Axon helps to keep lid on information

By ADAM GIFFORD

IT services firm Axon has created an enterprise security division to help companies cope with the technical and organisational steps needed to ensure corporate information is secure.

Manager Kirsty Shore said more than half of New Zealand companies and organisations were likely to have inadequate information security and would be, or had been, affected by hackers or information thieves.

Local companies lagged behind their international counterparts.

"It's not enough to have a firewall on your network and standard password encryption. New Zealand companies are still just focusing on the technology, rather than the people and business processes that support and use the technology. You need both."

Ms Shore has spent the past two years as information security group programme manager for British company Energis Communications. At Energis she overhauled information security to meet the BS7799 standard now approved by the ISO.

"That's what the New Zealand AS/NZS 7799 information security standard is modelled on," Ms Shore said.

The cost to organisations of information security breaches can be enormous. "One company I worked for spent £1 million paying out to customers after a breach," she said.

A British Department of Trade and Industry survey last year found 60 per cent of British companies experienced breaches of information security over the previous two years.

Some 13 per cent said the breach was caused by equipment failure, and 6 per cent cited software error; 6 per cent blamed incompetent staff and 5 per cent were compromised by contractors and others working on-site.

Some 11 per cent of companies thought the serious breach was caused by deliberate malicious action - 2 per cent of this by employees.

"Some hackers are doing it for possible financial gain where they will look for credit card numbers, some are doing it for political gain by defacing web sites," Ms Shore said.

"In some cases people are looking for corporate information they can use for blackmail ... "

Whatever the reason, she said, once data were compromised and news got out, customer confidence suffered.

She said that if companies did not have the right tools in place, they would not know what data were gone or compromised, and might have to engage in time-consuming, expensive data cleansing.

Much of the work of the enterprise security group will be strategic, doing gap analysis and risk assessment, helping companies to assess the value of their information and deciding what controls need to be put in place.

"If you don't understand the value, you can't look at appropriate controls. There may be some information you don't mind if people get hold of, other critical stuff can just be protected behind a firewall, and there may be other material needing encryption."

Axon chief executive Matt Kenealy said the enterprise security group, which included 12 specialists in Auckland and Wellington, would support existing Axon customers as well as offering a standalone information security service.

"Information security is not just about security of IT systems, but must extend into every facet of the business which handles or contains confidential business information," he said.