Complex IT security policies lead to greater internal risk: Telstra

Frustrated staff will interpret policies their own way warns Scott McIntyre

Companies have more to fear when it comes to security within their own four walls than from outside, because of complex security policies and an experience generation gap, believes one industry expert.

Telstra security operations senior technology architecture specialist, Scott McIntyre, told Computerworld Australia that a big problem for organisations is that IT security policies address the minutiae rather than the wider picture, and staff are left confused about what they can do on the network.

"If the policy says ‘you must not do this or use that port’ it creates a culture of frustration," McIntyre said. "Most people want to do the right thing, but if you make it too complicated for them to know what the right thing is, that’s where the, shall we say, more ‘creative’ interpretations of policy start happening."

For example, he said staff may say ‘fine, I’m going to do it my way’ and start accessing information they are not meant to access.

"That's where the risk and overexposure comes into a company, so they need to kill the silo mentality," McIntyre said.

According to McIntyre, this mentality occurs because organisations are structured in a very vertical orientation but security is a horizontal issue.

"It’s something that needs to address all of the aspects of the company," he said. "It’s a new way of thinking, because you don't just turn on security; it goes into understanding information as an asset. You don’t want people to walk off with a computer, but the data itself, and the access that is allowed to it, is what people need to understand."

He adds that if people keep these concepts in mind, then as they open their networks to social media or to using the Internet in general, data loss prevention can come more into focus.

"Companies can say ‘I have secured access to this information, and it is stored in an encrypted format’. They also know when, why and by whom that data is being accessed."

Turning to what he calls the IT security generation gap, McIntyre was quick to point out that this was one of experience, not age.

"Some policy makers take the deny-all-access approach and that needs to be revisited," he said. "Have you, as an IT security manager, realised that there is a benefit for your organisation in using technologies such as social networking to engage with customers? They can be managed securely without people posting everything online."

McIntyre also said companies could avoid security headaches by not deploying what he called "archaeology ware" or old software.

"Companies are not using the most up-to-date software that they should be using internally, and they don’t necessarily have a good patching program in place. They don’t have an incident response team or that view to security or data integrity."

He also took issue with managers who see IT security as another cost centre. Rather than taking the "do more with less" approach, McIntyre warned that now is not the time to skimp on costs.

"More organisations have to wake up, plan accordingly and find space in the budget," he said. "That’s what it is to be a good IT corporate citizen these days; you have to care about the data you have within your organisation."

On another note, McIntyre, who is a self-confessed Apple fan, said tablets such as the iPad 2 needed to be allowed for in policies.

"I have been poking at my new iPad 2. I’m not an Apple security expert, but I take my own computer security extremely seriously with malware and firewalls."

He isn't the only one to have taken a crack at the iPad 2: US iOS hacker George Hotz recently jailbroke the iPad 2 after accepting a challenge from another hacker, Joshua Hill.

McIntyre is scheduled to present at the upcoming security conference AusCERT in May.

IDG Communications is an official media partner for AusCERT 2011.
