According to a new survey by West Coast Publishing, many companies
underestimate the challenges involved in securing e-business
The problem

If the collective harping of the world's media is correct, the Internet and, more specifically, e-business is the way of the future. Soon we will all be shopping online and using technology to make every part of our lives easier and more enjoyable. We have come a long way from the 1950s and the growth of domestic appliances, to the 1980s when PCs became more widespread, and now to the 1990s and the new millennium, where we stare at the entire world through our TV and monitor screens and use email.

Information has become the currency of the future. Whether it is marketing information about our buying habits, personal and business, or information about the price of soap, it is an asset that we must protect. Companies that trade online already face a lack of loyalty amongst their surfing audiences. They are charged with the additional role of protecting their customers' data from prying eyes in order to keep their customers' confidence.

According to a recent West Coast survey, a third of organisations know that their security systems aren't up to scratch. Consider what this statistic means: a third of organisations realise they are at risk and know they aren't doing enough about it. The figure doesn't even hint at the companies that haven't yet realised there could be a problem.

The study also found that one in three staff received no training of any sort on security. Most training that is carried out is done as part of the induction process for new staff (and may, given the stresses of settling in, be forgotten within days). This lapse in information and control leaves these businesses open to attack. It seems we are not ready for the e-business revolution happening across the world. There is no excuse for this: there are numerous products on the market, and plenty of information, to help us protect our most valuable asset, data. However, few companies fully appreciate the risks that affect their business.

Given the moves that have been made to classify levels of protection, from the government's initiatives to increase information security to the BSI's information security standard BS7799, which is awarded to companies that meet certain security criteria, it is hard to understand why security is being given such a low priority. West Coast Labs, an independent certification body, has recently introduced a Checkmark Level II standard for anti-virus. It is awarded to anti-virus products that disinfect programs, disks and documents infected by the "in the wild" viruses on the most recent monthly list. The reason this was needed, according to Paul Robinson, director at West Coast Labs, is that: "We have witnessed a rise in virus activity this year, and, most notably, in this increasingly connected world, a great increase in the speed at which these viruses can spread the globe. Melissa was reported in the US, Europe and Asia within 24 hours. Anti-virus solutions must be able to respond with a comparable level of swiftness if they are to provide adequate protection. This new tougher standard demands that anti-virus products deliver a level of protection appropriate to their users' experience in the real world."
The present situation

To tackle security threats, most businesses have anti-virus software and around three quarters have some form of access control software (software that protects against illegitimate access to their systems). However, under two thirds of companies have a firewall in place and only two in five employ encryption software. IT buyers appear to be concentrating on anti-virus solutions more than on any other security measure. This is perhaps because of the continued high public awareness of virus threats and their very real effects within the UK. Melissa and the ExploreZip worm very effectively proved the point that a business without effective protection against viruses was a business that could be instantly floored by an attack.

Melissa slowed down businesses across the world by putting tremendous demand on mail servers (each infected machine mailed a copy of the infected document to the first 50 addresses in each of its Outlook address books), and demonstrated a point that shouldn't be forgotten: viruses spread faster than humans notice them. By the time you've noticed something odd occurring, you're already infected, and without quality, up-to-date anti-virus protection it could happen to you.

Spending on security is small compared to spending on other business requirements. Yet it is necessary when you consider the high cost of a virus-related incident and the subsequent breakdown in productivity and access. Both physical and data security matter to the IT world. It is necessary to protect your PCs not only from physical damage but from data loss and the theft of confidential information, which can have a value far in excess of the cost of replacing a hundred or even a thousand workstations.

From the survey results, it appears that while internal and external hacking has declined as a perceived risk factor, what is taking up the IT manager's time is email-related problems. 35 per cent of companies said they had experienced email-related security breaches, and since a disgruntled employee can instantly send confidential information to competitors or into the public domain, or email a virus around the company and on to customers, email must be viewed as a major threat. It is, however, difficult to discern the extent of damage caused by external hackers, because if they do not damage data the harm can be hard to quantify: a copied file looks unchanged. Another area of abuse that is rarely recognised is the denial of service attack, intended not to steal information but purely to disable systems for long periods of time. Such attacks, whether mail bombs aimed at your mail server or floods of requests aimed at your website, can bring your systems to a grinding halt.
Mind the (reality) gap

There is a disparity between the risks IT managers believe they are exposed to and the risks that actually materialise. IT managers appear to rate theft and disaster recovery as more likely to affect them than email and Internet-related security breaches. However, the opposite is true. A third of IT managers have suffered at the hands of emailed jokes or hoaxes. These tie up network availability and may engender fear of further attack among users. If you combine all email-related problems (virus attacks, and pranks and jokes sent by email), you see that email is responsible for a large percentage of attacks on corporate networks. Virus hoaxes in particular are a very real danger to companies, which suffer a loss of management's trust in their security systems. These fears may or may not be justified, but simply because staff fear they may be the next target, productivity may be affected across the whole company.

There is a clear belief amongst most companies that most security risks come into the company from outside. Judged by the comparative costs to business of internal and external attacks, coupled with the many opportunities a maliciously motivated employee has to cause damage, this is clearly a fallacy. One disgruntled employee with a fair level of computer knowledge could commit industrial espionage or simply attempt to damage the network or the data travelling on it. Information only retains its value if it is controlled, and for most businesses that don't run security suites that scan all incoming and outgoing email (such as Mimesweeper), it is likely that control will be compromised.
If attack occurs

If a virus or a hacker got into your systems at 2 am tomorrow, how soon could you recover? This is the question that every company must ask its IT manager. The traditional disaster plans for fire, flood and power loss, while still needed, have been overshadowed by the need to keep working even when problems occur. Today's IT manager must be ready for the worst to happen and have plans in case it does. If your web server blows up, do you have a backup, and have you ever tested restoring from it? Do you have a UPS in case of a power fault? These questions affect not only your company but the companies that rely on your staff. According to the Business Continuity Institute, 80 per cent of companies that suffer a major disaster go bust within 13 months. Whether or not you consider a virus infection, a hacker stealing data or a server crash to be a major disaster depends on how you handle the crisis. If you have no protection and you lose all your data, that is a major disaster. If your business can't get back online (or at least working at a reasonable rate) in time to fulfil its obligations, you have little chance of recovery. Your customers are unlikely to accept the excuse that you didn't think anything would happen to you as a reason their order hasn't been met or service has ceased.
Conclusion

Nearly all organisations are expanding their information systems into critical parts of their business. One of the most obvious benefits of this is the ability to communicate over local area networks or via the Internet. The growth of email has been swift, and it is almost universally the communication medium of choice for businesses. However, there is now a chasm between the power given to every employee to communicate and the control administrators have over content and activity. The widespread access to data common in business today creates challenges for IT staff. They can use products like the ISS Security Suite to scan their databases and systems for potential problems, and attempt to put a comprehensive security policy in place. They can also scan mail with products like MAILsweeper for confidentiality breaches or proscribed (forbidden) content. These solutions are only as good as the staff administering them, who must understand the risks in order to protect against them.

Overworked IT managers cannot take in all the information they need to keep their systems safe, and the Y2K problem has taken its toll in this respect. In concentrating on ridding networks of the Millennium bug, there has been little time or budget to spend on security. One good thing to come out of tackling Y2K has been the development of business continuity management and planning. IT managers can now identify not only what can go wrong but what they can do if the worst does happen. They can budget accordingly, and if afforded sufficient funds there is no reason why, by using an integrated suite of protection software, the average business can't be (almost) completely safe from attack.
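The email controls this article keeps returning to (scanning outgoing mail for confidential content before it reaches a competitor, blocking the directly executable attachments that ExploreZip relied on, and noticing a Melissa-style flood of identical messages from one sender before a human does) can be sketched as a small mail-gateway policy. The Python below is an added example, not code from this article nor from MAILsweeper, Mimesweeper or any other product it names; the company domain example.co.uk, the extension list, the confidential-marker words, the burst thresholds and all four sample messages are constructed assumptions.

```python
"""Outbound mail gateway policy checks (added example; every name and threshold is an assumption)."""
import os
import re
from collections import defaultdict, deque
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

INTERNAL_DOMAIN = "example.co.uk"                                    # assumed company domain
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".vbs", ".bat", ".com"}  # runs when double-clicked
CONFIDENTIAL_RE = re.compile(r"\b(confidential|internal only|not for distribution)\b", re.I)
BURST_THRESHOLD = 10          # identical messages from one sender inside the window
BURST_WINDOW_SECONDS = 300


def external_recipients(msg):
    """Addresses in To/Cc/Bcc that are outside the company's own domain."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(headers)
            if not addr.lower().endswith("@" + INTERNAL_DOMAIN)]


def risky_attachments(msg):
    """Names of attachments whose final extension is directly executable."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in RISKY_EXTENSIONS:  # catches report.txt.exe too
            names.append(name)
    return names


def body_text(msg):
    """Plain-text body, or empty string if there is none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


class MassMailDetector:
    """Flags a sender emitting many messages with the same subject in a short window.
    From the mail server's side this is what a Melissa-style outbreak looks like."""

    def __init__(self, threshold=BURST_THRESHOLD, window=BURST_WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self._seen = defaultdict(deque)          # (sender, subject) -> recent timestamps

    def observe(self, sender, subject, ts):
        key = (sender.lower(), subject.strip().lower())
        times = self._seen[key]
        times.append(ts)
        while times and ts - times[0] > self.window:  # drop timestamps outside the window
            times.popleft()
        return len(times) >= self.threshold


def check_message(msg, detector, ts):
    """Return the list of policy reasons to hold this message (empty list means pass)."""
    reasons = []
    sender = parseaddr(msg.get("From", ""))[1]
    for name in risky_attachments(msg):
        reasons.append(f"executable attachment {name!r}")
    outside = external_recipients(msg)
    if outside and CONFIDENTIAL_RE.search(body_text(msg)):
        reasons.append(f"confidential marker in mail to external recipients {outside}")
    if detector.observe(sender, msg.get("Subject", ""), ts):
        reasons.append(f"mass-mailing burst from {sender}")
    return reasons


def make_message(sender, to, subject, body, attachment=None):
    """Build a constructed test message; attachment is an optional (filename, bytes) pair."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(attachment[1], maintype="application",
                           subtype="octet-stream", filename=attachment[0])
    return msg


def run_demo():
    """Run the checks over four constructed scenarios; returns the reasons per scenario."""
    detector = MassMailDetector()
    results = {}
    clean = make_message("alice@example.co.uk", "bob@example.co.uk", "Lunch", "Canteen at one?")
    results["clean"] = check_message(clean, detector, ts=0)

    worm = make_message("carol@example.co.uk", "dave@example.co.uk", "I have a file for you",
                        "Check this out", ("zipped_files.exe", b"MZ..."))  # ExploreZip-style lure
    results["worm"] = check_message(worm, detector, ts=1)

    leak = make_message("erin@example.co.uk", "partner@rival.example", "Pricing",
                        "CONFIDENTIAL: Q3 soap price list attached.")
    results["leak"] = check_message(leak, detector, ts=2)

    # Melissa-style: one sender, one subject, a flood of copies within a few seconds.
    for i in range(BURST_THRESHOLD):
        flood = make_message("mallory@example.co.uk", f"user{i}@example.co.uk",
                             "Important Message From mallory", "Here is that document",
                             ("list.doc", b"macro-laden"))
        results["burst"] = check_message(flood, detector, ts=100 + i)
    return results


if __name__ == "__main__":
    for name, reasons in run_demo().items():
        print(name, "->", reasons or "pass")
```

The burst detector is the part worth dwelling on: the worm's attachment in the demo is a .doc, which the extension list does not block, so the only signal is the sender's behaviour. Keying on (sender, subject) rather than on sender alone keeps a busy sales desk from tripping the rule, and the window is what lets the check react in seconds rather than after the help desk starts getting calls.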
Rachel Hodgkins