British American Tobacco (BAT) is hardening its networks and
applications to protect itself against new cyber threats, as it
switches increasingly to web-enabled enterprise applications.
The move, which involves outsourcing network and security
management, is part of a long-term plan to consolidate and
standardise the £25bn tobacco company’s IT services across 180
countries.
Under three-year framework agreements worth tens of millions of
pounds, Orange Business Services will supply British American
Tobacco with bandwidth and network management, and ITC Networks
will provide managed security services to BAT’s operating companies
and distributors.
Gareth Lindahl-Wise, head of global IT security at BAT, said the
company intends to use the internet more for business-to-business
applications, potentially exposing the company to greater risk.
“The threat profile changes, with attacks aimed at applications,
rather than the physical network. So we are looking to make
applications threat-aware and to harden them against attacks. For
instance, we think just doing proper input validation would halve
our risk,” he said.
“Much of what we are doing is not sexy, for instance, insisting
on compliance with RFCs [best practice recommendations of the
Internet Engineering Task Force].”
Lindahl-Wise said ITC would be responsible for three main IT
security projects: managing British American Tobacco’s
external-facing communications, installing and managing
extra-secure document and password “vaults”, and application
hardening.
ITC is using Cisco technology for firewalls, intrusion
detection/prevention, and event correlation and reporting. ITC
managing director Tom Millar said no decision had been made as to
who would supply the vaults or the applications hardening, but
Cyber-Ark, F5 Networks and Juniper were front-runners.
Kevin Whelan, technical director at ITC, said Cisco’s Security
Monitoring, Analysis and Response System was being used to
consolidate BAT’s security appliance logs worldwide to see
instantly if, where and when an attack is under way.
Only the paranoid survive in a web-enabled world
Firms need to step up their security as hackers’ professionalism
increases, David Bradshaw, principal analyst at research firm Ovum,
has advised.
“Everyone needs to take [Intel chairman] Andy Grove’s dictum –
only the paranoid survive – to heart,” he said.
Bradshaw said British American Tobacco’s aim of having fewer
datacentres was sensible. “It leaves fewer targets for attackers,
and makes them easier to defend,” he said.
Referring to BAT’s decision to outsource its IT security,
Bradshaw said, “The alternative is to become a security expert, and
the rate of change in the type and number of threats makes that a
no-win proposition.”