IT departments are fighting an increasingly fraught battle to keep
their systems free of security vulnerabilities. In just the past
three months, more than 600 new vulnerabilities have been
discovered in operating systems and applications. Fifteen of these
have been rated as critical by the US security organisation the SANS
Institute. IT departments have little choice but to fix them
immediately, if they want to protect their systems from hackers and
malware.
Software suppliers must take much of the responsibility. Microsoft
and others are getting to grips with securing operating systems,
but there is still a long way to go. Many application developers
have yet to secure their products adequately, and applications are
increasingly likely to become the weak link in corporate security.
But corporate IT departments also have something to answer for.
Industry estimates suggest that the most secure organisations have
only patched between 30% and 70% of the most critical
vulnerabilities. That leaves a large number of corporate systems as
sitting targets for hackers and organised criminal groups.
Managing vulnerabilities effectively is not difficult, but it does
take organisation. ICI, featured in Computer Weekly this week, is
one example of a company that has grasped the nettle. By the end of
the year it will have the ability to scan 35,000 devices across
sites in 35 countries for security vulnerabilities. ICI will be
able to ratchet up its security over time, prioritising problems
according to their potential impact, and eliminating them.
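The approach the editorial describes, scanning, ranking findings by potential impact and tracking how many of the critical ones have actually been fixed, can be sketched in a few lines. The following is an added illustration, not ICI's tooling or any scanner's output: the findings, the host names, the vulnerability identifiers and the severity and exposure weights are all constructed for the example.

```python
"""Prioritise vulnerability scan findings by potential impact and report
patch coverage of the critical ones.

Added illustration: the findings, host names, vulnerability identifiers
and the two weight tables are constructed, not real scanner data.
"""

from dataclasses import dataclass

# Assumed scoring scales; a real programme would take these from its own risk policy.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
EXPOSURE_WEIGHT = {"internet": 3, "dmz": 2, "internal": 1}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str        # the scanner's identifier for the weakness (constructed below)
    severity: str       # critical / high / medium / low
    exposure: str       # where the host sits: internet / dmz / internal
    patched: bool       # whether a remediation has already been applied


def risk_score(f: Finding) -> int:
    """Potential impact: severity scaled by how reachable the host is."""
    return SEVERITY_WEIGHT[f.severity] * EXPOSURE_WEIGHT[f.exposure]


def prioritise(findings):
    """Open findings, most urgent first; ties broken by host and id for stable output."""
    open_findings = [f for f in findings if not f.patched]
    return sorted(open_findings, key=lambda f: (-risk_score(f), f.host, f.vuln_id))


def critical_patch_coverage(findings) -> float:
    """Share of critical findings already patched: the figure the text puts at 30% to 70%."""
    critical = [f for f in findings if f.severity == "critical"]
    if not critical:
        return 1.0
    return sum(1 for f in critical if f.patched) / len(critical)


# Constructed sample: not real hosts and not real vulnerability identifiers.
SAMPLE = [
    Finding("web-01", "VULN-0001", "critical", "internet", False),
    Finding("web-02", "VULN-0001", "critical", "internet", True),
    Finding("mail-01", "VULN-0002", "high", "dmz", False),
    Finding("hr-db-01", "VULN-0003", "critical", "internal", False),
    Finding("print-07", "VULN-0004", "medium", "internal", False),
    Finding("dev-12", "VULN-0005", "low", "internal", True),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{risk_score(f):3d}  {f.host:10s} {f.vuln_id}  {f.severity}/{f.exposure}")
    print(f"critical patch coverage: {critical_patch_coverage(SAMPLE):.0%}")
```

The ordering puts the internet-facing critical finding first and the internal printer last, while the coverage figure shows one of three critical findings fixed; the same two numbers, worked over a whole estate, are what a programme like ICI's would report month by month.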
With the problems showing few signs of abating, ICI's approach
must become the benchmark for all corporations. The
growing threat from organised crime groups has been highlighted
dramatically over the past three months, with high-profile hacking
cases in the US and the UK. More than one company has suffered
severe damage to its reputation and its bottom line after hacking
groups copied thousands of customer credit card details from its
systems.
In five years, the world will be as astonished at companies that do
not run vulnerability scanning, as it is now incredulous at
companies that do not have anti-virus software. By then, the battle
will have moved on. The next front, the SANS Institute predicts,
will be vulnerabilities in printers, photocopiers and other
hardware devices that could provide entry points for hackers into
the corporate network.
Fixing these hardware-based problems could prove a good deal
trickier than the current generation of software-based threats:
such devices run firmware that is updated rarely, if at all, and
they are often left outside the scanning and patching regimes that
cover servers and desktops.