Reader's view

Vive la Revolution:
A letter from the back seat of a car

Dear Sir/Madam/One of that remaining 10%,
I’m taking my life in my hands here. For a technological troglodyte like me to address a letter to your magazine that probably has more readers in the information technology field than a dog has hair, and then to suggest that they may wish to re-examine their approach to information security, is to invite ridicule and anger. But hey, life is short! I’ll simply sleep in my car for a few weeks, so here goes.


Some months ago, PricewaterhouseCoopers (PWC) again published the results of its regular "Global State of Information Security" survey conducted in 2008. It made for some interesting reading.

PWC’s research showed that companies – by a wide margin – place responsibility for information security with their IT departments. Is it therefore reasonable to assume that IT specialists know what information is, where it is to be found in a company, who or what threatens it, in what way it is threatened, why it needs protecting, and how to secure it effectively? Scanning IT security literature, I find very little proof of that.

This scramble for enhanced information security is the IT industry’s fault entirely! Those guys began a revolution and guillotined the king, but then retreated from the battleground too soon. Let me explain…

For more than a hundred years, we’ve all become comfortable with the demands of that other revolution we all read about in our school history books – the industrial one, remember? Fixed assets, capital and labour became the means of production; the new corporate royalty.

But then two things happened over a short span of time: the world population ballooned, and global literacy increased dramatically. This prepared the ground for another revolution, and the peasants were again becoming restless.

Then those technology-inclined folk came along and hurled the microchip like a Molotov cocktail onto the world stage. (Okay, so what if I do get my revolutionary metaphors a bit mixed up?) The streets were on fire.

Now the peasants were, as they usually are, revolting. Frantically knitting software in their laps, the IT industry watched the heads of the industrial age royalty roll across the cobblestones. Long live King Information!

And so those IT guys led us all into this thing called the Information Age – the remnants of the industrial age’s royal family of land, labour and capital were banished to the fringes of the economy, replaced by… er… information.

Servers glowed softly in the dark; Bill Gates was crowned wealthiest man on the planet; earringed, ponytailed nerds became the new elite virtually overnight; and more than 45% of the market capitalisation of companies on the New York Stock Exchange is now made up of ‘new economy’ stocks.
Information is a democratising force, we all said. Information, like prune juice, will set us free, we said. Vive la Revolution!
Who cares if pimple-faced punks hiding behind shades regularly cause billions of dollars’ worth of damage to this new economy with the release of viruses and worms and other creepy-crawlies? That is merely collateral damage we all have to endure for our common good. At least the generals of the IT liberation forces led us all into the Information Age. Good for them!

The new revolution transformed information into a corporate asset greater in value than ever before. The profits, competitiveness and, indeed, the very existence of more and more companies depend primarily on the manner in which they create, utilise and protect their information. The fact that information has value, and that its value is threatened if not properly safeguarded, is at the very heart of the information security industry.

So who or what could threaten our companies’ information? Here it becomes a bit more interesting. The integrity, and even the very existence, of some of a company’s information is certainly threatened by power outages, lightning, fraudsters, hackers and pimple-faced punks, and all companies should continually guard against such catastrophes and deviants with vigour.

But that is only a fraction of the information security threat. The American Forest and Paper Association estimates that hardcopy business records are growing at about 7% annually, and the printer company Lexmark says that 67% of all digital business documents eventually find their way into printed format. In addition, Xplor International reckons that, on average, businesses make 19 hardcopies of each digital document. Looking at my study floor, I have no reason to doubt them. (Ah, how we all think back fondly on that innocent fairy tale of a paperless office!)


What this means is that whoever is responsible for information security in a company (as opposed to securing only digital information) should have made arrangements to secure the 19 hardcopies of that critical document. Is that being done? Was the hardcopy document classified in some way? Are there policies and procedures in place governing access to classified hardcopy documents? Were the drafts of that critical document shredded? Who typed it? Who proofread it? Where is it kept at night? Is there a way of knowing if a photocopy was made of it?

Let’s continue. Listen to what a former director of the FBI, Louis Freeh, said long ago about things that go bump in the night: “An intelligence collector’s best source is a trusted person inside a company or organisation, whom the collector can task to provide proprietary or classified information.”

Fact is that more than 75% of proprietary information loss in the United States occurs as a result of inadequate personnel security. No need to hack into your computer system, break your encryption codes or rummage through the rubbish bin in search of one of those 19 drafts. Just go out and buy the guy with the information a beer.
I can almost hear you muttering under your breath: “That’s okay for the US, but do such things really, really happen in this country of rugby, sunny skies and Chevrolet?” You bet it does! As far as I know, nobody keeps statistics about economic and industrial espionage cases in South Africa, but that doesn’t mean it’s not happening.
In the US, law enforcement’s industrial and economic espionage caseload grew by more than 3 500% in the 10 years leading up to 2001. (China, Canada, France, India and Japan were fingered as the main culprits. Being an American study, the Land of the Free came out smelling of roses, of course.) Heaven knows what their caseload is today; they stopped providing statistics more than eight years ago.

Ask yourself, why should we here in South Africa escape this trend so noticeable in the US and elsewhere? In Germany, for instance, the industrial espionage expert Walter Opfermann says that German companies are losing about $87 billion and 30 000 jobs to industrial espionage every single year.
So, what arrangements have you made to protect the proprietary information carried in the heads of your executives, employees and suppliers? Have they all signed non-disclosure contracts? Has the company recently lost key personnel to a competitor? Do you use temps or students during peak periods? What access do you give them to critical information? Do you verify the CVs of applicants?

This I know for certain: people should at all times be the single most important element in any information security programme. Ultimately, all information dissemination falls under their control. And the most important contributor towards good personnel security is fostering an awareness, understanding and corporate culture of security.
At the heart of all effective information security is not technology but an attitude. (Does this not mean that human resources departments should actually take the lion’s share of responsibility for information security rather than IT departments?)

I must admit that there seems to be a growing international appreciation of this fact. In 2008, 54% of respondents to the PWC survey said they provide employees with security awareness training, up from 42% the previous year. But that still leaves 46% who don’t. Those Chinese and French masters of industrial espionage agents must be rubbing their hands in glee.

I think you get the point: whoever has been given responsibility for information security in a company – whether it is the IT department, the HRD department or whoever – needs to design holistic security policies and procedures.

The PWC report states bluntly: “Too many organisations still lack coherent, enforced and forward-thinking [information] security processes”. Such processes should encompass not only digital but also documentary, physical, technical, electronic and (above all else) personnel security. To neglect any one of these is to fail to appreciate the ingenuity of espionage agents or the depth of human failings. Ask me, an old industrial spook. I know.

With no South African government body mandated to investigate cases of suspected industrial espionage, a company’s management team is solely responsible for the protection of its own mission-critical information assets. And doing so implies much, much more than installing a firewall and some passwords.

This then is my bugle call: the struggle is not over. We need the veterans of the information revolution to come out onto the streets once again and provide leadership on an information security battlefield wider in scope than simply IT security. This is the struggle any company must win to continue flourishing in the Information Age.
And now I’ll toss my sleeping bag onto the back seat of my car, lock the doors and wait for the storm to blow over.

Aluta continua.
Yuno Woo

PS: If you need to meet with me, draw a chalk cross on the lamppost outside your office. Don’t phone me, I’ll phone you. And wear a moustache when we meet.
