Firewalls alone are simply not adequate protection for company e-commerce systems, says local IT security
expert Arran Pearson.
AUSTRALIA (ZDNet Australia) - In fact, says Pearson, 80 percent of successful
hack attacks are carried out on companies that have firewalls in place.
But the solution is not buying more state-of-the-art e-security technology, he said.
Continuous hands-on security management and clearly defined, across-the-board security policy are crucial for
companies that need to keep their e-commerce systems secure.
"You can have all the technology in the world, but if it's not set up properly, then you're essentially
wasting an investment," he said. Pearson is a senior IT security specialist at Unisys and a member of IT 12/4,
the IT security division of Standards Australia.
Without hands-on management and policy and procedure in place, "buying more software is just going to make
your problems worse," he said. "Complex programs have bugs. And Web servers and operating systems are
complex programs. Bugs lead to security holes. The more bugs, the more security holes."
Pearson believes that companies should buy more e-security products only when security management and policy
are "not cutting it".
"Without the backing of policy and procedure, the technology is not going to solve your problem,"
he said. "It's absolutely pointless having a content filter if there's no-one there to monitor it."
Without policy and procedure, Pearson said, employers are unable by law to fire employees who compromise their
company's professional image or divulge confidential information using company IT systems.
Pearson advises Web-connected organisations to employ electronic "risk management", rather than "risk
avoidance", e-security tactics.
He said an effective risk avoidance security program would preclude all electronic banking, broking and business-to-business
transactions carried out within a company's IT system.
A risk management security program would require the continuous hands-on supervision of a security manager,
but would not inhibit a company's day-to-day operations, he said.