Tags Strategy, Security, Risk Compliance Governance (GRC), Innovation

Top security for an insecure world

High-tech skulduggery is more sophisticated than ever, but security remains a hard sell, says Graham Jones, COO of Integralis, even among vulnerable growing businesses. By John Hutchinson.

Heard the one about the man who walked into an Israeli bank and stole £400,000 without anyone noticing? For Graham Jones, chief operating officer of business security experts Integralis, the story is a powerful reminder of why his company exists.

“The chap simply arrived at the bank dressed as a technician carrying some PC kit and was immediately shown into the data room,” Jones explains. “He then installed a wireless network card in one of their computers, fired up his own computer in a room next to the bank and siphoned off the money.”

The facts that nobody challenged him and the system allowed him to do it highlight a whole range of security threats now facing companies, from unauthorised intruders to electronic thieves and fraudsters. Keeping on top of security is a challenge for even the most stable organisations.

For fast growth companies, or those going through reorganisation, mergers, demergers and acquisitions, it's even more of a headache. As the organisation expands and the internal landscape becomes even more complex and dynamic, so do the areas of vulnerability.

And while some modern thieves may be swapping their stocking masks and sawed off shotguns for digital weaponry, they're by no means the greatest menace to most businesses.

Jones estimates that around 80 per cent of losses to companies are caused by internal staff, including disgruntled employees, people who have been deliberately planted in organisations with criminal intent and personnel who are simply reckless or incompetent.

“One of the best ways to think about company security is in terms of door keys – who is allowed to hold them and which keys open which doors?” Jones says. “It's a massive issue for growing companies where employees are constantly arriving and leaving, or that have contract employees on-site. How do you manage access to information and resources that are critical to the security of the business?

“It's also a major worry for companies driven by the need for compliance. In addition to any loss in itself, they increasingly face the prospect of stiff penalties if they fail to have the right preventative measures in place.”

The right tools for the job

As an independent systems integrator, Integralis knows it has to use all the tools in its arsenal to ensure security is top of the bill for the enterprises on its client roster. Tools like IBM's Tivoli Identity Manager and Tivoli Access Manager (TIM and TAM) are the kind of big padlocks that companies want to have in place before they even think about handing out keys. As Jones points out, you need systems that ask the questions “who are you and can you prove it?” and you need to be able to control who gets access to what, and what they can do with it.

“It’s not about commodities or boxed products, though,” he’s quick to point out. A successful partnership depends on mutual understanding of the business goals involved and high levels of service. “We have to forge the vital links between the product supplier and the end user.”

Jones believes businesses need to adopt an enterprise-wide view of risk – not just standalone security for specific vulnerabilities. And they should embrace the idea of a fully integrated and managed approach to security: “It’s like insurance: nobody would dream of having separate cover for different rooms or items of furniture in their office or home, so why view business security measures separately?” he says. And it’s not just about effective security systems – businesses need security policies on every level, “from email usage to data access and firewall management”, he adds. Only by assessing your weaknesses can you ensure secure business growth.

Integralis identifies pretty much every weakness and vulnerability in a system by using ethical hackers in its 100-strong UK team – good guys who know all the tricks and can mount highly realistic simulated assaults (also known as penetration – or “pen” – tests) on everything from your wireless network to your central server. They can even send in digital detectives to track down virtually any type of electronic wrongdoing, whether the culprits are rogue employees or criminal outsiders.

Growing pains

Integralis’ preoccupation with business need and service is in large part due to its own adaptation to life after the boom years around the Y2K panic – it enjoyed quick growth, followed by a slowdown. In the years leading up to 2000, clients clamoured to protect themselves from the so-called Millennium Bug and demand was huge. But when the computers of the world failed to collapse at the strike of midnight and the crisis passed, the phones almost stopped ringing. The company had to find its footing in very uncertain, ever-changing times.

In the post-Y2K world, security is a harder sell, despite the fact that the range and sophistication of possible high tech assaults on business continue to expand. Clients now need to be convinced that the threats are real and that any solutions put forward will bring measurable business benefits – they expect a return on investment.

Jones explains that it’s been all about “adapting to continuous change and maintaining the status quo”. For “status quo”, read commitment to the core values that made the company the European market leader in security – technical ability, service and client focus.

“In the last few years, we’ve rotated maybe 40 per cent of our sales staff, but none of our technical people,” he says. “We have two technical personnel for every sales person, because they’re the ones our clients want to work with. In most companies, the ratio is exactly the reverse. We’re achieving controlled growth because we’ve adapted to long sales cycles, which involve listening to what clients want.”

And listen they do – of all the technical issues raised with the company’s 24/7 helpdesk, nearly 60 per cent are resolved within 40 minutes. Any service level problems that aren’t resolved immediately will ultimately land on Graham’s desk within four hours – not that his intervention is often required. After all, if you’re running a fast-growing business and trying to keep your assets safe, the last thing you need is to be kept on hold or given the run-around.

And the only certainty in an increasingly insecure world is that there’s no such thing as too much security.

In brief: Integralis

Integralis started life in 1988 as the first company in Europe to specialise in business security and remains fiercely proud of its independence and specialist nature. The company is extremely good at security – because, as Graham Jones, chief operating officer for the company, insists, that’s all it does.

The company markets itself as “Your Trusted Security Partner” and, far from being an empty slogan, Jones and his team are deadly serious about their notions of trust, security and partnership. Whereas most security solutions providers are divisions or departments of larger companies, Integralis’ focus is 100 per cent.

“More than half of The Times 100 listed companies are our clients. In the UK as a whole,we look after more than 800 clients and 3,000 in Europe,” Jones points out. “People need to trust us, so we need to provide the best products and service levels on the market.”

Printer Friendly Email This Article