Strengthening national security – important insights from corporate ICT

What you need to know:

  • Whereas security does begin with the citizen, it ultimately ends up with the State.
  • Corporates should have personnel constantly capturing and reviewing computer logs to understand the nature and number of times hackers have attempted to break into their systems.
  • When the Twin Towers were attacked on September 11, 2001, close to 80 per cent of businesses were up and running 24 hours after the attack.

In the previous article we began the discussion on how we could improve the state of our national security by borrowing best practices from the ICT world.

The Security Governance Framework was introduced and some of its components (Security Structure, Roles and Responsibilities, Information Assets, and Risk Management) were discussed.

Today we conclude the national security discussion by looking at the remaining components of an IT Security Governance Framework: Security Policy and Procedures, Security Training and Awareness, Security Monitoring, and Business Continuity.

An IT Security Policy provides a broad statement of intent in terms of how the organisation plans to secure its corporate information systems and infrastructure. It defines the scope of coverage as well as the roles and responsibilities of the various actors expected to secure corporate data.

Security procedures break the policy statements down into implementable steps aimed at securing different aspects of the ICT domain. As such, most organisations would have defined password procedures, data backup procedures and internet access procedures, among others. Security procedures essentially aim to standardise security practices in order to produce uniform protective outcomes irrespective of the individuals executing the tasks.

At a national level, one would expect that we do indeed have a national security policy, and that it is not a top-level secret or confidential document. It should rather be a shared public document describing the expected security roles and responsibilities of the state, the legislature, the judiciary and the citizens.

In the absence of such a document, one encounters resistance from the citizenry when they are reminded, quite correctly, that security does indeed begin with them.

The national security policy would put this statement in context by showing that whereas security does begin with the citizen, it ultimately ends up with the State; each party simply has to shoulder its portion of the responsibilities.

Security Training and Awareness recognises that the human element is the weakest link in the security chain. It does not matter how expensive and sophisticated your security systems are if, for example, the secretary to the CEO can easily be socially engineered into sharing an email password.

TEACHING CHILDREN DRILLS

Installed countermeasures offer little protection once a password has been compromised, so employees must be continually trained and apprised of the old and emerging tricks used by hackers to gain access.

Furthermore, employees should be able to tell when they have been hacked, and should know what steps to follow to restore security.

Clearly, the Kenyan public has been neither trained nor apprised on what to do in the event of an attack. The recent stampede at the University of Nairobi campus at Kikuyu, where a student died following an explosion caused by an electrical fault, serves as a stark reminder of how we are all likely to react under similar circumstances.

In other terror-prone states such as Israel, all citizens, including primary school children, know the drills to execute depending on the nature of the threat, be it a warning, fire, bullets, bombs or otherwise. If casualties are to be minimised, the state must begin to invest in public training and awareness on security matters.

Security Monitoring means that corporates should have personnel constantly capturing and reviewing computer logs to understand the nature and number of times hackers have attempted to break into their systems. In some cases, vulnerable 'fake' or decoy servers (honeypots) are deliberately set up to attract hackers in order to study the origin, behaviour and focus of their attacks.
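The log review described above, as an added example that is not part of the original article: a Python script that parses SSH authentication log lines, counts failed logins per source address, and flags the two patterns a monitoring team most wants to know about, namely a burst of failures (password guessing) and a login that succeeds only after such a burst (a possible compromise). A user who mistypes a password once and then logs in normally is deliberately not flagged. The log lines, the thresholds and the assumed year are all constructed for illustration.

```python
"""Security monitoring example (added here, not from the original article):
count and classify break-in attempts from SSH authentication logs.

The log lines below are constructed sample data in OpenSSH/syslog format;
the thresholds are illustrative assumptions, not established standards.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: a password brute force that eventually succeeds
# (198.51.100.23), a legitimate user who mistypes once (203.0.113.7), and
# an attacker probing common service account names (192.0.2.99).
SAMPLE_LOG = """\
Apr  3 09:14:01 web01 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2
Apr  3 09:14:03 web01 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2
Apr  3 09:14:05 web01 sshd[2212]: Failed password for root from 198.51.100.23 port 41030 ssh2
Apr  3 09:14:07 web01 sshd[2214]: Failed password for root from 198.51.100.23 port 41034 ssh2
Apr  3 09:14:09 web01 sshd[2216]: Failed password for root from 198.51.100.23 port 41038 ssh2
Apr  3 09:14:11 web01 sshd[2218]: Accepted password for root from 198.51.100.23 port 41040 ssh2
Apr  3 09:20:44 web01 sshd[2301]: Failed password for jane from 203.0.113.7 port 50211 ssh2
Apr  3 09:21:02 web01 sshd[2303]: Accepted publickey for jane from 203.0.113.7 port 50215 ssh2
Apr  3 10:02:15 web01 sshd[2410]: Failed password for invalid user oracle from 192.0.2.99 port 33120 ssh2
Apr  3 10:02:16 web01 sshd[2412]: Failed password for invalid user postgres from 192.0.2.99 port 33124 ssh2
Apr  3 10:02:17 web01 sshd[2414]: Failed password for invalid user test from 192.0.2.99 port 33128 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:(?P<invalid>invalid user) )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_events(text, year=2024):
    """Turn raw sshd lines into event dicts; lines the regex does not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is assumed (the year parameter)
        stamp = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts,
            "result": m["result"],
            "method": m["method"],
            "invalid_user": m["invalid"] is not None,
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def _burst(times, threshold, window_seconds):
    """True if any `threshold` consecutive failures fall inside `window_seconds`."""
    times = sorted(times)
    for i in range(len(times) - threshold + 1):
        if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
            return True
    return False


def summarise(events, threshold=5, window_seconds=60):
    """Per-source summary: how many attempts, of what nature, and whether any succeeded."""
    per_ip = defaultdict(lambda: {
        "failed": 0, "invalid_user": 0, "usernames": set(),
        "failed_times": [], "success_after_failures": False,
    })
    for ev in sorted(events, key=lambda e: e["ts"]):
        rec = per_ip[ev["ip"]]
        if ev["result"] == "Failed":
            rec["failed"] += 1
            rec["failed_times"].append(ev["ts"])
            rec["usernames"].add(ev["user"])
            if ev["invalid_user"]:
                rec["invalid_user"] += 1
        # A login that succeeds only after `threshold` failures from the same
        # source is the case to escalate; a single mistyped password is not.
        elif rec["failed"] >= threshold:
            rec["success_after_failures"] = True

    report = {}
    for ip, rec in per_ip.items():
        report[ip] = {
            "failed": rec["failed"],
            "invalid_user": rec["invalid_user"],
            "usernames": sorted(rec["usernames"]),
            "brute_force": _burst(rec["failed_times"], threshold, window_seconds),
            "possible_compromise": rec["success_after_failures"],
        }
    return report


if __name__ == "__main__":
    for ip, rec in summarise(parse_events(SAMPLE_LOG)).items():
        print(ip, rec)
```

Run against the sample, the script reports 198.51.100.23 as both a brute force and a possible compromise (five failures in eight seconds, then an accepted password for root), 192.0.2.99 as probing three non-existent service accounts without tripping the burst threshold, and 203.0.113.7 as nothing worth raising. The same logic applies to a live `/var/log/auth.log` tail; the threshold and window are tuning parameters, not fixed values.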

INABILITY TO REBOOT

Whereas setting up vulnerable targets in the real world may be dangerous and unacceptable, the value of understanding the psychology of the attacker cannot be overemphasised. We could perhaps (if we are not already doing it) set up fake youth to be "radicalised" and eventually recruited into the terror cells, with a view to understanding what drives the mind of a suicide bomber.

Given that these terror cells have infiltrated our security agencies, nothing should stop us from infiltrating their domains if indeed we want to stay one step ahead of them.

Finally, Business Continuity entails defining the procedures to be followed to keep critical services running and to restore the rest in the event of a disaster.

When the Twin Towers were attacked on September 11, 2001, close to 80 per cent of businesses were up and running 24 hours after the attack. Closer to home, Co-op Bank, whose headquarters was next to the bombed US Embassy, was also up and running soon after being disrupted by the 1998 attack.

On a national level, Westgate remains closed two years later, while Baragoi, Mpeketoni, Kapedo and now Garissa University College are likely to remain locked down for some time, a clear testimony to our inability to reboot following a disaster.

Indeed, there are big lessons to learn from the corporate sector on how to deal with our national security and the government should not shy away from taking such lessons.

Mr Walubengo is a lecturer at the Multimedia University of Kenya, Faculty of Computing and IT. Twitter: @jwalu; email: [email protected]