Security audits

04.05.2006
Hong Kong seems to have a difficult time understanding the fundamental issues of security, but at least we are not alone. This was once attributed to the lack of a local military, but I am not so certain. Over the past few years I have had ample opportunity to observe many Hong Kong attitudes regarding security matters.

To put it politely, they are less than ideal.

Two years ago, I became friends with someone who specializes in something called 'deep security'. The nature of his work is clearly specialized and, naturally, rather secretive. I was able, however, to get a tiny glimpse of what he does, and it was fascinating.

One of the tasks of a 'deep security' expert is to perform a security audit of a computer system--both network and applications. This entails examining a firm's entire IT system for security holes. It is a difficult task for many reasons. Most IT people are not security experts, so when they put a system together they naturally concentrate on the job at hand: focusing on such issues as scalability, reliability, uptime and all those other things that fall within the umbrella of 'mission critical'. Security, if it comes into it at all, comes as an afterthought.

I am tempted to call this the 'Microsoft Security Syndrome' (MSS), for that has always been the approach of the world's largest software company: create a product and then (maybe) add on some kind of security afterwards.

For obvious reasons, I cannot sit in and watch a complete security audit, but I have been able to get an idea of how it works. My friend begins with a simple examination of the network. In every case (and it does not matter if it is a multi-billion-dollar global player or a small regional bank) whatever the IT people show him is wrong. This is not out of any desire to deceive but is due to the fact that IT systems grow and change. Documentation is not always up to date, department heads do not always follow 'security policy' (assuming there is one and, well, there usually is not) and sometimes a job has to be done quickly because security would just "get in the way."

If the IT boys and girls play nicely with others, then the structure of the network becomes visible to the auditor fairly quickly. Nevertheless, one must remember those immortal words of Ronald Reagan's speechwriter: "trust, but verify." After verification, it is common to find things that were overlooked. It doesn't matter why they were missed--what matters is that they are found.
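The "trust, but verify" step described above, as an added illustration that is not part of the original column: the documented network inventory is compared with what an authorised verification sweep actually observed, and every discrepancy becomes a finding for the auditor to chase. The hosts, addresses and ports are constructed for the example.

```python
# Added example: reconcile a documented network inventory against what a
# verification sweep actually observed. All data below is constructed for
# illustration; the addresses and services are not from any real network.
from typing import Dict, List, Set

# The picture handed over by the IT department (constructed): host -> documented TCP ports.
DOCUMENTED: Dict[str, Set[int]] = {
    "10.0.1.10": {22, 443},   # web front end
    "10.0.1.20": {1433},      # database server
    "10.0.1.30": {22},        # bastion host
    "10.0.1.40": {25},        # mail relay that is no longer on the network
}

# What the authorised sweep of the same range actually saw (constructed):
# host -> set of open TCP ports observed.
OBSERVED: Dict[str, Set[int]] = {
    "10.0.1.10": {22, 443, 8080},  # an admin port nobody documented
    "10.0.1.20": {1433, 3389},     # remote desktop exposed on the database server
    "10.0.1.30": {22},
    "10.0.1.55": {21, 80},         # a host missing from the documentation entirely
}

def reconcile(documented: Dict[str, Set[int]], observed: Dict[str, Set[int]]) -> dict:
    """Return the discrepancies an auditor would verify by hand."""
    findings = {
        "undocumented_hosts": sorted(set(observed) - set(documented)),
        "missing_hosts": sorted(set(documented) - set(observed)),
        "undocumented_services": [],   # (host, port) seen but not documented
        "documented_but_closed": [],   # (host, port) documented but not seen
    }
    for host in sorted(set(documented) & set(observed)):
        for port in sorted(observed[host] - documented[host]):
            findings["undocumented_services"].append((host, port))
        for port in sorted(documented[host] - observed[host]):
            findings["documented_but_closed"].append((host, port))
    return findings

def report(findings: dict) -> List[str]:
    """Render the findings as one line per discrepancy, for the audit report."""
    lines = [f"UNDOCUMENTED HOST      {h}" for h in findings["undocumented_hosts"]]
    lines += [f"DOCUMENTED BUT ABSENT  {h}" for h in findings["missing_hosts"]]
    lines += [f"UNDOCUMENTED SERVICE   {h}:{p}" for h, p in findings["undocumented_services"]]
    lines += [f"DOCUMENTED BUT CLOSED  {h}:{p}" for h, p in findings["documented_but_closed"]]
    return lines

if __name__ == "__main__":
    print("\n".join(report(reconcile(DOCUMENTED, OBSERVED))))
```

Each line of the report is a claim in the documentation that did not survive verification, which is exactly the list the auditor takes back to the IT department.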

The process continues for days until it is believed that every possible network security vulnerability has been found. It may or may not be the auditor's job to make recommendations, but that's another story. In his final report, he will (or should) shock the living daylights out of the corporate bosses.

This service is not cheap, but then, what's the alternative? Having seen a little bit of the process, my immediate reaction is: Why isn't every bank and financial institution hiring someone to do this kind of audit for them--something thorough and complete that will identify the weak links in an IT security chain? It is disturbing to think that institutions that have control over billions of dollars of our money (and pay their top executives a king's ransom) seem to have little interest in a comprehensive security audit.

A book could be written on the excuses people make for ignoring security, and if it were not so serious it would be hysterically funny. While people make noises about the latest virus attack, they pay no attention to any company's prime asset: its data.

As a financial center for the region, Hong Kong needs to be leading everyone else in IT security best practices. Those who are so keen to invest in new companies might want to think about how 'secure' that investment is.

Danyll Wills is an independent consultant and writer on technology. Contact him at dwills@netvigator.com