Protecting the enterprise

Five years ago, when Martin Roberts first took charge of security at BT, he quickly got to know just how extreme the threats to the company could be. In the early hours of one Saturday morning, a month into the job, he received a call informing him that a gang of 12 people had forced their way into BT's computer centre in Salisbury, and had taken a security guard and the three operations staff hostage. Having bound the hostages, the gang demanded that the building was emptied so they could then make off with the IT equipment.

The cost was high, says Roberts. "The building was shut down for four hours. We lost several million pounds in products and in the services that the centre should have provided the next day." It was quite a wake up call, he recounts: "We had all the security systems there, but the people involved hadn't set the alarms." It seems they used to leave the alarm unset so they could take a pizza delivery around midnight and have occasional smoke breaks through an unlocked fire exit.

Such levels of drama are rare, says Roberts, but they have forced a realisation at BT that the company needed to take a much more holistic, tightly governed and watertight approach to security – at both the physical and digital levels.

Certainly, the scale of that task is daunting. Aside from a primary responsibility for protecting BT's 100,000 employees and 100,000 contractor staff around the world at 9,000 locations, Roberts manages the security for BT's assets – its data centres and switches, a network supporting over 200,000 devices, 75,000 laptops and, critically, the company's intranet.

"The intranet has become our bread and butter. We now do most of our business by email, very little by telephone. And of course telephone is going to become a free service, anyway, with IP telephony," says Roberts. "So the intranet has to be accessible 24 hours a day, seven days a week to people wherever they are – especially as 15% of our company is now made up of home workers."

Sheepdip test

The security issues that can undermine that structure are as numerous and potentially damaging. However, through strict policy enforcement, some of the threats, such as viruses, have been able to be contained.

"We used to have a enormous problem with viruses, but that has largely gone away since we brought in a much better asset management system. We think we probably know where 99.9% of our [IT] assets are at any one time. We also ensure that contractors don't bring in their own devices. They either have to use our devices or theirs have to go and throw a ‘sheepdip' to bring them in. By knowing the status of each asset we can therefore apply all the appropriate patches. Our network is pretty well patched."

To demonstrate its seriousness about the ban on outside devices connecting to the network, BT has sacked individuals who have tried to get round it.

The last major virus attack that hit BT was over a year ago. It started in Germany after a contractor, unaware of the company's rules, attached an infected device to the network. However, even as the virus started to spread and take down the network, administrators at BT's control centre in Sheffield were able to exploit the network's partitioned structure to close down only the infected segment.


Security and the CIO

Security and IT have been kept at a distance from each other within BT. Group security director Martin Roberts works alongside the CIO, but they report to separate board members.

"That, from our point of view, is very important. He watches me; I watch him – in a nice way. He has the budget and in charge of operations, and it's his job to run [security] and to do it day to day," says Roberts. It is Roberts' job to set the policy overall.

"If he has a problem, I don't sweep it under the carpet. And I will make a point of reporting it very openly and very freely."

Roberts writes a weekly report to the CEO and chairman on security incidents – warts and all. "Everyone knows that report goes in and they don't want to be on it," he says.

Roberts also liaises with the head of audit, the head of legal counsel and head of risk. "Risk is very important, because they own the insurance policy. If we can tell a good story [to insurers] we can reduce the premium."

"So there is really a financial benefit if you have a [solid security] story to tell," he says.



However while viruses may have become less of an issue, the security issues surrounding laptops still present major headaches. "Laptop theft is a big issue," says Roberts. Although the industry average loss rate is about 3% year, BT's is running at about 1%. "Seven hundred a year is still is a hell of a lot," says Roberts.

Every BT engineer is issued with a laptop, and most thefts are from BT vans. But BT employees often report their laptop stolen "from the boot of the car when they go to the supermarket," says Roberts sceptically, intrigued to know how the thieves know which cars to target – unless, of course, the laptop was actually on the backseat rather than in the boot. The other classic place for laptop theft is, of course, the pub.

For employees, there is a penalty to pay. "We do actually punish people. We make people pay for losing laptops now," says Roberts – although the exposure of the data on the device is increasingly less of a worry. The majority of hard disks are now encrypted, he says, and BT is trying to mandate that for every single device.

With laptops and all of its devices, BT also uses electronic tagging and ‘smart water', the invisible DNA-like identifier that is painted on the device and can be read by police or second hand goods retailers. "That is proving quite useful," says Roberts. "We are getting quite a lot of devices returned to us."

Device tracking is going to prove even more essential as BT rolls out its 21st Century Network, the recently announced refresh of its core infrastructure. "We are going have circuit boards that are worth £250,000 a time, so smart water and tagging are going to play a big role there."

Criminal watch

But BT does not always have direct control over the people and assets. "Outsourcing is a challenge for all of us. We are outsourcing to India, and [finding] there are challenges there of things like dishonesty creeping into call centres." BT already bans mobile phones and personal digital assistants to prevent employees using the devices to capture customer data as it appears on screen and selling that to fraudsters.

"The challenge is to make sure that people are put through a vetting process before they join the company," says Roberts. Since October last year any new employee to BT has to produce evidence of their criminal record – or lack of one – a procedure that cost the individual £13. "We are putting that into the contracts for all of our suppliers too," says Roberts.

Dealing with security at an individual level is vital, says Roberts. Until four years ago, BT turned a blind eye to Internet abuse and got caught out, he says. "One individual was part of a paedophile ring and he and three others were arrested." Since then, BT has monitored activity closely. "We have caught over 1,000 people, and 400 have since left the company."

At the same time, the reporting of incidents by individuals is one of the primary means for establishing much of the security problem – and the budget. "We do report the cost of every failure and every bit of down time. That is terribly important, because if you know what you are losing, you can then put a price on that and get the accountants and line management interested. And then you can get investment when it's appropriate."

BT has a 24 x 7 security helpdesk for reporting incidents as well as an online and email reporting service. "No one can get a new laptop, or anything repaired unless they get a BT crime reference number. Two years ago we had 21,000 incidents reported; that is down to 13,000 this year. So we are actually bringing down the cost of loss within the company."

Within IT, that is mandated. "Everyone in the IT community has to report, even if they have done something wrong – whether it is a security failure, an operational failure or a hardware failure. These mustn't be pushed under the carpet," says Roberts.

Every incident is priced – the loss of a laptop, the cost of cleaning up a virus and so on – and these are tallied and the cost for different categories reported to the board. "With those clear metrics we can make our investment cases," he says.

Reporting incidents between companies is also key, says Roberts. BT is a member of a security forum through which various organisations exchange insider information on emerging security issues. And that can sometimes close the loop.

Two years after its Salisbury computer centre had been raided, BT cooperated with another target of the same criminal operation, leading to the gang's arrest and sentencing to a combined 34 years in prison.

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics