By Simon Duddy
IT belt tightening can have a detrimental effect on security, says Robert Hillery, senior security consultant with Intelguardians.com. He believes it is difficult to apply ROI calculations to security, but that doesn’t mean such solutions don’t pay off.
Information security is not new. Let’s face facts – it’s been around as a specific concern for more than five years in the current form, much longer than that in pre-internetworked systems. So, why are our systems still successfully attacked with numbing regularity? Why are we no longer shocked when we read about a breach that exposes millions of clients’ information?
I suggest it’s because we may have focused too much on checklists and too little on real behaviour changes. Changing the behaviour of people and changing business processes are difficult, time consuming and expensive, and the effort must be applied repeatedly — to new hires as well as refreshers for old hands.
It all begins, of course, with policy but companies must follow through and actually implement and audit those policies. For example, all of us have passwords and most of us have policies regarding their proper selection. Yet, Microsoft’s own client incident response support team reports that more than 80% of successful network compromises are still rooted (pun intentional) in poor administrator passwords.
The web is now the preferred medium for business. Applications, services, financial transactions, and university courses are all online and web-enabled. One would think this would make web security a high priority, but as I write this (24 July at 0430 GMT) Zone-h (www.zone-h.org, a web defacement mirror) has reported more than 310 defacements already today.
As intelligent people, we exercise due diligence and read contracts, review the agreements online, research the company to which we are about to entrust our data. What we do not know, and generally cannot know, is the extent of third and fourth party agreements. We do not know where our data is really stored.
One example is CardSystems Solutions, which held records for credit card firms and suffered a serious security breach. Many customers were surprised that their data was not held directly by credit card companies. In addition to the data not being sufficiently protected, long transaction histories were kept for ‘research purposes’, according to the head of CardSystems. Do users have any real idea about where their data is? Who is storing it and with what security?
This is made more challenging as many firms out-task, with out-tasking stretching from call centres and data entry to code development, web hosting and storage. Companies are embracing out-tasking, outsourcing and offshoring as the next revolution in cost-benefit management.
But it can come with many hidden costs that are generally not well understood by financial types. What is the price of lost data? What is the price of lost opportunities, because customers are unable to connect in a manner they expect? What is the cost to a company’s reputation when data security and management is questionable? The expense of in-house IT security or auditing may seem difficult to apply to ROI (return on investment) calculations. But it may be much cheaper than rebuilding a company, or paying solicitor’s fees to control losses.
As a result we cannot blindly put trust in others or simply say we have policy, when in many cases it is demonstrable that these policies are not being properly applied. We should learn that while success starts with policy, it does not end there. We must ensure we have processes that can be monitored and audited. We cannot be complacent and assume that external audits will truly secure our reputations.
Robert Hillery
Senior security consultant
Intelguardians.com