I attended a round table on Information Warfare, hosted by IBM
recently. The "men in blue" are about to push out a television
advertising campaign, alerting business to the threat posed by
hacking, and with the not-so-hidden message that you will sleep
better if you ask IBM to advise you on your security policy, all
for a small consideration of course.
IBM appears to believe that the threat of information compromise,
whether as a result of a virus attack, a deliberate hack attempt or
the mess left by an ambitious script kiddie, can be greatly reduced
by better education at all levels of the workforce.
This is not a profound discovery. Only this month, the
Confederation of British Industry produced a report which clearly
showed that, overall, business is being hammered by hackers and
viruses and, where having a good information security policy is
concerned, the penny hasn't dropped yet.
I have met some of the more skilled and necessarily anonymous
hackers. Sitting down with one and playing "where would you like to
go today?" one quickly realises that keeping "elite" hackers out of
your network is an expensive and serious exercise and that only
luck protects a business from being "mapped" for weaknesses and
worse.
With cybercrime and hacking growing exponentially, does IBM have
any real answers to this problem outside of encouraging education
and a firm security policy?
I don't think it has. It is much more of a confidence-boosting
exercise. So much of our technology is vulnerable to exploitation
but business remains reluctant to invest more than it feels it has
to on security measures with no visible return-on-investment
proposition. Sometimes, the finance director can be persuaded to
sign-off another expensive box, and often this is where the problem
begins, rather than ends.
I call this "the Gabriel Paradox". Buy some expensive intrusion
detection system tools, an anti-virus suite and a firewall and
relax into a false sense of security in the belief that you have
employed a guardian angel to protect your business from the imps of
Satan. Unless your network administrator is as sharp and tenacious
as the people he is trying to defend your company against, the risk
of compromise remains high.
Two new books should be added to the required reading list for
anyone who takes the threat to their network security seriously.
Both by John Chirillo, they are Hack Attacks Revealed and Hack
Attacks Denied. Both are part of the education process that IBM is
so keen on and the latter is full of good information on how to
better secure your infrastructure from the attention of unwanted
visitors.
There is no silver bullet to use against the hackers. There is only
common sense and a sound security policy. You may not even know
that an invisible someone out there "owns" a network near
you.
Simon Moores is chairman of the Research Group
www.drmoores.com