General MacArthur once famously remarked, "There is no security, there is only opportunity." However, the problem for IT directors is that, when it comes to security, the opportunity seems to be on the side of those keen on breaching it.
The Internet has been a boon for the hacking community. As security expert and former hacker Robert Schifreen comments, in the pre-Internet era, hacking into US systems from the UK was an expensive business, incurring transatlantic phone charges. The Internet now allows hackers to roam the world for the price of a local call. The global village for hacking has arrived.
"Anyone in the world can get into your systems," warns Schifreen. But, although a counsel of paranoia is advised, it must not lead to a destructive siege mentality. After all, no system is breachproof. And a company cowering in its nuclear-proof bunker is not open for business.
It is too easy to make security a goal in its own right. The trick, says Helen Boardman, e-business infrastructure manager at United Utilities, is to turn that mentality around. Security, she emphasises, is not the key objective - a well-functioning business is.
"Security is a business enabler, not a restrictor," she urges. "It must not throttle business."
The right level of security must be applied, and this can only be done following the process of risk assessment, says Schifreen. First you must identify points of vulnerability and then map them to determine what potential damage a breach would cause, remembering that the value of data can far exceed the value of the system holding and guarding it.
He warns that $20 worth of storage can hold $2bn worth of research data. So do not carry it around on a laptop.
As a corollary, the in-your-face security breaches may not be as dangerous as the less visible ones, says Schifreen. Discovering that the corporate home page now sports a naked lady may be embarrassing, but it is quickly spotted and fixed - it may take a lot longer to discover a hacker has upped all the prices on the products pages.
High profile though hacking may be, it is not the major source of security damage. It is the fifth column within, not the foes without, that poses the greatest threat. More than 70% of security breaches are internal, warns Schifreen, and do far more damage. Disaffected - or bribed - staff are more dangerous than external hackers.
Ignorant employees are dangerous too, which is why security training is an essential part of a security policy. Staff have to understand what makes a system vulnerable, and what their responsibilities are - but there needs to be a balance between warning them and scaring them. Similarly, if security regulations are too draconian and onerous, employees will find them a burden and seek ways to evade them.
Senior staff, however, probably do need to be scared. Unless they see a clear and present danger from corporate security breaches they will prefer to spend their budgets elsewhere.
The way to convince senior management of the need to invest in IT security, advises Boardman, is a dual process: point out the high-profile security breaches documented in the media, then ask them just how much a similar breach would cost their own company.
"Security does require a significant upfront investment," she acknowledges, "but it pays back later."
Not having your company listed in the litany of scare stories circulated at security conferences is one such payback.
Robert Schifreen and Helen Boardman will be speaking at the IT Security Showcase on 14-15 February. Tel: 020-8394 5100
Hacker's guide to info security
Robert Schifreen's recommendations:
Six golden rules for secure success
Helen Boardman offers this advice:
Barrier or boon?
A recent survey by Xephon found that:
Enterprise Security Strategies, www.xephon.com/rarz.html