturday, June 16, 2001

Even as the corporate world keeps discovering and inventing new benefits of a networked world, threats to its networks, too, are attaining new dimensions. Very much like real-world crime – where criminals always seem to be one step ahead of the police – attackers, hackers and intruders are constantly developing new and complex techniques to outsmart the best security systems.

Moreover, even when the attackers are not of the highly motivated, armed-to-the-teeth kind, organizations are also most likely to be hit by attacks from within. Network security threats have certainly assumed new proportions with the fast emerging centrality of the Internet as a source of communication. And the Internet, we all know, is a network of networks, connecting millions of anonymous users all over the world, making it more vulnerable than any other form of computer network. All this means that corporate networks are always at risk.

Common Network Security Objectives

  • Maintain targets’ and constituents’ confidence in the organization

  • Protect the confidentiality of sensitive data on employees, clients, customers and other stakeholders

  • Protect the organization’s network or information resources from being misused or wasted by unauthorized parties

  • Avoid frauds and incidents that could lead to downtime, financial loss and dent in the reputation of the company

  • Security must support compliance with legal and regulatory provisions

So what does one do in these circumstances? Should one look for perfect security? It is better to realize, as Neel Ratan of global risk management solutions at PricewaterhouseCoopers, India, puts it, that information security is a risk and, like most risks, it cannot be eliminated but can be mitigated. So, if perfect security is a mirage, what should one do? The solution lies not in trying to eliminate the risk but in managing it effectively and putting an adequate security mechanism in place. But how does one manage risk effectively or define adequate security and then design, implement and manage it?

To begin with, organizations must do away with the belief that deployment of powerful technological paraphernalia is a guarantee against any of the security threats, be it viruses, hacker attacks or network intrusions. Technological controls are usually ineffective in the absence of a proper security management and monitoring policy.

The first step towards achieving adequate security goals should be the assessment of an organization’s security mechanism and its performance in the existing security environment. Primarily a management function, the assessment should then form the basis of the next step – a comprehensive documented security policy. The policy should not only assess the present and future risks but also determine the needs of the organization. It should also determine the management and monitoring principles that the organization would follow in order to maintain adequate security. The policy itself could contain the details of the technological tools that the organization would require. Here, it must be remembered that the policy should be a dynamic one with in-built flexibility, so that changes are incorporated whenever necessary.

Security Best Practices

Look at your network in totality–look at your risk profile

  • Stage 1: Come up with a security policy stipulating what anybody in the company can and cannot do

  • Stage 2: Evaluate your current situation according to the policy

  • Stage 3: Take corrective measures

  • Stage 4: Carry out periodic assessments

  • Stage 5: Get a proper policy maintenance mechanism

Neel Ratan, global risk management solutions, PricewaterhouseCoopers, India.

While deciding on the security policy, the assessment of risks and needs must take into account the fact that the two are not common across the spectrum. The security needs of different kinds of network would be different. In other words, an e-business portal would have an entirely different set of risks and security needs as compared to a raw material supplier who is connected to its buyer through a private network. A security policy should not only be linked to threats but also to business risks specific to the organization’s industry or area of operation.

Among other things, a well-documented security policy has two prime benefits. First, it brings focus into the security practices of an organization, making it easier for it to know and do what it needs to do, in terms of management, implementation and monitoring. Second, it helps the company to avoid expenditure on unnecessary security boxes and solutions.

Here, it is important to distinguish between policy and guidelines. While the policy should outline the fundamental requirements that the senior management considers imperative, guidelines should provide the more detailed rules for implementing the broader policies. Guidelines can also be designed as an educational tool that could help the employees understand and follow the desired security practices. Employees need to be educated effectively because, in most cases, it is the human being that is the weakest link in the security chain. An employee could sometimes be as strong a security threat as the most motivated of the attackers.

Key Elements of Security Policy

  • Evaluate risks: What are the special features of your business? What is your network architecture like? Cover things like a check on the person you hire

  • Have password management in place – get a password policy. Most IT security is password driven. As passwords can be guessed, this is the easiest route taken by hackers. A password policy should have components like the preferred length of passwords, frequency of change and a history of overused passwords.

  • Make use of whatever infrastructure you have

  • Deal with the issues related to the organizational premises: access, authorization, etc.

  • Look at technology options and issues: A typical characteristic of a hacker is that he never succeeds in the first attempt, so if you have a good proactive monitoring system in place (audit log and intrusion detection system), the moment a breach is attempted you will know before the damage happens

  • Standardize technology implementation across all organizational locations 

Educating and training the management and employees on the security risks and control is imperative for the success of any security policy. Also important is involving business managers in risk assessment. Involving business managers in identifying potential threats, vulnerabilities and also consequent impact on business operations, could help them better understand the imperatives of security. This is important, given the fact that a business manager is in a better position to know which information or data is sensitive and needs to be protected.

A security policy can only be effective when it is linked to a cycle of activities, so that the network security risks are identified and addressed on an ongoing basis. The effectiveness of the policy and the risk control mechanisms should be monitored regularly through various analyses, evaluations and audits to determine if the existing policy or security mechanism needs to be modified or updated. External third party audits should be regularly carried out to get an independent assessment of security.

Set Your Priorities

  • Priority 1: Assess the organizational security posture

  • Priority 2: Assess the impact of a security breach and classify

  • Priority 3: Define a security policy for the organization

  • Priority 4: Test the security policy

  • Priority 5: Implement the security policy

  • Priority 6: Continuously monitor and refine the security policy

SV Ramana, country system engineering manager, Cisco Systems. 

When securing a network, the most important thing an organization should have in mind is that prevention, as they say, is the best cure. So a proactive approach to security, one that focuses on prevention and detection before any breach, should be the goal. After all, if security costs money and time, the loss on account of inadequate response to threats and risks could mean not only irreparable financial loss but also damage to organizational reputation, credibility and trust.

Security is a Continuous Process: Keep Checking the System

  • Review the enforcement of security policy, do random checks on enforcement

  • Carry out onsite vulnerability assessment – sit inside the network and check the tools

  • Carry out remote (outside in) vulnerability assessment, get into the network from outside to check how things are doing

  • Then take necessary steps: certain vulnerabilities can be fixed by certain patches or updates from the product vendor or solution providers’ web site

  • Review the policy and then implement it 

Swapan Johari, business head, emerging solutions and services, HCL Comnet
