
Business Issues

Security Failure
Understanding security risk and strategy in the Telecommunications, Media and Entertainment sectors

‘Security Failure’ may be defined differently from business to business, and person to person, depending upon specific viewpoints and experience. ‘Security’ in itself can also vary in scope and definition and might be considered very broad or very narrow. Generally, whatever the definition, any failure to consider, defend against or mitigate any attack or risk incident might be considered a security flaw irrespective of consequential loss. The stark reality is that security failure remains a very common occurrence in many businesses through the lack of a holistic perspective on security management.

Security might commonly be considered as being applicable to the following business areas:

Information – all types of information, but especially customer and market-sensitive business data that may appear in any form – electronic, printed etc.

Information Technology/Systems, Network and other Operational Technologies – commonly allied to Information Security as a means to process and store data, and critical to the operation of the business.

Physical infrastructure components – office buildings, network sites, data centres and other constructions or sites hosting the technologies and people within the business.

People – employees, customers and suppliers – surprisingly often not the first consideration in terms of risk or protection, but essential to protect operations and the good name of the business.

Suppliers and/or business partners – although some employ decent security policies and practices, these are often not reflected within the operations of key suppliers or partners.

Business Continuity Planning – incorporating mitigation, disaster recovery and incident management practices.

The issues

Good security protects assets, revenues, reputation and people and provides for a sustainable business. However, because of the difference of opinions and approaches to security, a fragmented security regime can easily develop, especially if security is not coordinated across business divisions or operations. An example may help illustrate this point:

A Communications Service Provider (CSP) operating across major cities in Europe was especially focussed on the corporate customer sector. Their security budget was allocated to each division head and there was no coordination across divisions. One city of operations was subject to periodic terrorist attacks, particularly bombing of key infrastructure components and business operations in order to affect the economy. To protect service to customers, the head of networks decided to encase a key switching centre in a robust metal ‘room’ within the building, effectively shielding the equipment from blasts. On the floor above in the same building was the billing system (and other important billing and operational support systems), but the head of IT decided that the security budget would be diverted to other projects.

In analysing the exposure based on a bomb targeting the communications facilities, the network would still be able to function (albeit probably with some damage repair) and services would be provided to customers after a very short downtime, if any. However, the billing system would probably be totally destroyed, and the recovery plan was based solely on the vendor re-installing a new system. Such a recovery plan would take between 4 and 6 months. Unfortunately, the network data could only be stored for up to 2 weeks, and so a significant revenue loss would be likely in the event of a targeted bombing.

Business Assurance | Revenue Assurance | Fraud Management | Receivables Management



This illustration of security risk is not as uncommon as one might think. And when you consider the principle illustrated here in other areas of security, the issues become even more significant.

Many issues arise from the poor operation of security controls that are put in place, i.e. the human factor. Any security defence is only as strong as the weakest link, and all too often that is our people! Security practices are often perceived as a hindrance, and so many will passively or deliberately not comply, without really seeing the bigger picture and the damage that can be done.

What are the common problems leading to security exposure?

Information Security is probably one of the most commonly addressed areas of risk, but in practice there tends to be much room for improvement in many organisations. Accentuated by the need to protect certain types of data through regulation, e.g. ‘personal data’ protection laws, the highly competitive nature of some markets, and the increasing dependence on IT systems for business operations, Information Security usually draws the most attention. However, in reality this responsibility tends to be focussed on IT teams, where IT is actually just one facet of Information Security – the basic issues are often not addressed and sensitive information may be exposed through other (non-technical) means. For example: the head of marketing who had the company’s new strategy document taken from his desk when the office was unlocked; or the early release of market-sensitive business performance data through a disgruntled employee who was able to lay hands on a print-out left on a photocopier; or the selling of VIP addresses and personal details obtained from forms or returned bills stored in non-secure facilities; or the non-secure disposal of waste paper providing a fraudster’s dream!

IT and Network Security has a strong element of Information Security embedded within, but more fundamental logical, physical and people security concerns should also be considered as part of an overall plan. Although certain systems may not host or process data that might be considered sensitive, security failure might still result in lost revenues or increased costs. For example, internal fraud is a very common problem and every CSP will suffer to an extent (in one operation in Asia, 11% of revenue was lost to internal fraud). Many such frauds are facilitated by poor security.

How do you know if you have a problem?

The range of security issues is broad, so the nature of the problems will reflect that. There will always be specific incidents that bring security failure to the attention of management; however, it is the security failure that remains undetected that causes the most concern. Apart from responding to incidents, the only real way to identify security risk is to be proactive and assess risk throughout the business.




Managing the problem

Security failure can arise from any aspect of the operations. Incidents might be man-made or natural in origin, and may result from deliberate and planned attack or opportunist activity. It is impossible to prevent all security failure, but focussing on the key risk mitigation, management and prevention (deterrence) for certain risks will help maintain a cost-effective and pragmatic security risk management approach.

Incorporating security as part of a Business Assurance strategy is essential. The cost of security will be outweighed many times by the cost of security failure, which may lead to business-critical exposure. However, to be effective, security must be coordinated across the business and sensible judgements made to balance risk and costs, customer experience and people protection.

[Figure: The Business Assurance Cycle may be applied to Security practice as with any other Business Assurance domain]

Any security policy should be augmented by guidelines on how to apply policy in practice – without this, application will be varied and often weak. These in turn should also be subject to awareness activity to maintain a focus on security throughout the operations and keep the people motivated to play a key role in good security practice.

Security risks will arise through partnering with suppliers or businesses – it is imperative to protect your interests through ensuring good security practices with partners.

ISO27001 (ISO/IEC 27001:2005) is an international security standard for an Information Security Management System (ISMS) that might be considered as a target for operations.

Contact Us to discuss building a security strategy or plan, or to discuss other areas of interest.
