Security Begins on Your Desktop
J. Dowling - April 18th, 2000

IT Management Issue

Consider this:
        
If the hard drive on your personal computer failed right now:

How long would it take for you to be as productive as you were yesterday?

Would any clients be inconvenienced?

Would you impact the productivity of others in the company?
                
 
Are you sure that no one else on your corporate network can access the files on your machine? How about when you connect to the internet from home? From a client's site?

Is your company providing the proper level of privacy and integrity controls over client and corporate data to satisfy contracts? Laws?

The enterprise runs on data, and not all of it is in the repositories that are managed directly by the information technology departments. Studies have shown that less than 20% of the data used to run a company resides in its mainframe systems. Older studies showed that more than 50% resided in unstructured formats in file cabinets and the remainder was stored in personal files. Today, the personal computer has assumed the role of personal and even work group file cabinet. However, it has not assumed the file cabinet's privacy, security, and asset management capabilities.

Work group file cabinets are obviously company property, as are their contents. Ownership of data in personal computers is not so obvious and, by practice, it is rarely shared. Cabinets are locked to prevent accidental access and lock-barred to prevent intentional violation. Most personal computers have neither capability or, if they do, it is often not engaged.

Consider also the use of spreadsheets, business modeling software, and personal databases. Hundreds of hours go into building data interpretation, translation, and presentation rules by individuals to enhance their personal productivity (hopefully) or knowledge-based power (unfortunately). These rules are used to make or guide business decisions, but they are not accessible or even decipherable by anyone other than the model creators.

Continued availability of such systems is an information technology management issue even though it is rarely incorporated into formal information asset protection systems. There are two principal threat sources that must be considered: physical threats such as theft, destruction, or damage to a personal computer; and intrusion threats such as unauthorized use and network access.

The Chief Information Officer rarely gets involved in personal databases and information systems. The net result? A chief with domain over less than 20% of the corporate information assets.

Business Implications

Business continuity is an important issue for management. However, the impact of losing a personal data store or information system is not often considered to be a business continuity issue. Some examples of business issues resulting from weak governance of personal data stores and information systems on personal computers follow:
        
A catastrophic hard drive failure causes the loss of years of accumulated e-mail, memos, notes and proposals, resulting in months of confusion among customers due to broken commitments.

A stolen laptop computer places proprietary client data in the hands of unknown parties, jeopardizing a valued relationship and opening the company to legal action.

Data extracted from several sources on mainframe systems is incomplete and not synchronized, causing a collections team to ignore high-risk accounts, resulting in a bad-debt bubble that bursts weeks downstream.

An employee's resignation places his personal computer into the hands of a supervisor who reassigns the machine without removing files, causing the loss of months of sales leads, proposals, and contract details.

A work group shares files over the corporate intranet, where they are copied by a disgruntled employee and e-mailed to the press, resulting in significant internal conflict and public embarrassment.

An employee whose machine is not equipped with updated virus detection software introduces an infected document onto the machines of the entire sales force, resulting in costly down time for sales and technical staff to inoculate and disinfect machines.

An employee, unaware of the implications, telecommutes to work using a broadband (cable modem) service that lays the machine open to hacking, resulting in lost files.

IT Management Implications

Personal computers demand personal responsibility for information technology management. Many of the above business issues could be mitigated to a great extent through centralized or professional information technology management techniques. However, the scale of these issues is immense when one considers the number of people, the locations, travel, and other factors that drive the complexity of issues and responses. There is, however, a short list of information technology implications that can be addressed to limit exposure.
      
Provide education, policy, and means for backup, archive and recovery of personal computer-based data and systems.

For laptop machines, provide hard drive encryption software and encourage the use of removable hard drives that can be encrypted and packed separately.

Employ desktop computer monitoring software to identify failing hard drives and proactively replace them.

Facilitate access to mainframe data stores to assure data integrity.

Provide education and means for continually upgraded virus detection at the desktop, server, and mail gateway.

Provide education, policy and means to assure data privacy in network environments.

Architecture Impacts

Information Technology Architecture is principally driven by the need to support enterprise applications and data access. Special consideration must be given to enable personal and workgroup productivity without compromising data integrity and business continuation. Architecture design must consider at least:
        
Workgroup file servers with backup, archive and recovery capabilities.

Workgroup level firewalls to control access to sensitive data such as is often shared within marketing, human resources, research, finance, and legal teams.

Personal computer-based firewalls to assure network security within the corporate intranet, when connected to other corporate internets, and when connected to public networks.

E-mail encryption at the desktop and e-mail gateways.

Virus inoculation at the desktop, servers, and e-mail gateways.

Remote diagnostics for personal computers.

Public data networks with and without Virtual Private Network capabilities.

Business Management Response

Share the responsibility for assuring business continuity and data security through policies, procedures, and education. Take active measures such as the following to create an informed and enabled workforce:
        
Incorporate data integrity and privacy into human resources policies and procedures and include in new employee orientation.

Reinforce established practices through operational reviews and audits that assess compliance with policies.

Question the source of data used to make management decisions to assure its integrity.

Encourage and support information technology management to develop workgroup-level architecture and infrastructure.

Treat business interruption and liability issues related to personal computer use the same as you would other risk management issues. Insurance companies can provide helpful data, as can legal consultants.

Do not expect a higher degree of security than you are willing to invest in.

User Recommendations

The infrastructure and services that enable responsible computing among personal computer users are costly and not highly leverageable. Unlike the mainframe environment, where one firewall, backup server, or uninterruptible power source serves hundreds or thousands of users, many services must be implemented on each personal computer individually.

To make matters worse, personal computer management is a continual process even for an individual user. Each hardware or software upgrade, each new network, each new workgroup, and each new service requires personal attention. Standardization has the highest degree of impact of any action that information technology management can take. The following list gives high-leverage standards and practices:
        
Workgroup servers allow user files to be stored and backed up inexpensively on high-availability hardware platforms.

Enterprise Management Systems enable the technical support teams to monitor the desktop and server network, responding to alerts and trends rather than incidents.

Segmented and Routed networks enable the use of filters and access control lists. They also make convenient firewall lines of demarcation.

Corporate accounts with Internet Service Providers can simplify configuration and technical support.

Inspect-and-Push software version management simplifies distribution and increases the probability that current virus detection and firewall software is in place.

Locked-down desktop and laptop configurations can help, but generally they are bypassed to 'personalize' software and networking options. This only works in high control / high conformance environments.

Data-Marts improve data quality and access at the same time.

Education and proficiency for technical support staff assure that the tools at hand are employed properly and to their fullest value.