Security hits top of IT agenda

IT security, once a problem delegated to programmers and technical specialists, is now a critical business issue for chief...

IT security, once a problem delegated to programmers and technical specialists, is now a critical business issue for chief executives. Bill Goodwin reports

Over the past year, computer security has become a top priority, not only for IT and e-commerce directors, but for many chief executives.

Highly-publicised blunders have helped to transform IT security from a problem for programmers and technical specialists into a critical business issue.

Each year, Web site security breaches cost companies more than $15bn (£10bn) in repair costs and lost revenue, according to market analyst Datamonitor. But the costs to a firm's reputation can be far greater.

When customers lose confidence in a Web site, it is not only the site that suffers but the whole organisation.

Microsoft, NASA and the Israeli government hit the headlines after their sites were attacked by hackers. But many more incidents go unreported. One hacker's Web site alone, recorded more than 100 successful hacks within the first four days of 2001.

Companies often assume that a firewall will be sufficient to protect their systems from malicious hacking. But programming errors in the operating systems and software applications hidden behind the firewall, can leave Web servers wide open to attack and confidential data open to public viewing.

The number of new programming vulnerabilities reported each month has risen from about 40 to 100 over the past 12 months. They are well documented on the Internet and provide hackers with a ready-made catalogue of tools to attack Web systems.

IT departments can minimise the risks by ensuring they install the most up-to-date service packs and fixes issued by suppliers. But this is far from fool-proof. Service packs may fix old vulnerabilities but they are notorious for introducing new errors that leave systems exposed.

For thousands of examples of Web sites hacked in year 2000 visit: www.attrition.org

Security healthcheck

To give companies a helping hand, Computer Weekly has teamed up with consultancy Internet Security Systems to offer readers £10,000 worth of security advice. The Computer Weekly Security Healthcheck will provide two free security audits of their Web sites plus help and advice to make sites more secure. Computer Weekly will report on the results of the work, setting a best practice benchmark that other IT departments can follow.

Breaches that hit the headlines in 2000

January

  • The World Intellectual Property Organisation forced to close Web site after hackers replaced its pages with the lyrics of a Bruce Springsteen song.

    February

  • Reed Executive reviewed security on its Web site, after Computer Weekly revealed that customers' CVs could be accessed without a password.

    May

  • Computer services group Bull blamed human error for a security flaw that left details about its customers' contracts, including the French and Russian Police and Barclays Bank, exposed on the Web.

    June

  • Hacker placed an offensive message on the Visa.com Web site.

    July

  • Seven thousand people were advised to cancel their credit card accounts after it emerged that confidential details were freely accessible on the Powergen Web site.

  • Confidence in Barclays' online banking site was dealt a blow when customers found they could look at other people's financial details.

    August

  • An organised crime gang attempted fraudulently to gain hundreds of thousands of pounds from the Egg online bank.

  • Names and work addresses of customers registered on the BT.com Web site were left exposed by a password error.

  • Woolworths shut down its Web site after customers found they could read each other's credit card and telephone numbers.

    September

  • Web hosting company Netcetera was forced to repair a server after Computer Weekly reported a security error that allowed corporate customers to view each other's confidential files, including customer credit card details.

  • Online auction broker E-Trade fixed a security glitch that allowed users to recover names and passwords of other customers.

  • Western Union blamed human error after a hacker copied debit information about 15,700 customers.

    October

  • A glitch on the Buy.com retail site exposed names, addresses and telephone numbers of customers.

  • The MBA International business school Web site was attacked by pro-Palestinian hackers.

    November

  • A well known American credit card company threatened to sue a UK university student after he discovered and informed customers of a major security flaw on its Web site. The company, which had failed to fix the site despite warnings from the student, backed down after a report in Computer Weekly.

  • Hackers gained entry to Microsoft servers. They viewed, and possibly copied, Microsoft source code, believed to be of a forthcoming product release.

  • Arab Internet users gained control of several Israeli government Web sites. Companies with business links with Israel, including Lucent, were also attacked.

    December

  • Hacker claimed a successful attack against the British Technology Group, replacing the Web site with the message, "Pathetic security like this makes me sick".

    How UK.com is coping with Internet attacks

    Public sector

    Andrew Pinder, the acting e-envoy told Computer Weekly, "It is vitally important that citizens and businesses trust the security of their electronic interactions with government.

    "The Office of the E-envoy is working closely with central and local government, regional authorities, the devolved administrations and particularly with industry, to develop the policies and mechanisms to ensure this trust is established and maintained.

    "The pace of technical developments and the increasing threat to business critical systems make this a challenging and continuing task. But it is one to which the Office of the E-envoy is very committed."

    Society of IT Management (Socitm) consultant Martin Greenwood added, "Security is central to e-government. People have got to trust local authority systems in the same way that they trust a hole-in-the-wall cash machine. Socitm members shouldn't underestimate the challenges we face and neither should central government policy-makers.

    "Some councils have begun moving towards transactional-based processes, such as offering online council tax payment. We need to look at their experience and spread best practice."

    Greenwood also highlighted concerns around data protection. "We need clarification about what the Data Protection Act allows local authorities to do and not do."

    Retail

    Prominent players in retail have emphasised the continued importance of IT security this year, citing it as a major factor in delivering their promises to customers.

    As more retailers offer goods and services online, it has become necessary for them to differentiate from their competitors - it is no longer enough simply to be "on the Internet". And retailers that are seen to have secure online transactions will have a competitive advantage.

    "If you have issues around security this will damage your reputation in customers' eyes," said Paul Worthington, chief technology officer at Kingfisher, which owns a number of retailers including Wool-worths and Superdrug. "And the sheer volume of traffic we deal with means more people are going to be affected.

    "Reliability is vital to ensuring that we deliver our promises to customers - security is a key issue," continued Worthington.

    He said Kingfisher takes as much external advice as possible and in addition carries out "as much testing as we conceivably can".

    Manufacturing

    Security headaches for manufacturing in the Internet age are being compounded as firms reach out towards partners in the supply chain and link processes to internal and external networks.

    Simon Pollard, vice-president for European research at AMR Research, said, "Most manufacturers have changed from an internal focus to being externally enabled - upstream and downstream to customers and suppliers. Until recently manufacturers' IT systems stood alone, but with the trend towards greater collaboration, concerns over security centre on the reliability of partners.

    "Also, with the advent of manufacturing execution systems, physical processes are potentially insecure. The possible outcomes of security breaches in, say, pharmaceuticals are unthinkable."

    Finance

    After a string of Internet banking and share dealing security breaches last year, financial organisations need to boost public confidence in the security of Web-based products and services.

    The changes needed are not rocket science. Many recent security breaches in the sector were the unexpected by-products of relatively minor upgrades.

    More care must be taken with software testing before new services are launched. Analysts have urged firms to make better use of security assessment tools which check passwords and security problems.

    Public key infrastructure technology provides more heavyweight security. But it is expensive and there are only a limited number of suppliers. For lower value retail banking transactions password protection is set to remain the norm.

  • Read more on Antivirus, firewall and IDS products

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.

    -ADS BY GOOGLE

    SearchCIO

    SearchSecurity

    SearchNetworking

    SearchDataCenter

    SearchDataManagement

    Close