Securing e-business: get your share

According to a new survey by West Coast Publishing, many companies underestimate the challenges involved in securing e-business

The problem

If the collective harping of the world's media is correct, the Internet and, more specifically, e-business is the way of the future. Soon we will all be shopping online and using technology to make every part of our lives easier and more enjoyable. We have come a long way from the 1950s and the growth of domestic appliances, to the 1980s when PCs became more widespread, and now to the 1990s and the new millennium, where we stare at the entire world through our TV and monitor screens and use email.

Information has become the currency of the future. Whether it is marketing information about our buying habits, both personal and business, or information about the price of soap, it's an asset that we must protect. Companies who trade online already face a lack of loyalty amongst their surfing audiences. They are charged with the additional role of protecting their customers' data from prying eyes in order to keep the confidence of their customers.

According to a recent West Coast survey, a third of organisations know that their security systems aren't up to scratch. Put another way, a third of organisations already realise they are at risk and admit they aren't doing enough about it. This figure doesn't even hint at the companies that haven't yet realised there could be a problem.

The study also found that one in three staff received no training of any sort on security. Most training that is carried out is done as part of an induction process for new staff (and may, due to the stresses of settling in, be forgotten within days). This lapse in information and control means that these businesses are open to attack.

It seems we are not ready for the e-business revolution that is happening across the world. But there is no reason for this; there are numerous products on the market and information to help us protect our most valuable asset - data. However, few companies fully appreciate the risks that affect their business.

As there have been moves made to classify levels of protection - from the government's initiatives to increase information security, to the BSI creating information security standard BS7799, which is awarded to companies who reach certain security criteria - it is hard to understand why security is being awarded such a low priority.

West Coast Labs, an independent certification body, has recently introduced a Checkmark Level II standard for anti-virus. This is awarded to anti-virus products which disinfect programs, disks and documents that have been infected by "in the wild" viruses appearing on the past month's list. The reason this was needed, according to Paul Robinson, director at West Coast Labs, is that: "We have witnessed a rise in virus activity this year, and, most notably, in this increasingly connected world, a great increase in the speed at which these viruses can spread across the globe. Melissa was reported in the US, Europe and Asia within 24 hours. Anti-virus solutions must be able to respond with a comparable level of swiftness if they are to provide adequate protection. This new tougher standard demands that anti-virus products deliver a level of protection appropriate to their users' experience in the real world."

The present situation

To tackle security threats, most businesses have anti-virus software and around three quarters have some form of access control software (software which protects against illegitimate access to their systems). However, under two thirds of companies have a firewall in place and only two in five companies employ encryption software.

It seems that IT buyers are concentrating on anti-virus solutions more than any other security measure. This is perhaps because of the continued high public awareness of virus threats and their very real effects within the UK. The Melissa and the Explore.Zip worm viruses very effectively proved the point that a business without effective protection against viruses was a business that could be instantly floored by attack.

Melissa effectively slowed down businesses across the world by putting tremendous demand on servers (to carry replicated messages to all addresses in the contacts list), and demonstrated a point that shouldn't be forgotten - viruses are quicker to spread than humans are to notice them. By the time you've noticed something odd occurring, you're infected, and without quality and up-to-date anti-virus protection, it could happen to you.

Spending on security is comparatively small compared to spending on other business requirements. But this is necessary when you consider the high cost of a virus-related incident and the subsequent breakdown in productivity and access. Both physical and data security are important to the IT world. It is not only necessary to protect your PCs from physical damage, but from data loss and theft of confidential information, which can have a value far in excess of the cost of replacing a hundred or even a thousand workstations.

From the survey results, it appears that while internal and external hacking has declined as a risk factor, what is now taking up the IT manager's time is email-related problems. 35 per cent of companies said they had experienced email-related security breaches. Since a disgruntled employee can instantly send confidential information to competitors or into the public domain, or email a virus around the company and on to customers, email must be viewed as a major threat.

It is, however, difficult to discern the extent of damage caused by external hackers, because if they do not damage data the harm can be hard to quantify. Another area of abuse that is rarely recognised is the danger of denial of service attacks, intended not to steal information but purely to disable systems for long periods of time. Such attacks, whether they arrive as mail bombs aimed at your mail server or as attacks via your website, can bring your systems to a grinding halt.

Mind the (reality) gap

There is a disparity between IT managers' perception of the risks they are exposed to and the risks that actually materialise. IT managers appear to rate theft and disaster recovery as more likely to affect them than email and Internet-related security breaches. However, the opposite is true. A third of IT managers have suffered at the hands of emailed jokes or hoaxes. These attacks tie up network availability and may engender fear of further attack among users.

If you combine email-related problems (i.e. virus attacks, pranks and jokes sent by email), you see that email is responsible for a large percentage of attacks on corporate networks. Virus hoaxes, in particular, are a very real danger to companies who suffer the effects of lost trust in their security systems from management. These fears may or may not be justified. But simply because they fear they may be the next target, productivity may be affected across the whole company.

There is a clear belief amongst most companies that most security risks come into the company from outside. This is clearly a fallacy, judging by the comparative costs to business of internal and external attacks, coupled with the ample opportunities for maliciously motivated employees to cause damage. One disgruntled employee with a fair level of computer knowledge could commit industrial espionage or simply attempt to damage the network or the data travelling on it. Information only retains its value if it's controlled, and for most businesses that don't run security suites that scan all incoming and outgoing email (like MIMEsweeper), it is likely that control will be compromised.

If attack occurs

If a virus or hacker managed to get into your systems at 2 am tomorrow, how soon could you recover? This is the question that all companies must ask their IT managers. The traditional disaster plans for fire, flood and electricity losses, while still real, have been overshadowed by the need to be able to keep on working even in the event of problems.

Today's IT manager must be ready for the worst to happen and have plans in case it does. If your web server blows up, do you have a back up? Do you have a UPS in case of an electricity fault? These sorts of questions will not only affect your company, but the companies who rely on your staff.

According to the Business Continuity Institute, 80 per cent of companies who suffer a major disaster go bust within 13 months. Whether or not you consider a virus infection, a hacker stealing data or a server crash a major disaster depends on how you handle the crisis. If you have no protection and you lose all your data - that's a major disaster. If your business can't get back online (or at least working at a reasonable rate) in time to fulfil your obligations, you have little chance of recovery. Your customers are unlikely to accept the excuse that you didn't think anything would happen to you as a reason their order hasn't been met or service has ceased.

Nearly all organisations are expanding their information systems in critical parts of their business. One of the most obvious benefits of this is their ability to communicate over Local Area Networks or via the Internet. The growth of email has been swift and almost universal as the choice of communication medium for businesses. However, there is now a chasm between the amounts of power given to every employee to communicate and the amount of control administrators have over content and activity.

The widespread access to data common in business today creates challenges for IT staff. They can use products like the ISS Security Suite to scan their databases and systems for potential problems and attempt to put in place a very comprehensive security policy. They can also scan mail with products like MAILsweeper for confidentiality breaches or prescribed content. These business solutions are only as good as the staff administering them, who must know the risks in order to be able to protect against them.

Overworked IT managers are not able to take in all the information they need to keep their systems safe, and the Y2K problem has taken its toll here. In concentrating on ridding networks of the Millennium bug, there has been little time or budget to spend on protecting security. One good thing to come out of tackling Y2K has been the development of business continuity management and planning. IT managers can now identify not only what can go wrong, but what they can do if the worst does happen. They can now budget accordingly, and if afforded sufficient funds, there is no reason why, by using an integrated suite of protection software, the average business can't be (almost) completely safe from attack.

Rachel Hodgkins