IT security, once a problem delegated to programmers and technical
specialists, is now a critical business issue for chief executives.
Bill Goodwin reports.
Over the past year, computer security has become a top priority,
not only for IT and e-commerce directors, but for many chief
executives.
Highly publicised blunders have helped to transform IT security
from a problem for programmers and technical specialists into a
critical business issue.
Each year, Web site security breaches cost companies more than
$15bn (£10bn) in repair costs and lost revenue, according to market
analyst Datamonitor. But the costs to a firm's reputation can be
far greater.
When customers lose confidence in a Web site, it is not only the
site that suffers but the whole organisation.
Microsoft, NASA and the Israeli government hit the headlines
after their sites were attacked by hackers. But many more incidents
go unreported. One hacker's Web site alone recorded more than 100
successful hacks within the first four days of 2001.
Companies often assume that a firewall will be sufficient to
protect their systems from malicious hacking. But programming
errors in the operating systems and software applications hidden
behind the firewall can leave Web servers wide open to attack and
confidential data open to public viewing.
The number of new programming vulnerabilities reported each
month has risen from about 40 to 100 over the past 12 months. They
are well documented on the Internet and provide hackers with a
ready-made catalogue of tools to attack Web systems.
IT departments can minimise the risks by ensuring they install
the most up-to-date service packs and fixes issued by suppliers.
But this is far from fool-proof. Service packs may fix old
vulnerabilities but they are notorious for introducing new errors
that leave systems exposed.
For thousands of examples of Web sites hacked in the year 2000,
visit: www.attrition.org
Security healthcheck
To give companies a helping hand, Computer Weekly has
teamed up with consultancy Internet Security Systems to offer
readers £10,000 worth of security advice. The Computer
Weekly Security Healthcheck will provide two free security
audits of their Web sites plus help and advice to make sites more
secure. Computer Weekly will report on the results of the
work, setting a best practice benchmark that other IT departments
can follow.
Breaches that hit the headlines in 2000
January
- The World Intellectual Property Organisation was forced to close
its Web site after hackers replaced its pages with the lyrics of a
Bruce Springsteen song.
February
- Reed Executive reviewed security on its Web site, after
Computer Weekly revealed that customers' CVs could be
accessed without a password.
May
- Computer services group Bull blamed human error for a security
flaw that left details about its customers' contracts, including
the French and Russian Police and Barclays Bank, exposed on the
Web.
June
- Hacker placed an offensive message on the Visa.com Web
site.
July
- Seven thousand people were advised to cancel their credit card
accounts after it emerged that confidential details were freely
accessible on the Powergen Web site.
- Confidence in Barclays' online banking site was dealt a blow
when customers found they could look at other people's financial
details.
August
- An organised crime gang attempted fraudulently to gain hundreds
of thousands of pounds from the Egg online bank.
- Names and work addresses of customers registered on the BT.com
Web site were left exposed by a password error.
- Woolworths shut down its Web site after customers found they
could read each other's credit card and telephone
numbers.
September
- Web hosting company Netcetera was forced to repair a server
after Computer Weekly reported a security error that allowed
corporate customers to view each other's confidential files,
including customer credit card details.
- Online auction broker E-Trade fixed a security glitch that
allowed users to recover names and passwords of other
customers.
- Western Union blamed human error after a hacker copied debit
information about 15,700 customers.
October
- A glitch on the Buy.com retail site exposed names, addresses
and telephone numbers of customers.
- The MBA International business school Web site was attacked by
pro-Palestinian hackers.
November
- A well known American credit card company threatened to sue a
UK university student after he discovered and informed customers of
a major security flaw on its Web site. The company, which had
failed to fix the site despite warnings from the student, backed
down after a report in Computer Weekly.
- Hackers gained entry to Microsoft servers. They viewed, and
possibly copied, Microsoft source code, believed to be of a
forthcoming product release.
- Arab Internet users gained control of several Israeli
government Web sites. Companies with business links with Israel,
including Lucent, were also attacked.
December
- Hacker claimed a successful attack against the British
Technology Group, replacing the Web site with the message,
"Pathetic security like this makes me sick".
How UK.com is coping with Internet attacks
Public sector
Andrew Pinder, the acting e-envoy, told Computer Weekly,
"It is vitally important that citizens and businesses trust the
security of their electronic interactions with government.
"The Office of the E-envoy is working closely with central and
local government, regional authorities, the devolved
administrations and particularly with industry, to develop the
policies and mechanisms to ensure this trust is established and
maintained.
"The pace of technical developments and the increasing threat to
business critical systems make this a challenging and continuing
task. But it is one to which the Office of the E-envoy is very
committed."
Society of IT Management (Socitm) consultant Martin Greenwood
added, "Security is central to e-government. People have got to
trust local authority systems in the same way that they trust a
hole-in-the-wall cash machine. Socitm members shouldn't
underestimate the challenges we face and neither should central
government policy-makers.
"Some councils have begun moving towards transactional-based
processes, such as offering online council tax payment. We need to
look at their experience and spread best practice."
Greenwood also highlighted concerns around data protection. "We
need clarification about what the Data Protection Act allows local
authorities to do and not do."
Retail
Prominent players in retail have emphasised the continued
importance of IT security this year, citing it as a major factor in
delivering their promises to customers.
As more retailers offer goods and services online, it has become
necessary for them to differentiate themselves from their competitors - it is
no longer enough simply to be "on the Internet". And retailers that
are seen to have secure online transactions will have a competitive
advantage.
"If you have issues around security this will damage your
reputation in customers' eyes," said Paul Worthington, chief
technology officer at Kingfisher, which owns a number of retailers
including Woolworths and Superdrug. "And the sheer volume of
traffic we deal with means more people are going to be
affected.
"Reliability is vital to ensuring that we deliver our promises
to customers - security is a key issue," continued Worthington.
He said Kingfisher takes as much external advice as possible and
in addition carries out "as much testing as we conceivably
can".
Manufacturing
Security headaches for manufacturing in the Internet age are
being compounded as firms reach out towards partners in the supply
chain and link processes to internal and external networks.
Simon Pollard, vice-president for European research at AMR
Research, said, "Most manufacturers have changed from an internal
focus to being externally enabled - upstream and downstream to
customers and suppliers. Until recently manufacturers' IT systems
stood alone, but with the trend towards greater collaboration,
concerns over security centre on the reliability of partners.
"Also, with the advent of manufacturing execution systems,
physical processes are potentially insecure. The possible outcomes
of security breaches in, say, pharmaceuticals are unthinkable."
Finance
After a string of Internet banking and share dealing security
breaches last year, financial organisations need to boost public
confidence in the security of Web-based products and services.
The changes needed are not rocket science. Many recent security
breaches in the sector were the unexpected by-products of
relatively minor upgrades.
More care must be taken with software testing before new
services are launched. Analysts have urged firms to make better use
of security assessment tools which check passwords and security
problems.
Public key infrastructure technology provides more heavyweight
security. But it is expensive and there are only a limited number
of suppliers. For lower value retail banking transactions password
protection is set to remain the norm.