Starting with the cornerstone of all good information security management, the information security policy, what’s changed?
Personal Device Usage in the Workplace
In the year 2000 a typical policy would warn employees against using the company's 128K Internet access for personal purposes, and against connecting their own devices to the network, a rule insisted upon by business management not on the basis of any rational risk or threat, but out of concern for staff productivity and the hogging of limited bandwidth. There wasn't the proliferation of personal devices we see today, although I recall there was the odd Palm Pilot around. In 2013 users are permitted to use the Internet for personal purposes, and in many UK businesses are actively encouraged to bring their own devices into the workplace. The cost-saving Bring Your Own Device (BYOD) culture has risen from nowhere in recent years and has taken a grip up and down the land, as businesses seek to cash in on the benefit of not having to provide expensive smartphones and laptops to their staff.
In 2000 the idea of encrypting a laptop's hard drive would have been considered a crazy notion from the realm of a James Bond plot. Laptops of the day tended to really struggle performance-wise, and even though laptop theft by shell-suit-clad spotty teenagers was just as common then as it is today, businesses were not overly concerned about the loss of data through laptop theft. The business was more concerned about the cost of replacing the laptop, while employees were only concerned about the cost of fixing their smashed car windows.
Back in the year 2000 the storage media everyone had floating around their desks was CD-Rs, and the idea of encrypting them was pretty much unheard of in most UK offices. Mainstream business got a wake-up call one day in 2007, when HMRC lost a couple of unencrypted CD-Rs holding millions of UK citizens' personal data. A huge media storm ensued highlighting the government's bad security practices, and to this day those HMRC CD-Rs have never been recovered. But the HMRC breach served to wise up many UK businesses to the huge potential reputational damage that losing those shiny circular discs could generate. MDs in boardrooms scoffed "look how stupid the government (HMRC) are", then asked their executives "we encrypt all our CDs, don't we?"
Automated Security Management
IT security controls have become easier to implement since 2000. Applying anti-virus updates and software patches is no longer a manual 'walking on eggshells' task; it can now be done with confidence, centrally managed and fully automated. It doesn't stop there either: system monitoring and alerting have improved in leaps and bounds, with security managers now having access to a NASA-style mission control suite of screens brimming with real-time stats and turnkey reporting metrics.
The Crown Jewels that didn't tour, now on tour
The security doctrine of 2000 was all about protecting the important data within the onsite network; a castle-and-moat approach to security was taken. Great care was taken with remote access, with securing perimeter firewalls, and with any connectivity to third parties with whom you dared to share your network and sensitive data. Those were the security battlefields, with firewall rule-sets and VPNs the weapons of the day.
One of the reasons marketing people use the word 'Cloud' so much is that it makes something that is in reality highly complex sound very simple to the service user. However, businesses need to take a good look under the bonnet of the simple 'cloud' front: properly assess and vet the security of third-party service providers, applications and infrastructure, ensuring those third parties are aligned with the business's risk appetite and have, at the very least, the same appropriate level of security controls as the business's own internal infrastructure and systems.
I think it is fair to say there hasn't been a vast improvement in staff security awareness since 2000. Of course we have seen some changes with the introduction of computer-based training courses and employees signing declaration forms, but nothing ground-breaking has really happened. Security awareness still tends to be a flash-in-the-pan campaign and a tick-box assurance exercise, and is often a poorly done afterthought rather than a sustained process. Yet to me it would appear we are coming full circle: we are placing security control and trust firmly back into the hands of employees, with personal cloud solutions and personal device usage making it easier than ever for employees and contractors to bypass the once-clever security controls that extended the castle moat out to the endpoint.
The Biggest Change in the Last Decade
Finally, and perhaps the biggest evolution over the years has been with the humble information security professional. Back in the day I remember it being a struggle to even be recognised as an information security professional in the UK, which is why this blog, which I started in 2007, is called "IT Security Expert" and not "Information Security Expert".