Background to network security

Background to network security


An effective security strategy will of necessity include highly technical features. However, security must begin with more mundane considerations which are often disregarded: for example, restricting physical access to buildings, rooms, computer workstations, and taking account of the ‘messy’ aspects of human behaviour, which may render any security measures ineffective. I shall remind you of these issues at appropriate points in the unit.

The need for security in communication networks is not new. In the late nineteenth century an American undertaker named Almon Strowger discovered that he was losing business to his rivals because telephone operators, responsible for the manual connection of call requests, were unfairly diverting calls from the newly bereaved to his competitors. Strowger developed switching systems that led to the introduction of the first automated telephone exchanges in 1897. This enabled users to make their own connections using rotary dialling to signal the required destination.

The importance of effective network security strategies

In more recent years, security needs have intensified. Data communications and e-commerce are reshaping business practices and introducing new threats to corporate activity. National defence is also vulnerable as national infrastructure systems, for example transport and energy distribution, could be the target of terrorists or, in times of war, enemy nation states.

On a less dramatic note, reasons why organisations need to devise effective network security strategies include the following:

  • Security breaches can be very expensive in terms of business disruption and the financial losses that may result.

  • Increasing volumes of sensitive information are transferred across the internet or intranets connected to it.

  • Networks that make use of internet links are becoming more popular because they are cheaper than dedicated leased lines. This, however, involves different users sharing internet links to transport their data.

  • Directors of business organisations are increasingly required to provide effective information security.

For an organisation to achieve the level of security that is appropriate and at a cost that is acceptable, it must carry out a detailed risk assessment to determine the nature and extent of existing and potential threats. Countermeasures to the perceived threats must balance the degree of security to be achieved with their acceptability to system users and the value of the data systems to be protected.

Activity 1

Think of an organisation you know and the sort of information it may hold for business purposes. What are the particular responsibilities involved in keeping that information confidential?

Box 1: Standards and legislation

There are many standards relating to how security systems should be implemented, particularly in data communication networks, but it is impractical to identify them all here. A visit to the British Standards Institution is a suitable point of reference.

ISO/IEC 17799 (2000) Information Technology – Code of Practice for Information Security Management sets out the management responsibility for developing an appropriate security policy and the regular auditing of systems. BS 7799–2 (2002) Information Security Management Systems – Specification with Guidance for Use gives a standard specification for building, operating, maintaining and improving an information security management system, and offers certification of organisations that conform. Directors of UK businesses should report their security strategy in annual reports to shareholders and the stock market; lack of a strategy or one that is ineffective is likely to reduce the business share value.

Organisations in the UK must conform to the Data Protection Act of 1998. This requires that information about people, whether it is stored in computer memory or in paper systems, is accurate and protected from misuse and also open to legitimate inspection.