
As physical security is tightened in the wake of the attacks in the
US, Paul Williams looks at the possibility of cyber-terrorism and
what can be done to prevent it.
There is much talk of "business as usual" as the world's financial
communities attempt to restore normal operations in a world that
may never be the same again.
In my last article I discussed the need in today's business world
for 24/7 operations enabled by technology. There is little that the
business world can do to protect itself against the physical
attacks that occurred last week, although many business continuity
plans will now need to be re-assessed in the light of the sheer
scale of those events.
Many assumptions will need to be revisited including the ease of
access to buildings and back-up sites, the potential loss of
personnel, and the impact of the disaster across multiple
businesses within the same trading community. But what about the
more subtle and potentially business-fatal attacks that could arise
from cyber-terrorism?
Will cyber-terrorism be next?
Given the recent events in the US, and the possibility of further
attacks on information networks as well as physical structures,
what are businesses doing to manage the risks to their business
from potential cyber-terrorism?
In the US, the FBI issued a warning that "Tuesday's attacks could
be followed by a series of cyber-attacks". Attacks on information
networks could cause not only financial losses: imagine if the
machines that were attacked were the ones that operated air traffic
control systems or controlled a nuclear power plant?
As strict physical security measures
are put into effect across the Western world, will terrorists
attempt to achieve their aims of disruption and destruction through
attacks against information networks? In the 1990s, the Pentagon
produced a number of studies that showed that a cyber-attack on
computer and communication systems could cripple the US as severely
as a physical attack.
What precautionary measures can we take to reduce the risks to our
IT infrastructures?
Risk identification and analysis
We must first be confident that all relevant risks have been
identified, and that management understands which of them require
action to reduce them.
There is a limit to the resources available for reducing risks, and
compromises will inevitably occur. Even huge expenditure such as
the proposed "Son of Star Wars" missile defence scheme would not
have prevented the attacks on the US. However, it is also important
to remember that no risk can ever be completely eliminated - no
country or business can ever be completely secure.
Building defences
A combination of measures such as
well-configured firewalls, effective monitoring tools and high
levels of security awareness can help to reduce the damage caused
by cyber-attacks. However, companies have to remember there are
more than just tangible assets at risk. The damage to a company's
reputation resulting from a security incident can far outweigh the
loss of data or cost of rectification. Loss of reputation and
shareholder confidence can contribute to long-term damage and even
potential business failure or takeover.
Businesses should establish a Business Continuity Plan, taking into
consideration disaster recovery for events such as hacking or
intrusion as well as for the more traditional physical disaster
scenarios. The key to such a plan operating effectively is
awareness that an attack has occurred, together with good
communication and training about the plan so that it can be put
into action quickly.
Be proactive
This is a time to focus your security budget on the key risks to
your enterprise.
Urgent and effective action is required in areas such as disaster
recovery planning and external back-up and storage solutions, both
of which can serve to mitigate the effects of cyber-attack. Many
companies in the World Trade Centre had set up dedicated back-up
sites following the 1993 bombing and were able to relocate their
operations quickly to New Jersey or elsewhere.
Just as people are the heart and mind of a business, IT and
telecommunications networks are increasingly serving as its nervous
system. It is becoming increasingly important that these business
assets are given adequate protection, and that this protection is
provided in a proactive rather than reactive manner.
Conclusions
To date there has been no coordinated cyber-terrorist attack in the
UK. However, businesses should take notice of the increasing use of
hacking and other attacks as additions to traditional physical
threats.
Risk management should be considered at all levels with the
understanding that these risks are very real and that it is
everyone's responsibility to ensure that these risks are properly
managed. From a governance viewpoint, management boards and audit
committees should be seeking positive assurances that these threats
are being properly assessed and that there are adequate measures in
place to minimise the impact from such attacks.
Are systems more at risk than ever?
Do you believe that
terrorists will turn to cyber-attacks as physical security is
tightened in the wake of the World Trade Centre atrocity? And what
is the best defence?
Let us know with an e-mail.
Paul Williams FCA, MBCS is immediate past international president
of the Information Systems Audit and Control Association
(www.isaca.org) and a partner with Arthur Andersen's financial
markets division in London.