Security breaches in Corporate Nigeria
Part 1 of a 2 part article.
Adedoyin Odunfa
Security breaches and violations are shockingly commonplace in our corporate organisations today. Recent events on a global scale and in our national life, however, portend the need for responsible and responsive security precautions to protect our information assets.
Today, I start with the premise that there is a need to pay increasing attention to electronic security. Recent events such as the US September 11 attack and indeed our own Lagos bomb blast disaster only serve to accentuate this point. Electronic security or e-security is broadly defined here to encompass the security of all information stored in digital form that may or may not run on private (e.g. LAN, WAN) and public networks (such as the Internet).
In Nigeria today, we find our corporate organizations increasingly dependent on the use of computers, albeit sub-optimally. Given our exchange rate, any investment in Information Technology does not come cheap. Has the thought “why am I spending more when technology is getting cheaper” ever crossed your mind? It may therefore seem obvious that such investment should be adequately protected. Unfortunately, it seldom is, particularly given the dismal level of security awareness in Nigeria today. The reasons range from ignorance to complacency.
Security breaches arise from simple ignorance as well as mischievous and/or malicious intent. To be sure, the enemy may be within: 58% of security violations arise from within the organization. Some of these vivid examples may be familiar…
Real Life Illustrations
To drive home this point, I will take a few examples of real life occurrences that help to vividly illustrate our lackadaisical attitude to e-security.

At the CBN???
An expatriate business associate once gave me a first-hand account of his experience at the CBN, Abuja, where he had gone to attend a meeting. Out of sheer curiosity, he set out to test the security awareness of the Apex Bank. He approached the Computer Services Department and headed for their Computer Room. Although unauthorized to do so, he managed to bluff his way past several security men by looking confident and arrogant and gruffly murmuring, “I’m a consultant here – we are working on your computers”.
He was able to get as far as the main door to one of the computer rooms without showing any identification. Unbelievable, but true. Could this ever happen in the US Federal Reserve Bank, the Bank of England or any such organization? Clearly not. Could it have happened if the impersonator was Nigerian? Probably not, but that is no excuse. This is an example of a very serious security breach, perpetrated with little or no effort. Imagine if his intent had been malicious rather than merely mischievous. Can this happen in your organization? Don’t be too quick to dismiss it; it probably can. Responsible and responsive security precautions start from basic physical security precautions often taken for granted.

Open sesame!
A client once confessed (innocently) that he made a habit of leaving his PC logged onto the network even when he was out of the office (for lunch or for other appointments). This was an alarming confession considering that he was Financial Controller for a bank based in Abuja.
According to him, he certainly wasn’t alone in this practice, as it appeared to be the norm in his organization. Only after I explained the risks he was opening himself and his organization up to did he appreciate the gravity of his action. What he had done, in effect, was to license anyone to sit at his workstation and have access to privileged information under his name (since it was he who was logged on). What about your own organization? How security conscious are you? Do you have a valid security policy to guide and inform your staff, one which everyone is familiar with and stringently conforms to?

A hacker's delight
Hacking the average Nigerian web site is a painfully easy task, according to those I know who have tried it, primarily out of mischief rather than malice, I must hasten to add. Some people publish editable versions of their websites such that you can literally edit the site off the Internet by guessing a password or returning a blank password field. I know of a high profile ISP site that was recently hacked: the layout of the home page was changed slightly, just as a warning to the company. From all indications, it does not appear that this alteration or intrusion was noticed.

The Rogue Modem
These days, as IT is becoming more ubiquitous, it is common practice to purchase laptop or notebook computers for senior members of the organization. Although intended for and beneficial to those who work outside the office frequently (at home or in the field), they tend to be used more as a status symbol in these parts. I digress. Most corporations have Local Area Networks these days, and the more progressive have even attempted to secure those networks with security devices such as firewalls. Nevertheless, it is common to overlook the security breach that laptops can introduce. Aside from making your data extremely portable, they can also circumvent your security devices, which are typically attached to the server. By connecting a laptop that is already logged onto your network to the Internet through a phone line, you place your entire network at risk of virus attacks, hacking and other security violations. Does this situation sound familiar? How many of you can swear that this does not happen in your organizations with alarming frequency?
Consider this scenario: imagine if the recent Ikeja cantonment bomb blast had taken place in Victoria Island (on Oyin Jolayemi perhaps) or Lagos Island (the Marina for example). How quickly would the banks or other corporations who have their corporate structures in that area be able to recover, if at all? A frightening thought, but one we should consider seriously nonetheless. If nothing else, the events of the last six months on a global and national scale have taught us that indeed…
The Conspiracy of Silence
I could continue to unfold my extensive
catalogue of examples of potential and actual security
breaches and violations which take place in our every day
life. However, I think the above examples help to illustrate how painfully easy it can be to permit access to your valuable information resources, your organization's digital wealth, either out of ignorance or from mischievous or malicious intent. Many security breaches and violations take place in our everyday corporate lives; you may know of some examples yourselves. The problem is compounded because of what appears to be a conspiracy of silence: people within the organization tend to be wary of blowing the whistle, everyone keeps mum, does some window dressing and pretends nothing has happened. This attitude is particularly prevalent amongst banks, which would rather not court the negative publicity that incidents like this tend to attract, with its attendant undesirable effects on customer confidence. This is especially the case when the violation results from negligence (i.e. the lack of adequate precaution) on the part of the organization. Sadly, this is the case more often than not.
At worst, the suspects are carefully “settled out” of the system.
So what can you do to secure yourself? The following questions may be racing through your mind:

- How can I protect my corporate information?
- How can I protect internal group assets from potential internal transgressions?
- How can I leverage the Internet securely to grow my business?
- How do I use IT & the Internet to reduce time to market, improve overall efficiency and grow my business – securely?
To be continued. Part 2 of this article (to be printed next week) examines practical and practicable measures to secure your information assets.
Adedoyin Odunfa heads the Information Systems & E-business Group of Phillips Consulting. She holds an MBA and is a Certified Information Systems Auditor (CISA). The IS & E-business Group of Phillips Consulting focuses on e-security, e-business and Customer Relationship Management (CRM).