Be afraid, be very afraid

Fear is what drives most security decisions, says Julia Vowler, but do not let it stifle your business

General MacArthur once famously remarked, "There is no security, there is only opportunity." The problem for IT directors is that, when it comes to security, the opportunity seems to be on the side of those keen on breaching it.

The Internet has been a boon for the hacking community. As security expert and former hacker Robert Schifreen comments, in the pre-Internet era, hacking into US systems from the UK was an expensive business, incurring transatlantic phone charges. The Internet now allows hackers to roam the world for the price of a local call. The global village for hacking has arrived.

"Anyone in the world can get into your systems," warns Schifreen. But, although a counsel of paranoia is advised, it must not lead to a destructive siege mentality. After all, no system is breachproof. And a company cowering in its nuclear-proof bunker is not open for business.

It is too easy to make security a goal in its own right. The trick, says Helen Boardman, e-business infrastructure manager at United Utilities, is to turn that mentality around. Security, she emphasises, is not the key objective - a well-functioning business is.

"Security is a business enabler, not a restrictor," she urges. "It must not throttle business."

The right level of security must be applied, and this can only be done following the process of risk assessment, says Schifreen. First you must identify points of vulnerability and then map them to determine what potential damage a breach would cause, remembering that the value of data can far exceed the value of the system holding and guarding it.

He warns that $20 worth of storage can hold $2bn worth of research data. So do not carry it around on a laptop.

As a corollary, the in-your-face security breaches may not be as dangerous as the less visible ones, says Schifreen. Discovering that the corporate home page now sports a naked lady may be embarrassing, but it is quickly spotted and fixed - it may take a lot longer to discover a hacker has upped all the prices on the products pages.

High profile though hacking may be, it is not the major source of security damage. It is the fifth column within, not the foes without, that poses the greatest threat. More than 70% of security breaches are internal, warns Schifreen, and do far more damage. Disaffected - or bribed - staff are more dangerous than external hackers.

Ignorant employees are dangerous too, which is why security training is an essential part of a security policy. Staff have to understand what makes a system vulnerable, and what their responsibilities are - but there needs to be a balance between warning them and scaring them. Similarly, if security regulations are too draconian and onerous, employees will find them a burden and seek ways to evade them.

Senior staff, however, probably do need to be scared. Unless they see a clear and present danger from corporate security breaches they will prefer to spend their budgets elsewhere.

The way to convince senior management to invest in IT security, advises Boardman, is a two-step process: point out the high-profile security breaches documented in the media, then ask them how much a similar breach would cost their own company.

"Security does require a significant upfront investment," she acknowledges, "but it pays back later."

Not having your company added to the litany of scare stories circulated at security conferences is one of those paybacks.

Robert Schifreen and Helen Boardman will be speaking at the IT Security Showcase on 14-15 February. Tel: 020-8394 5100

Hacker's guide to info security

Robert Schifreen's recommendations:

  • Although there are a lot of good security products, don't install them until you have carried out a risk analysis and understand where the problems are, what is worth protecting and for how much. Don't spend too much protecting low value data, or too little on protecting invaluable data

  • Staff are more dangerous than outsiders, so security training must target end-users, from sales managers to secretaries. But do not make them paranoid

  • You must carry out penetration testing of all systems at least once a year. Hire someone to break into your systems. They will succeed 95% of the time.

Six golden rules for secure success

Helen Boardman offers this advice:

  • Establish your security policy and procedures first, following your risk assessment process. Get the principles in place and roll them out in practice as they are needed

  • Do not embed security within individual applications. Keep security as a separate layer, then you can plug and play applications without redoing security. It is especially important to have this flexibility in an e-environment where security can be seen as slowing down implementation, yet it is even more important than in non-e-systems

  • The greatest security threat from the Internet is not external. E-systems potentially allow your own staff to open your core systems to outsiders

  • Make sure security is end-to-end, especially across the core systems/e-systems interfaces. Building e-systems will mean revisiting established security policies for core systems

  • Security policies are not cast in stone - they need to be adapted to changing technology

  • Regard security as a ticket to safe business, not a stifling choke. Management must see the value of investing in it.
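As an added illustration of the second and fourth rules above (keep security as a separate layer, and make it end-to-end across the core-system/e-system interface), here is a small Python policy layer. It is example code written for this page, not code from the article, from United Utilities or from any product; the resource names, roles, users and the "core" price store are constructed for the demonstration. Every application is registered behind one enforcement point, the e-system handler reaches the core system only through that same point, and the end user's identity is carried through the chain rather than being replaced by a trusted system account.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Set


class PermissionDenied(Exception):
    """Raised by the security layer; applications never make this decision themselves."""


@dataclass(frozen=True)
class Principal:
    name: str
    roles: FrozenSet[str]


@dataclass
class SecurityLayer:
    """Single enforcement point mapping resource names to the roles allowed to call them.
    Default deny: a resource with no rule, or no registered handler, is reachable by nobody."""
    rules: Dict[str, Set[str]] = field(default_factory=dict)
    handlers: Dict[str, Callable] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def allow(self, resource: str, *roles: str) -> None:
        self.rules.setdefault(resource, set()).update(roles)

    def register(self, resource: str, handler: Callable) -> None:
        """Plug an application in; the application gets no say in who may call it."""
        self.handlers[resource] = handler

    def invoke(self, principal: Principal, resource: str, *args, **kwargs):
        permitted = self.rules.get(resource, set())
        if resource not in self.handlers or principal.roles.isdisjoint(permitted):
            self.audit.append(f"DENY  {principal.name} -> {resource}")
            raise PermissionDenied(f"{principal.name} may not call {resource}")
        self.audit.append(f"ALLOW {principal.name} -> {resource}")
        # The caller's identity is passed on, so a chain of calls is authorised
        # end to end as that user, not as a shared system account.
        return self.handlers[resource](principal, *args, **kwargs)


# Constructed sample "core system" data and applications (illustrative only).
PRICES: Dict[str, float] = {"widget": 10.0}


def core_set_price(principal: Principal, product: str, price: float) -> float:
    """Core system: changes a product price. Contains no authorisation code of its own."""
    PRICES[product] = price
    return price


def core_get_price(principal: Principal, product: str) -> float:
    return PRICES[product]


def build_layer() -> SecurityLayer:
    layer = SecurityLayer()
    layer.register("core.price.set", core_set_price)
    layer.register("core.price.get", core_get_price)
    layer.allow("core.price.set", "pricing_manager")
    layer.allow("core.price.get", "pricing_manager", "customer")

    # E-system handler plugged in later without touching the core rules above.
    # The web page is open to customers, but the core call it makes is still
    # gated on the identity of the end user who reached the page.
    def web_update_price(principal: Principal, product: str, price: float) -> float:
        return layer.invoke(principal, "core.price.set", product, price)

    layer.register("web.price.update", web_update_price)
    layer.allow("web.price.update", "pricing_manager", "customer")
    return layer


def demo() -> Dict[str, object]:
    layer = build_layer()
    manager = Principal("alice", frozenset({"pricing_manager"}))
    customer = Principal("bob", frozenset({"customer"}))
    results: Dict[str, object] = {}
    results["manager_sets"] = layer.invoke(manager, "web.price.update", "widget", 12.5)
    try:
        layer.invoke(customer, "web.price.update", "widget", 0.01)
        results["customer_sets"] = "allowed"
    except PermissionDenied:
        results["customer_sets"] = "denied"
    results["customer_reads"] = layer.invoke(customer, "core.price.get", "widget")
    try:
        layer.invoke(customer, "core.unregistered", "x")
        results["unregistered"] = "allowed"
    except PermissionDenied:
        results["unregistered"] = "denied"
    results["audit"] = list(layer.audit)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the exercise is the audit trail: the customer is allowed onto the web page but is refused at the core-system boundary under his own identity, which is exactly the check that disappears when an e-system talks to the core with a single privileged service account and does its own authorisation inside the application.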

Barrier or boon?

A recent survey by Xephon found that:

  • A third of large IT departments believe security concerns are slowing down their progress in e-business

  • A sixth believe security priorities are in danger of being overruled in the rush to e-commerce

  • Under half say corporate e-business and security strategies are progressing hand in hand

  • Users rated mainframes as the safest place to store data (scoring nine out of 10), Unix averaged 6.6, NT 5.5 and Linux 4.6

  • The vast majority reported sophisticated access management, firewall and anti-virus technologies in place

  • Most felt the activities of external hackers could be controlled successfully

  • Most felt viruses could usually be eradicated without serious damage

  • A fifth said they could protect their systems from malicious staff only occasionally or rarely

  • Three quarters said the impact of inside damage, though rare, was potentially very serious.

Source: Xephon, Enterprise Security Strategies