
Fighting fire without firewalls

Firewalls alone are simply not adequate protection for company e-commerce systems, says local IT security expert Arran Pearson.
Written by Byron Kaye, Contributor

AUSTRALIA (ZDNet Australia) - In fact, says Pearson, 80 percent of successful hack attacks are carried out on companies that have firewalls in place.

But the solution is not buying up on more state-of-the-art e-security technology, he said.

Continuous hands-on security management and clearly defined, across-the-board security policy are crucial for companies that need to keep their e-commerce systems secure.

"You can have all the technology in the world, but if it's not set up properly, then you're essentially wasting an investment," he said. Pearson is a senior IT security specialist at Unisys and a member of IT 12/4, the IT security division of Standards Australia.

Without hands-on management and policy and procedure in place, "buying more software is just going to make your problems worse," he said. "Complex programs have bugs. And Web servers and operating systems are complex programs. Bugs lead to security holes. The more bugs, the more security holes."

Pearson believes that companies should buy more e-security products only when security management and policy are "not cutting it".

"Without the backing of policy and procedure, the technology is not going to solve your problem," he said. "It's absolutely pointless having a content filter if there's no-one there to monitor it."

Without policy and procedure, Pearson said, employers are unable by law to fire employees who compromise their company's professional image or divulge confidential information using company IT systems.

Pearson advises Web-connected organisations to employ electronic "risk management", rather than "risk avoidance", e-security tactics.

He said an effective risk avoidance security program would preclude all electronic banking, broking and business-to-business transactions carried out within a company's IT system.

A risk management security program would require the continuous hands-on supervision of a security manager, but would not inhibit a company's day-to-day operations, he said.
