In-Depth

E-Security: Growing Threats Require New Strategies

Reaching out to as many customers as possible means corporate e-business strategies need to consider strategic approaches to e-security as well.

• By Judy Silver and Lane F. Cooper
• 08/01/2001

The networks and information systems that bind corporate trading partners to each other and to consumers are at the root of the information age economy, but they are also its Achilles’ heel. In an effort to reach out to as many customers as possible, corporate America has opened a huge electronic window into the core of its operations, and that’s a big temptation to cyber thieves and mischief-makers. As corporate e-business strategies, they need to consider strategic approaches to e-security as well.

A recent study published in searchsecurity.com revealed that for 85 percent of organizations, losses due to computer security breaches were up 50 percent over the previous year. The same study estimated that approximately 4,000 denial-of -service (DoS) attacks are launched every week. Losses at this level are only the tip of the iceberg, however.

"Enterprises today need to understand that the currency they really deal in is consumer confidence. Anything that threatens that confidence in a highly competitive market has to be considered a very real and substantial threat," says Phil Lacombe, president of information and infrastructure protection at Veridian in Arlington, Va. "DoS attacks that clog your bandwidth so customers, clients or suppliers can't get to you—or you to them—affect confidence and have an impact on the enterprise far beyond the loss of immediate business," he adds.

Then there is the value of corporate information itself. Protecting intellectual property is at least as important to companies whose stock in trade are patents, mailing lists, customer profiles, trademarks, business plans and strategic alliances. Who knows what, and when they know it, separate winners from losers in today's economy, and what companies know often resides on enterprise information systems.

External and Internal Threats
Although high-profile news items about computer security breaches tend to focus on sexy external attacks, 80 percent of all attacks or security breaches come from within the organization, according to the FBI. Some are malicious, from disgruntled employees, but many are inadvertent, caused by well-meaning employees who fail to observe security policies.

As organizations deploy extranets and accommodate home and mobile workers, they open a series of security holes. Web environments are particularly vulnerable. Web servers and some database servers are often fully or partly outsourced because they are shared by multiple organizations.

So in addition to deploying firewalls and intrusion detection, enterprises need to monitor web traffic and collect logs. Further, since some attacks happen over extended periods, the ability to aggregate and analyze information over time is critical, according to Matthew Kovar, director of Yankee Group’s Security Solutions Practice in Boston.

But there is a bigger issue here than responding to specific threats with point solutions. For many organizations security is a tactical consideration, often an afterthought to line-of-business technology initiatives. Significant savings and considerably more security can be gained by taking a strategic approach to security.

Strategic Security
Every major organization in the country is aware of the major security issues, but security has not managed to get onto boardroom agendas. Security, especially if you attach a term like "strategic" to it, sounds expensive, and does not appear to have much to do with generating sales.

Making a strategic commitment to security requires a corresponding financial commitment, one that corporations apparently are reluctant to make. Security spending today averages a mere two to three percent of organizations’ total information technology budget.

As companies move even more aggressively to e-business, using the Internet to bring in significant portions of their revenues, security spending will at a minimum have to move up into the five to eight percent range, according to John Pescatore, research director for Internet security at Stamford, Conn.-based Gartner.

Not all the blame for lax security can be laid at the door of the executive suite, however. Overworked network administrators looking for simple solutions contribute to strategic security inertia. Among the rank and file, complicated and frequently changing passwords may seem a hindrance in their day-to-day functions.

"There's a big difference between awareness and commitment," says David Klug, strike force manager, vulnerability, assessment, attack and penetration specialist, at Computer Sciences Corp., El Segundo, Calif. "Awareness is higher, but there's not enough money to address the problem and to nip it in the bud, rather than after the fact."

For the time being, most businesses seem to be reacting to security threats, rather than assessing risks and steering a safer—and ultimately more profitable—course. But this does leave the door open for those who seek to surge ahead of the competition by differentiating themselves in the marketplace as trusted players in the digital economy.