No matter how many millions of words get written about IT security, or how many millions of euros, dollars and pounds get lost as a result of policy failures, no one seems to be getting any better at making it work.
And we still don't really know the full extent of the problem. "Small companies tend to get hit more often than big companies," says Bill Hancock, chief security officer at Exodus, Cable & Wireless' Internet outsourcing arm. "But they don't tend to report it to the police."
The most common external threats that organisations face are viruses, followed by denial of service attacks. The third most frequent problem is hackers attempting to penetrate companies' Web sites. Matt Tomlinson, business development director at security consultancy MIS, estimates that between five and 10 new viruses appear every four weeks or so, and that hackers come up with up to 20 new exploits - new ways of breaking into a network - every month.
The external threats are the ones that grab the headlines. A bigger danger, however, is the internal threat. Robin Dahlberg, managing director of Internet Security Systems (ISS), a company that sells intrusion detection software, says about 60% of security breaches are staff-related, albeit generally through ignorance rather than malicious intent.
This tells us, yet again, that companies need to devise a sensible company-wide security policy and ensure that staff are aware of it. "You would be amazed how many technical people still use Star Trek names as their passwords. All hackers know this, so it is the first thing they go for," says Dahlberg.
But adopting a coherent security strategy costs money. In the past, this has not been forthcoming. But the rise in Web usage and increased interest in collaborative commerce means purse strings are starting to loosen.
Analyst firm Meta Group expects security budgets as a percentage of IT budgets to increase from their current 1% to 2% level to between 5% and 7% over the next five years. Research from IDC predicts the total European market for IT security products is set to explode from $1.8bn (£1.25bn) in 2000 to $6.2bn in 2005. If security services are added to the mix, the total size of the market will increase to almost $10bn within three years.
Thomas Raschke, programme manager for IDC's European Internet security research, believes that services - and in particular managed services (see page 20) - will become increasingly important. "A lot of customers just don't have the in-house expertise or money to tackle the issue. More companies will start outsourcing security, especially small to medium-sized firms that tend to have fewer resources," he says.
But not everyone wants to outsource. Is there a product solution? A bundle or suite that IT managers can install on their network to solve their security problems and then simply update regularly?
Suppliers say yes. Symantec and Computer Associates (CA) are among the companies that are working towards integrating security products into their wider portfolios.
CA, for example, will launch its eTrust Portal at its CA World user conference this month. The move is an attempt by the company to make its security product family more coherent and easy to administer by bringing it together under one management interface. The portal will also support third-party offerings.
Suites suit some, but other IT managers feel more secure with a best-of-breed mix-and-match approach. "There is no such thing as 'one size fits all' in security," says Tomlinson. "Two solutions are never the same because of the different concerns that users have. The security you build on top of a network protects only that network: no two networks are ever the same."
While Dahlberg believes that a properly configured firewall and up-to-date anti-virus software can handle 98% of attacks on a network, he acknowledges that IT managers always have to look at their own specific business requirements.
"Security should be appropriate to what you are trying to protect," he says. "It is like buying a burglar alarm. You wouldn't spend thousands on a system to protect a rabbit hutch, but you would if you are running a trading system that you cannot afford to be disrupted even for a few minutes."
This sentiment is seconded by Hancock. He believes that the issue of what technology to buy boils down to operational security or the minimum level of security that an organisation needs to get its goods or services out of the door. "You need to ask yourself: what are my assets? What am I trying to protect? And what technology will enable me to protect them? You need enough to do that, and any more is just a waste of money."
So a good starting point for building or revising a security policy is to assess what assets the business has and what it would mean in terms of lost revenue, market share, or damage to reputation if security were breached.
The second stage is to assess what potential threats may occur, who or what they might be, and how they can be dealt with.
The third stage is to establish what technology is likely to provide adequate protection. Tarken Maner, Computer Associates' vice-president of marketing, has come up with a six-point checklist for those implementing a security strategy:
Create a policy
Come up with a corporate security policy before buying anything. It is vital to establish who is accessing your systems and for what reason, who is using which IDs and passwords, and who is authorised to do what and when.
It is also important to define acceptable procedures. "Each policy has a birth, life and death and so it has to be flexible to enable change," Maner explains. "Security is there to enable the business to work successfully, and so it has to complement an enterprise's business model."
Define an architecture
Define a security architecture and establish what kind of IT is needed to do the job. "Policy defines architecture, although most companies make the mistake of putting architecture first, which is why line-of-business folk need to be involved from early on," says Maner.
Staff and any external people who access the corporate network have to be made aware of security procedures and what is or is not acceptable behaviour. Providing training may be necessary at this stage.
Shortlist and evaluate products and suppliers to see which fit your requirements most closely.
Undertake an audit of your policy, architecture, processes, procedures and products.
The sixth and final stage is to check that your processes are working and ensure that any changes are included in your policy document.
These steps should be common sense to any IT manager used to implementing new systems, but when it comes to security you have a smaller margin for error. "You can never make your business 100% secure, unless you had one PC with one Internet connection in a room with eight-inch walls and a steel door," says Tomlinson. "But you can achieve a balance: security good enough to ensure your commercial needs are met."
- Security 3A software is used to administer security on computer systems. It includes the processes of defining, creating, changing, deleting and auditing users.
- Authentication software verifies users' identities to ensure that repudiation does not take place.
- Authorisation software is used in conjunction with business policy to determine what resources users have access to.
- Administration software covers Internet access control, e-mail scanning, intrusion detection, vulnerability assessment and security management.
- Firewall software identifies and blocks access to certain applications and data.
- Anti-virus software identifies and/or eliminates harmful software and macros.
- Encryption software uses cryptographic algorithms to protect the confidentiality of data, applications and users' identities.
- Firewall appliances comprise a single-board computer with a hardened operating system and a limited set of applications, which can include a virtual private network, URL filtering or security management software.
- Biometrics technology measures and analyses human body characteristics such as fingerprints or voice and facial patterns to authenticate users' identities. Suppliers include Visionics (facial scanning), Communication Intelligence (signature verification) and Iridian (eye scanning).
- Tokens are used to authenticate users' identities and either have a one-time-use password encrypted onto them or are synchronised with an authentication server that they communicate with in a challenge-and-reply format.
- Smartcards are cards that are carried by users to authenticate their identity. They include a microprocessor and software to store user data.
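The glossary entry on tokens describes two modes: a one-time-use password generated on the token, and a challenge-and-reply exchange with an authentication server. The following is an added example, not code from the article or from any supplier named in it, that models both modes with a shared secret and HMAC-SHA256. The secret, the counter window, the truncation to six digits and the class names are all assumptions chosen for the illustration; real products differ in their algorithms and provisioning.

```python
import hmac
import hashlib
import secrets
import struct

# Constructed sample secret shared between token and server. In a real
# deployment it is provisioned into the token once and never sent over the wire.
SHARED_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def _truncate(digest: bytes, digits: int = 6) -> str:
    """Reduce an HMAC digest to a short decimal code, in the style of the
    dynamic truncation used by RFC 4226 (offset from the last nibble, 31 bits)."""
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _otp_for_counter(secret: bytes, counter: int) -> str:
    msg = struct.pack(">Q", counter)
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


class Token:
    """Model of a hardware token: holds the secret and an event counter."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self.counter = 0

    def one_time_password(self) -> str:
        """Counter-based one-time code. Each press advances the counter, so a
        code that the server has already accepted can never be replayed."""
        code = _otp_for_counter(self._secret, self.counter)
        self.counter += 1
        return code

    def answer_challenge(self, challenge: bytes) -> str:
        """Challenge-and-reply mode: MAC the server's random challenge."""
        return hmac.new(self._secret, challenge, hashlib.sha256).hexdigest()


class AuthServer:
    """Model of the authentication server the token is synchronised with."""

    def __init__(self, secret: bytes, window: int = 5):
        self._secret = secret
        self.counter = 0            # next counter value expected from the token
        self.window = window        # tolerated look-ahead if the token was pressed without a login
        self._pending = {}          # user -> outstanding challenge

    def verify_otp(self, code: str) -> bool:
        """Accept the code for any counter in the look-ahead window, then move the
        server counter past it so the same code is rejected on replay."""
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(_otp_for_counter(self._secret, c), code):
                self.counter = c + 1
                return True
        return False

    def issue_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(16)   # fresh per login attempt
        self._pending[user] = challenge
        return challenge

    def verify_response(self, user: str, response: str) -> bool:
        challenge = self._pending.pop(user, None)
        if challenge is None:
            return False   # no outstanding challenge, or it was already answered
        expected = hmac.new(self._secret, challenge, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run both modes once and report what the server accepted or refused."""
    token = Token(SHARED_SECRET)
    server = AuthServer(SHARED_SECRET)
    # One-time password mode: first use is accepted, a replay of the same code is not.
    code = token.one_time_password()
    first = server.verify_otp(code)
    replay = server.verify_otp(code)
    # Challenge-and-reply mode: the reply is valid once, for the challenge issued.
    challenge = server.issue_challenge("alice")
    reply = token.answer_challenge(challenge)
    ok = server.verify_response("alice", reply)
    reused = server.verify_response("alice", reply)
    return {"otp_accepted": first, "otp_replay": replay,
            "challenge_ok": ok, "challenge_reused": reused}


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is what "synchronised with an authentication server" costs in practice: a token pressed a few times without logging in still works, but a token pressed more than `window` times drifts out of sync and needs a resynchronisation step, which is why the window is kept small.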