As with many executives, security wasn't something Rev. Canon Derwyn Shea thought much about, until it was brought to the top of his mind in a most alarming way.
While at St. Hilda's, an Anglican church that also houses St. Hilda's Towers Retirement Residence, a young man had opened his laptop to check his messages and found that he had connected to St. Hilda's wireless network. This was a grave concern to the canon: the Towers has some 550 residents, many of whom receive special medical care, which means the not-for-profit organization holds a great deal of personal and medical information in its files.
Security "hadn't really come to the front of my consciousness until this young man came into my office and said, 'Well, you know what's happened, Canon?' And proceeded to tell me what he'd just gotten into. My hair kinda fell out, my teeth dropped out, and phone calls were being made within the minute," says Shea, who is both the CEO of St. Hilda's Towers and the rector of St. Hilda's Anglican Church.
This isn't unusual. While larger companies typically take a proactive approach to security, smaller organizations such as St. Hilda's all too often take a reactive one, says Steve Poelking, director of security and infrastructure management research for IDC Canada in Toronto.
"What we realize is that events trigger action," he says.
And Shea acted right away. He contacted Cyrca Solutions Ltd., a Toronto-based company that specializes in security, to assess St. Hilda’s IT infrastructure and fix any flaws it found.
The first step, says Hari Venkatacharya, the president and CEO of Cyrca, was to do a thorough audit of St. Hilda's existing policies and procedures. Making sure comprehensive policies and procedures are in place, and that they are being adhered to, is the key to securing an IT infrastructure, he says.
"We're finding that any solution, any client engagement we have is about 80 per cent policy-procedure, 20 per cent technology," Venkatacharya says. "It's not about plugging in more boxes."
It was with policies and procedures that St. Hilda’s needed help more than with the technology, according to Venkatacharya. He was not able to go into details about the cause of the breach.
Organizations such as St. Hilda's, which doesn't have a dedicated tech person on staff, find it difficult to keep abreast of constantly changing and ever-increasing regulations, he says. "There are so many regulations out there now, especially today compared to 18 months ago. It really is a whirlwind for most organizations to interpret those regulations."
And once the policies are in place, staff must be educated on how to understand and follow them. For this to succeed, senior management buy-in is key, Venkatacharya says.
"Some people don't understand the human factor involved in implementing such policies. But by having senior management on board and being very co-operative, people realize they are individually accountable to senior management."
Companies must also put policies in place for everything from what to do when an employee leaves to how to handle mobile devices, he says.
When employees leave an organization, it's imperative their e-mail is cut off the moment they leave. It's not OK to put it off for a few hours. Ex-employees can potentially download many confidential e-mails from home in a matter of hours, Venkatacharya says.
It’s also important to keep things simple, he says. If the procedures you put in place are too complex, people won’t follow them. Public key infrastructure (PKI) is a good example of this, he says. Very few people use PKI systems because they are too cumbersome to implement. Instead, Cyrca uses S/MIME (Secure/Multipurpose Internet Mail Extensions) protocols to encrypt and exchange e-mail messages with its external partners. This is much easier to implement, but just as secure, he says.
Organizations must also create policies around the use of mobile devices. Information on mobile devices must be encrypted. And as it is easy to carry sensitive information out on mobile devices, companies also have to consider policing the types of devices employees are allowed to bring to the office.
Now that Cyrca has assessed St. Hilda's security, Shea plans to do regular checkups. Cyrca also reconfigured St. Hilda's wireless network so that it no longer advertises its presence to outsiders.
"They have given us a fairly decent defensive posture. Nothing is foolproof, but we have at least done more than our due diligence," says Shea.