Modern information technology has been improving and simplifying people's lives for decades, but the intangible character of digital information means it also presents distinct security challenges. The question of potential risk is wide and deep, and many companies are already aware of the threats to information security and how to address them. But experts say that the situation is still far from ideal.
“When somebody steals €100 from me, I have €100 less in my wallet. When somebody steals my data, my data remains in the same place, but somebody else has an identical copy,” Gustáv Budinský, the executive manager of the Information Technology Association of Slovakia (ITAS), told The Slovak Spectator, adding that it is often the case that even people from within the IT world catch up with the latest threats only after a big delay. “It is even more complicated for ordinary people who do not have adequate knowledge about the essence of IT.”
This results in insufficient awareness among people and companies of information security issues and associated threats. Furthermore, it is not possible to identify only a few main risks for businesses as these depend on the character of individual companies and the scope of their business.
“There is no single, comprehensive answer to the question of what are the main threats to the data security of companies,” Budinský said. “For each organisation the risks change depending on what it does, i.e. what is valuable for it and in what environment it acts, and hence what threats it faces.”
Budinský specified that for a manufacturing company it may be of key importance to protect know-how and secure the non-stop operation of an IT system supporting production lines, while in a bank the stress will be on protection of confidential private information about clients and their transactions, and on limiting access to accounts only to authorised persons.
According to Ivan Kopáčik from Gordias, a firm which has focused on information systems security since 1997, in general the main risks are related to the confidentiality, availability and integrity of company data and the services of company information systems.
In terms of threats, their nature continues to change but the phenomenon itself has existed for a long time, according to Budinský.
“For example, various forms of computer viruses appear high in the rankings of most surveys,” said Budinský. “Then there are threats which change in response to the time and the way in which people use information technologies.”
Here Budinský pointed out that during the last few years, especially as a consequence of the current economic situation and the reduction of staff in companies, the problem of theft of sensitive data by employees and other cooperating parties has become more serious. In many cases, dissatisfied or departing employees steal sensitive information about clients, products, etc. with a view to profiting from it – even if this means breaking the law.
Filip Hanker, the editor-in-chief of IT portal Živé.sk, added that it is also necessary not to forget threats such as break-ins into Wi-Fi networks, infection of USB flash drives, or viruses affecting mobile phones. He also mentioned what he called indirect security, such as when a hacker tries to overwhelm a server with requests. This may not result in any data loss, but can halt business and mean a firm loses clients.
Companies’ awareness about potential security risks and the solutions they apply is very individual and differs from company to company. In this respect it also matters whether a company is part of an international corporation with internal standards and adequate processes and measures leading to identification and minimisation of risks, according to Kopáčik. The related national legislation, especially the law on protection of personal data, also contributes to the attention which companies must pay to risks related to information security.
“Adequate attention paid to this field is an automatic part of a healthy and prudent business anywhere in the world and this trend is also visible in Slovak companies, but still not to the necessary degree,” said Kopáčik, adding that calculation of the return on investment in security measures is usually a problem unless these are designed and implemented in line with the general strategy of a company.
According to Budinský, companies’ awareness about potential security risks is growing as a consequence of various incidents as well as various forms of promotion and information campaigns directed at managers. But the situation is far from ideal.
“This is also caused by the fact that IT is a rapidly growing sector, which in many cases exceeds the borders of what people perceive as a relevant equivalent in the physical world,” said Budinský. In this respect the loss of €100, and its consequences, is much more imaginable than the theft of data.
The complexity of IT devices and systems can also make the situation more difficult.
“If I know how a vacuum cleaner works, I can imagine how and what can go wrong,” said Budinský. “If the inside of the vacuum cleaner is a mystery to me, then I can guess only with difficulty what could go wrong with it. And in this respect the vacuum cleaner is a very simple device when compared to current IT systems.”
Cloud computing and information security
The increasing prevalence of cloud computing – remotely stored data and systems, normally managed by a third-party provider – also brings with it questions of security. Data are losing their ‘material presence’, for example in the form of a server under lock and key, and instead are floating somewhere in a complex mass of systems which the data owner might never see.
Another potentially big risk stems from compatibility of legislation.
“Many global cloud systems are operated in countries which might not be considered secure in terms of specific legislation,” said Budinský. “For example, the US is not regarded as a country with legislation that provides appropriate protection for personal data according to EU requirements.”
Another type of risk is the question of getting data back out of the cloud and the ability to recover operations after a loss of the link to the cloud or the failure of the cloud provider, according to Budinský.
Here Hanker pointed out that it is in the interests of the provider to keep its systems secure, as a security outage could impact huge numbers of clients.
Kopáčik of Gordias said that one should realise that cloud computing is not a revolutionary new technology, but a new way of making data accessible. With this come risks which, while not entirely new, in some cases are becoming greater.
Here Kopáčik pointed to the loss of control over the security of the infrastructure and the inability to check whether company data is secured adequately, for example by an audit or penetration tests. Other risks arise from this, like protection of privacy of processed information, the question of third-party access to information, and others.
Information security remains a hot topic not only in Slovakia but around the world. But according to Kopáčik, we are forgetting that information security risks also affect other technologies, for example management of manufacturing processes, control and measurement systems, and others. Here the lack of attention to potential risks might bring some very unpleasant surprises, he warned.
According to Budinský, with regard to new trends, several themes are currently present in the market. These include the increase in threats to payment systems such as payment cards, internet banking and so on. The IT community is also debating the question of protection of critical infrastructure, given that more and more fields of society and the state depend on IT, and the security of these systems can have a direct impact on the lives of citizens.
19. Sep 2011 at 0:00 | Jana Liptáková