Software security: a case of winning hearts and minds?

The growing importance of computer software to a company's effectiveness is matched only by the risks involved in its improper use. Viruses, legal challenges and even innocent mistakes can all pose major threats to your success. Added to which, pirated software and dubious shareware downloaded from the web represent a greater security risk to the company network than ever before.

We live in a world where data wants to travel

Today's MP3 players, digital cameras, pen drives and other tiny handheld devices all have memory capacities that dwarf their disk-based ancestors. A portable music player, for example, can store as much as 60GB of data - enough to copy the average hard disk. Equally, a thumb-sized memory stick can store 512 megabytes, equivalent to 364 floppy disks and sufficient to replicate a personnel database or hundreds of Word files. Similarly, most mobile phones, PDAs and cameras can now be connected to PCs via cable or infra-red links and used to transfer data. What's more, almost all computers have built-in CD burners capable of copying 640 megabytes of data to a blank CD.

Growing concern over USB devices

Indeed, the results of a 2006 survey by FutureSoft, a company specialising in endpoint security, highlighted that UK businesses consider USB devices brought into the workplace to be a threat to corporate security. No fewer than 88.7% of respondents from a cross section of key UK market sectors feared the risks of external devices to the corporate network, with over half of them naming employees' iPods as a particular concern.

"It is encouraging that so many savvy UK IT managers are aware of the problems that could derive from USB devices being connected to the corporate network, but of great concern that so few have measures in place to properly monitor their usage," says FutureSoft UK MD Andy Wooles. "Threats to security go beyond simply cleaning spyware infections and running virus scanners. Infections from spyware and viruses may simply be symptoms of a wider problem - the inability to manage and control desktop systems and their users effectively."

Is SAM sufficient?

This all means that whether you're a small business or a global enterprise, it pays to have an effective software asset management (SAM) policy in place. The question remains, however, will this be sufficient to protect the business from a security perspective if your employees introduce unauthorised software - knowingly or inadvertently - to their work PCs?

Over the last five years, companies have paid out around £1.8m in fines for using unlicensed software, according to the Business Software Alliance (BSA), the international watchdog group representing software manufacturers. In July this year alone, it announced over $2 million in settlements with 19 US companies. In addition to coughing up fines, these companies were forced to delete all unlicensed copies and strengthen their software management practices. What's more, in excess of £5.5m has been recovered thanks to the activities of the Federation Against Software Theft (FAST), proving that prosecution is not just a threat but a reality.

Infringement equals theft

As a result, the BSA has urged companies large and small to be aware of the importance of using only fully licensed software. Indeed, so determined is it to encourage company employees to report software piracy that it is now offering rewards of up to £100,000 to individuals with qualified information on infringements in their workplace. Jenny Blank, director of enforcement for the BSA, says: "Businesses should be certain that using fully licensed software is part of their corporate responsibility checklist."

To many senior managers, setting up a software policy takes lower priority than many other business issues. Yet without one your business may be exposed to a host of security threats. According to the BSA, nearly half of Manchester businesses, for instance, are managing their software assets purely by trusting their staff not to upload illegal software.

The BSA's 2005 survey of 200 Manchester-based companies revealed that whilst software is playing an increasingly central role in driving business productivity and performance, company directors surveyed confessed to not managing their software as a business asset due to lack of time, tools and processes – a situation that potentially exposes them to financial losses, legal action and data security risks. When asked why they weren't formally managing their software assets, the top three reasons were: losing track due to changes in IT processes, a lack of time and insufficient tools to help monitor their software assets.

Failure to act

The research found that 97% of Manchester businesses cite software as being either 'crucial' or 'important' to their business, yet 69% are not familiar with software asset management (SAM) and almost half (47%) have no rules for acceptable use of IT. Siobhan Carroll, Regional Manager Northern Europe at BSA, says: "In other words, Manchester companies are telling us software is crucial to their business, but they're not putting processes in place to manage it."

Jim Norton, Senior Policy Advisor at the Institute of Directors (IoD), concurs with Carroll's assessment of the situation. "It is an irony of modern business that directors pay more attention to the control of assets such as company cars than they do to the management of business critical investments such as IT," he says. "Even more ironic is the fact that many organisations spend more each year on software than they do on their car fleet," he adds.

While most IT Directors would claim to know exactly how many PCs they have on the network, according to the analyst group Gartner, the reality is that 70% of organisations have as much as a 30% discrepancy between expected and actual IT inventories. "Delve deeper into a company's IT inventory, specifically the software, and you'll undoubtedly find the gap is even bigger," says Matt Fisher, VP Marketing at IT asset management and discovery solutions provider Centennial Software. "Research we carried out recently showed that, while 61% of IT managers believed they knew exactly what software was installed on each PC across the enterprise, the same number had not conducted an IT audit in the last three months, if at all."

Explain the implications

Without doubt, the safest strategy is to make sure your employees don't install anything on their work computers. Besides the threat of unwittingly being party to software piracy and falling victim to viruses, allowing staff to install software willy-nilly will invariably lead to a support nightmare. So how then do you go about ensuring that your employees fully appreciate the security implications of introducing unauthorised software, how do you make this part of your SAM policy and how do you enforce it?

"We believe the only way to control your IT systems is firstly to ensure you have a full set of company policies and procedures regarding the use of computer equipment by employees," says John Lovelock, Director General at FAST. "These need to be endorsed by the board and CEO and the company handbook should make it clear that the organisation's policies are to be strictly adhered to at all times. In other words, everyone should know the instructions come from on high.

"A well-managed organisation will have a SAM programme and get its IT department to conduct audits on a regular basis. Such audits will tell them exactly what software and programmes are on each PC."

"The company's software policy should also dictate who may and may not download software or content onto the company's systems. Each employee should have specific instructions on how they can use the systems in accordance with their job role. It needs to be clearly stated what each individual may or may not do. When an employee starts with the organisation – even before they are allowed to turn on their PC – they should be inducted and spend several hours or days learning what their job function entails and what they are allowed and not allowed to do on the company equipment. After that, they must agree to abide by the company procedures and, where appropriate, you should get them to sign off that they understand, agree and will abide by the system rules while in the employ of the organisation."

Stone tablets not the answer

You would expect FAST's opinion to be draconian. The IoD's Jim Norton takes a slightly different view. "The company's senior management has to win the hearts and minds of its employees if its software policy is to be truly effective," he says. "They won't achieve that by simply laying down controls and rules. They have to get across to employees exactly why it's important – what they can and can't do and why.

"If the rules are handed down like tablets of stone by the IT department then they tend to be seen as a bit of a challenge," he remarks. "You have to put yourself in the shoes of the user and ask yourself 'if someone else promulgated this would I put up with it if I was simply trying to get my job done?' You have to build something that's user friendly and explain it fully to employees."

Policies mean protection

Lovelock claims director-level complacency is also playing its part. He says all too often company directors assume that software licensing is a matter for the IT department. "Directors who leave company software licensing to others will find that it is not only the employee who is culpable - they too can be jointly liable. The employer company is vicariously liable for acts or omissions by IT employees whether or not such act or omission was specifically authorised by the company. Directors become liable when they have induced or consented in the acts."

At the end of the day, Daryl Platt, Corporate Sales Director at dabs.com, a Bolton-based online electronics retailer, believes technology assets should be managed like any other business asset. "It's all too easy to take software for granted as it's less tangible than a company car or laptop, but if software fails it has a far greater impact on the business. Companies need to have policies in place on acceptable technology use to prevent staff from downloading illegal software, games and music on company networks."

Platt's thoughts are echoed by Mike Ashton, chief executive at ChamberLink, the information and resources arm of the Greater Manchester Chamber of Commerce, who says: "All companies - large and small - need to protect themselves from the data risks, potential security breaches and financial risk of using illegal software. We urge the 30,000 businesses we work with each year to take a measured approach to eradicating illegal software from their networks to help combat the software piracy problem."

Wake-up call

Regular audits, combined with centralised software purchasing, will help ensure that the IT department knows what is on the network and can spot when unauthorised or potentially dangerous software has been installed on a PC or server. An effective SAM strategy can also help organisations address the associated risks. By managing software assets effectively, organisations can ensure licence compliance and avoid copyright breaches, legal action and fines.
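The reconciliation such an audit performs can be shown concretely. The script below is an added example, not code from the article or from any of the organisations quoted in it: it takes a constructed discovery scan of what is actually installed on each PC, compares it with a constructed approved catalogue (the products purchased centrally and the number of licences held) and a constructed asset register (the PCs IT believes it has), and reports the three gaps a SAM audit exists to find: unauthorised installs, products deployed on more machines than there are licences, and the expected-versus-actual inventory discrepancy of the kind the Gartner figure above describes. All hostnames, product names and licence counts are invented for the example.

```python
"""Software asset audit reconciliation (added example, not from the article).

Compares a constructed audit of installed software against the approved,
centrally purchased catalogue and the asset register, and reports
unauthorised software, over-deployed licences and inventory discrepancies.
Every hostname, product name and licence count below is constructed.
"""

from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Install:
    host: str      # PC the software was found on
    product: str   # product name as reported by the discovery scan
    version: str   # version string as reported


# Constructed catalogue: approved products and licences bought centrally.
APPROVED_CATALOGUE = {
    "Office Suite": 4,
    "Antivirus Client": 5,
    "CAD Workstation": 1,
}

# Constructed asset register: hosts the IT department believes are on the network.
ASSET_REGISTER = {"pc-01", "pc-02", "pc-03", "pc-04", "pc-05"}

# Constructed scan output: what the discovery tool actually found.
AUDIT_INVENTORY = [
    Install("pc-01", "Office Suite", "11.0"),
    Install("pc-01", "Antivirus Client", "7.2"),
    Install("pc-02", "Office Suite", "11.0"),
    Install("pc-02", "Antivirus Client", "7.2"),
    Install("pc-02", "Peer-to-Peer Share", "2.1"),   # never approved by purchasing
    Install("pc-03", "Office Suite", "11.0"),
    Install("pc-03", "CAD Workstation", "5.0"),
    Install("pc-04", "Office Suite", "11.0"),
    Install("pc-04", "CAD Workstation", "5.0"),      # second copy, only one licence held
    Install("pc-06", "Office Suite", "11.0"),        # host unknown to the register
    Install("pc-06", "Game Launcher", "1.0"),        # never approved by purchasing
]


def reconcile(inventory, catalogue, asset_register):
    """Return a report of the gaps between purchases, the register and reality."""
    # 1. Unauthorised software: anything installed that purchasing never approved,
    #    keyed by product so the support desk can see how far it has spread.
    unauthorised = defaultdict(list)
    for item in inventory:
        if item.product not in catalogue:
            unauthorised[item.product].append(item.host)

    # 2. Licence position: installs per approved product versus licences held.
    installs = Counter(item.product for item in inventory if item.product in catalogue)
    over_deployed = {
        product: installs[product] - licences
        for product, licences in catalogue.items()
        if installs[product] > licences
    }

    # 3. Inventory discrepancy: hosts seen by the scan but absent from the register,
    #    and registered hosts the scan never reached (possibly off-network or disposed of).
    seen_hosts = {item.host for item in inventory}
    unregistered = sorted(seen_hosts - asset_register)
    missing = sorted(asset_register - seen_hosts)
    discrepancy_pct = round(100 * (len(unregistered) + len(missing)) / len(asset_register), 1)

    return {
        "unauthorised": {product: sorted(hosts) for product, hosts in unauthorised.items()},
        "over_deployed": over_deployed,
        "unregistered_hosts": unregistered,
        "missing_hosts": missing,
        "discrepancy_pct": discrepancy_pct,
    }


if __name__ == "__main__":
    report = reconcile(AUDIT_INVENTORY, APPROVED_CATALOGUE, ASSET_REGISTER)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed data the report flags two unapproved products, one extra copy each of the office suite and the CAD package, one PC the register does not know about and one registered PC the scan never saw, which is a 40% discrepancy between the expected and actual estate. In practice the inventory would come from the discovery tool's export and the catalogue from the purchasing system; the reconciliation logic is the same.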

"Regulatory compliance requires a broad range of security procedures, and security technology flexible enough to implement them," says FutureSoft's Wooles. "You need the capability to actively manage and control what applications are running, what unsecured peripheral devices are being installed, and what data is being accessed. UK IT Managers need to do this now, or face the consequences."

FAST's Lovelock concludes: "A clearly defined software policy will help protect you against possible legal transgressions, such as the wrongful use of software for which the penalties can include unlimited fines or even a prison sentence. Company directors need to wake up to their responsibility imminently before the business finds itself in court. It's only a matter of time."

Useful links:

The Business Software Alliance (BSA)

BSA Factsheet

The Federation Against Software Theft

The Software & Information Industry Association

Centennial Software

FutureSoft

Paul Curran

About the author
Paul Curran is a writer, journalist and commentator on business and technology issues. In a career spanning 25 years, he has acted as a senior media consultant to many pan-European, American and Asian companies in the UK and Europe.