
Keeping the ICT environment secure

In a knowledge- and information-based business world, where high security levels are an imperative, firewalls and anti-virus software are no longer enough to ensure companies' system security.
By Kaunda Chama, ITWeb features editor
Johannesburg, 06 Sep 2004

Corporate ICT security has taken on a new face. It has matured from the age of simply putting up "picket fences" in the form of firewalls on company servers and anti-virus software on client desktops, to adopting a blended approach that incorporates a host of security elements.

Most companies in today's business environment have warmed to the idea of security policies. This is partly a result of research showing that, in addition to threats from outside, many security threats are inherent within the company.

Gary Middleton, Dimension Data GM for security practice, says the past 18 months saw companies changing focus on major security threats. Macro viruses and hackers have taken a back seat, while malicious code, distributed denial-of-service (DDoS) attacks and employee abuse of ICT assets have come to the fore.

"Although hackers and viruses are still in the top 10, the threat landscape has changed and they are now very much down the line," says Middleton. He adds that corporate governance and legal issues have also raised the security bar.

The guidelines

The King II report on corporate governance and the ECT Act are encouraging adherence to high security standards. However, many industry players argue that interpretation of the Act is still "fuzzy" as there has never been a major court case involving breach of a company's security systems.

Consequences of neglecting security

* Systems failure
* Downtime
* Loss of productivity
* Virus infection
* Compromised data
* Data loss
* Legal issues
* Damage to reputation and company embarrassment

"CEOs and CIOs have taken cognisance of this and have taken a legitimate business stance towards putting together security policies. ICT security has evolved from being merely a technological issue to being a business issue as well," explains Middleton.

The huge business drive in the arena of corporate governance is pushing companies to adopt best practices, and DiData says it is seeing a lot of interest in its solutions and best practice models.

Firewalling, anti-virus software and content filtering are still popular for companies looking to better their data security. However, medium and large companies are showing increased interest in having security policies implemented throughout their firms. They are also tying security to human resource policies.

Although it has been said that SA has not been hit hard enough to stimulate any real interest in security, the fact is that when the Blaster worm struck last year, it managed to affect the operations of at least 26 government departments.

"Even with this in mind, I think the most damaging malicious code is still on its way; and, as mobility becomes more widespread, attacks from things like the cellphone virus will become more prevalent," says Middleton.

Faritec head of security services Gordon Love says the local market seems dominated by product vendors selling firewalls and anti-virus software, and adds that technology is not enough without guidelines to manage the processes around it.

"According to a recent BMI-TechKnowledge report, almost 80% of companies interviewed in the research admitted to having had their corporate security breached."

He explains that ICT security is now being viewed as a specialist function. This is evident in the fact that most new agreements between corporates and security service providers have service level agreements tied into them.

The intelligence factor

It has always been said that security should involve people, process and technology. But Love says a fourth element - intelligence - should be added for companies to get the most out of their security solutions.

"Last year saw over $1 billion being spent on security worldwide, 65% of which was spent on product, with the balance going to services. I see the trend changing and services around security moving up to 50% as the demand in specialist services grows, coupled with the influence from the likes of the King II report and ECT Act on risk management," says Love.

Tiscali's head of enterprise services Larry Paslovsky echoes Love's sentiments, adding that while most companies have some sort of security in place, they sometimes lack a system or policy to manage it.

He comments that, according to a survey his company undertook recently, viruses, spam, theft of machines and hackers are the top concerns for small to medium companies.

Paslovsky says companies do not seem to acknowledge spam as a security concern, while they could gather a lot of information from monitoring their spam and picking up on what could be suspicious mail.

There are few organisations that do not, in one way or another, use the Internet. In doing so, they expose themselves to a variety of risks, many they may not even be aware of.

Even the most basic use of the Internet, such as browsing and e-mail, provides gateways into an organisation, thereby inviting unwanted attacks from both hackers and viruses, which can be costly in a number of ways.

Backdoor

One just needs to look at the latest vulnerabilities in Microsoft Internet Explorer 6 for a clear example of the risk an organisation faces through simple browsing. These vulnerabilities created the means for hackers to turn Web sites into conduits into organisations' networks and transmit devastating viruses or spyware. Businesses using the browser were effectively opening up their entire internal infrastructure to unauthorised people.

The problem is already huge and growing

* The identity management market is expected to reach nearly $4 billion by 2007.
* 2003 saw another tidal wave of viruses and worms, security breaches, productivity concerns and legal liability issues.
* Corporate concerns with regulatory compliance, spam, worms and viruses, and identity management will help to drive the security software market to achieve turnover of more than $5 billion in 2008.

The most frightening aspect of this is that users need not actively do anything other than browse. They are not asked to open, execute or download files. Internet Explorer does this without their knowledge or intent. This vulnerability is in no way negated by expensive firewalls.

A number of businesses use the Internet for more sophisticated transactions that have a direct impact on their company. Businesses have functional applications developed specifically for the purposes of making their company an e-business.

Unfortunately, in most cases, no risk assessment is performed and only the benefits of the application are considered. The consequences can range from simple inconvenience, to loss of productivity and income, to loss of reputation and clients, and, ultimately, to serious and costly legal action.

Andrew Wilson, a security expert at DVT, a business systems solutions company, says vendors punting anti-virus and firewall products lead organisations to falsely assume they are protected from all online ills. "But the appearance of a new threat can bring organisations to a standstill, costing millions in lost productivity and revenue, not to mention the costs associated with removing the virus," says Wilson.

When it gets complex

For organisations that use the Internet only for e-mail and browsing, it is critical that processes are put in place to ensure service packs and patches are installed the moment they are released. Prevention is always better than cure and, in almost every instance, the fix to prevent virus infection is available before the virus is out in the wild. The experts say awareness campaigns are so important it is worthwhile considering monthly awareness workshops for users.

"For organisations with more complex online relationships, where Internet-based transactions take place between the organisation and clients, affiliates, suppliers and partners, a thorough examination of the environment from end-to-end must be undertaken so that a comprehensive understanding of the risks facing the organisation, along with the likelihood of exploitation, are known and can be addressed," says Wilson.

"In addition, there are legal standards that must be met where transactions over the Internet are concerned."

Simply adding a firewall and demilitarised zone does not meet the strict standards required by law. A risk assessment must also ensure an organisation is not exposed to liability as a result of not meeting legal requirements.

"The only way to substantially mitigate risk is to have a qualified expert examine your environment, including the architecture of the application and all systems that it may have an impact upon," says Wilson. "It is important to remember that as quickly as new technologies are developed so too are new threats, so security should be reviewed on a regular basis."

Chris Wilkins, CEO of DVT, comments that security has been an under-managed and fragmented function in many organisations.

"Information security began as simple data centre security, and then grew as the IT environment expanded to include online computers on every desk. Today organisations require a higher level of security than ever before, but often they don't have enough money or other resources to implement every available safeguard," he says.

Stressing the importance of assessing security across the entire organisation, Wilson says a holistic security programme must be based on risk management. "Applying the principles of risk management provides a sound foundation for effective security as it looks at all variables including threats, potential losses, environmental vulnerabilities and existing controls. It then calculates a risk factor and a cost-based prioritisation of solutions that are robust, cost-effective and all-encompassing."

Product hawking

Wilson adds: "Most vendors are more interested in punting their product lines than in actually providing clients with a comprehensive solution that addresses all key security considerations."

Security and risk strategies - 2004/05 Meta Group trends

* Security strategy: The strategic approach to information security will continue to transform from a set of ad hoc activities to a co-ordinated approach of principles, behaviours and adaptive solutions that map to business requirements (2004-06).
* Confidentiality: Privacy regulation will continue to focus attention on encryption of information at the data, file, database and transport levels through 2005/06 (for transactional and collaborative applications, wireline and wireless).
* Organisation/governance/budget: Security organisational strategies will emphasise the establishment of clear accountabilities and separation of duties (2004/05).
* Identity: Driven by compliance and cost, organisations will focus on identity as a business asset.
* Threat and vulnerability: Threat and vulnerability management integration will accelerate through 2004.
* Physical security: Physical and logical security will be integrated at all levels, beginning with governance and risk assessment and informal team co-ordination (2004).
* Content security: Content security investments will focus on e-mail hygiene (eg content/spam filtering), secure messaging/collaboration and anti-virus management and policy enforcement (2004/05).
* Application securability: Application securability concerns (ie secure coding, integration, infrastructure) will increase during 2004-06, due to multiple application architectures (eg mainframe, client/server, Web application, Web services).
* Isolation: SSL-based virtual private network (VPN) solutions will become a consolidation point for reverse proxies, transactional application security gateways, and Web single sign-on capability.
* Strategic processes: Investment in strategic security processes will focus on formalising risk (2004/05) and trust (2005-07), with increasing attention to awareness/communication and policy.

He points to the stringent legislative requirements and compliance codes of good governance that require South African companies to retain and protect pertinent data for a period of time.

"The ECT Act and the King commission have focused attention on the necessity for the appropriate management and storage of information. Specific solutions that address only certain aspects of security do not meet the security requirements of an organisation either practically or legally. Our assessment process identifies and examines the key information assets of the organisation, including all networks, data centres, computers, hardware and software applications, as well as all processes and policies surrounding key data. Only once we know what a company's risk profile is, and what the impact of these potential threats are, will we recommend a solution that addresses company-wide security requirements," says Wilson.

He believes security need not be costly or complex - but is a priority.

"It all starts with defining and classifying the data you want to protect, and what you want to protect it from. Once that task has been accomplished, you can begin to prioritise according to your available budget. This ensures security becomes recognised as a critical component of your business operations," he says.

Danny Ilic, security expert from Computer Associates, explains that ICT security has reached its "fourth generation" of evolution. The first level was security card-based; the second was anti-virus- and firewall-oriented; the third was focused on identity management, and now the fourth is linked to legislation, with responsibility lying in the hands of management.

"According to our statistics, 98% of frauds nowadays originate from an internal source," comments Ilic. "Internal traffic has become critical to a company and should be managed in a way that does not compromise security within a company's network.

"At the moment, the biggest crimes involve the theft of sensitive information. The theft of hardware is minute in comparison to the losses being incurred by the theft of such data," notes Ilic.

The seriousness of the problem can be assessed from the fact that no company has ever had to close down due to a virus attack, but some have had to as a result of insider trading and similar crimes.

Ilic comments that, although the ECT Act does focus on security, it does have loopholes. For example, a person cannot be criminally charged if they do not physically break into a premise and pilfer documents. But the reality is that most criminals are stealing important information electronically.

He says South African companies are taking too long to get their security in order, and attributes this to the fact that there has never been a major security breach locally.

This might also be because local companies tend to adopt a reactive, not a proactive, stance. Another reason could be that a lot of firms focus on return on investment when it comes to technology, and that is one thing that is not easy to calculate when it comes to implementing security solutions.

Education needed

SA clearly needs a lot of educating on the security side. Ilic estimates that only half the country's big firms have security policies, and even fewer ensure their policies are adhered to.


Sean Reuben, CIO of Computer Sciences Corporation's South African operations, says it is not only client interface via Internet and e-mail that needs protection, but also every process level in the back-office. This is essential if a company is to assure data privacy, non-repudiation of the transaction, data integrity and trust to its clients.

"Robust security measures need to be in place to cover the communication links over which the information travels, the servers on which the databases and applications are hosted, the databases where information is stored and the application level, where there needs to be control over access levels and authorisation limits," says Reuben.

He adds that trust should be fostered between companies' IT security advocates and business users. However, attaining the correct level of assurance is essentially a cost-benefit trade-off, believes Reuben. Information security is first and foremost a business process. A well-defined security strategy is an enabler of business success, not an unnecessary burden on profitability.

By incorporating information security into their basic business plans, organisations are more likely to understand what vulnerabilities to act on, the risk they can afford to absorb and the risk they need to manage.

The cost-benefit of an investment in information security needs to be thoroughly understood, Reuben says - and that doesn't mean just in monetary terms.

"The cost of ultimate security is very rarely commensurate with the business value that is understood or realised. The only practical recourse is to identify the level of risk that an enterprise can safely tolerate, and implement safeguards to reduce the risk to that acceptable level," he says.

This concept of information risk management recognises that risks can be identified and mitigated, but never eliminated.
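The risk-management reasoning the experts describe above (Wilson's "risk factor and cost-based prioritisation" of safeguards, and Reuben's point that risk is reduced to a tolerable level rather than eliminated) can be made concrete with a small calculation. The following Python is an added example, not code from the article or from any of the companies quoted; it assumes a simple annualised-loss model (asset value x exposure factor x annual rate of occurrence) that the article itself never specifies, and every figure, risk name and safeguard in it is constructed sample data.

```python
"""Risk-based prioritisation of security safeguards.

Added example, not from the article. Assumed model (the article does not
specify one): annualised loss expectancy (ALE) = asset value x exposure
factor x annual rate of occurrence. A safeguard is worth buying when the
annual loss it avoids exceeds its annual cost; whatever loss remains after
the accepted safeguards is the residual risk the business must tolerate.
All figures below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # value of the exposed asset, in currency units
    exposure_factor: float  # fraction of the asset lost per incident, 0..1
    aro: float              # expected incidents per year with current controls


@dataclass(frozen=True)
class Safeguard:
    name: str
    risk: str               # name of the Risk this control addresses
    annual_cost: float      # yearly cost to buy and run the control
    effectiveness: float    # fraction of the annualised loss it removes, 0..1


def annualised_loss(risk: Risk) -> float:
    """The 'risk factor': expected yearly loss from this threat today."""
    return risk.asset_value * risk.exposure_factor * risk.aro


def net_benefit(risk: Risk, safeguard: Safeguard) -> float:
    """Yearly loss avoided by the safeguard minus its yearly cost."""
    return annualised_loss(risk) * safeguard.effectiveness - safeguard.annual_cost


def prioritise(risks, safeguards):
    """Rank safeguards by net benefit, highest first. A control with a
    negative net benefit costs more than the loss it avoids and ranks last."""
    by_name = {r.name: r for r in risks}
    scored = [(s.name, net_benefit(by_name[s.risk], s)) for s in safeguards]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def residual_loss(risks, safeguards, accepted):
    """Expected yearly loss per risk once the accepted safeguards are in place.
    Several accepted controls on the same risk combine multiplicatively."""
    residual = {r.name: annualised_loss(r) for r in risks}
    for s in safeguards:
        if s.name in accepted:
            residual[s.risk] *= 1.0 - s.effectiveness
    return residual


def above_tolerance(residual, tolerance):
    """Risks whose residual loss still exceeds what the business will absorb."""
    return sorted(name for name, loss in residual.items() if loss > tolerance)


# Constructed sample figures (not from the article).
RISKS = [
    Risk("web server defacement", 500_000, 0.10, 2.0),
    Risk("insider data theft", 2_000_000, 0.25, 0.5),
    Risk("laptop theft", 20_000, 1.00, 3.0),
]
SAFEGUARDS = [
    Safeguard("patch management process", "web server defacement", 30_000, 0.8),
    Safeguard("second firewall vendor", "web server defacement", 40_000, 0.1),
    Safeguard("access monitoring", "insider data theft", 120_000, 0.6),
    Safeguard("full-disk encryption", "laptop theft", 10_000, 0.9),
]
TOLERANCE = 40_000  # acceptable yearly loss per risk: a business decision


def plan(risks=RISKS, safeguards=SAFEGUARDS, tolerance=TOLERANCE, budget=None):
    """Accept safeguards in rank order while they pay for themselves and fit the
    budget (None = unlimited), then report the risks still above tolerance."""
    cost = {s.name: s.annual_cost for s in safeguards}
    ranked = prioritise(risks, safeguards)
    accepted, spent = [], 0.0
    for name, benefit in ranked:
        if benefit > 0 and (budget is None or spent + cost[name] <= budget):
            accepted.append(name)
            spent += cost[name]
    residual = residual_loss(risks, safeguards, accepted)
    return ranked, accepted, above_tolerance(residual, tolerance)


if __name__ == "__main__":
    ranked, accepted, unresolved = plan()
    for name, benefit in ranked:
        print(f"{name:26s} net benefit per year: {benefit:>12,.0f}")
    print("accepted:", accepted)
    print("still above tolerance, needs further treatment:", unresolved)
```

Run as a script it prints the ranking, the accepted controls and the risks left above tolerance; with the sample figures the "second firewall vendor" is rejected because it avoids less loss than it costs, and "insider data theft" remains above the tolerance even after monitoring is bought, which is exactly the residual risk that has to be consciously accepted, transferred or treated further. The budget parameter reflects Wilson's point that prioritisation happens "according to your available budget".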

"Add to this most basic of business requirements, the legal compliance issues, privacy protection obligations and very real technological challenges, and you begin to form a picture of the complex interdependences that make the practicalities of true information risk management both a challenge and a booming business," Reuben explains.

Race for compliance

Meanwhile, the race to comply with increasingly specific ICT security legislation holding company executives personally responsible involves acquiring the right tools to get the job done. If executives don't give the ICT department the right tools, the department is absolved of liability and it falls entirely on the executives' own shoulders. It is the executives that have a duty to customers, shareholders and employees to deliver effective ICT security.

The list of case studies where this was not achieved grows by the day. European examples include an Internet service provider (ISP), Exodus Communications, which was forced by a judge to temporarily shut down a few Web servers when it was found it was propagating a DoS attack on a Web hosting company.

A British ISP was forced to close its doors when a malicious hacker hit it with a DDoS attack.

The challenge companies such as these face is the pervasive use of the Internet, mobile workforces and advances in technology that have created a culture that expects real-time access to information and the ability to perform transactions at any time, anywhere.

Constant workforce changes stress manual business processes and information security and yet, to stay competitive and survive, companies must meet staff, client, partner and supplier access demands.

Careful management is the order of the day because one of the most common reasons for a failed security infrastructure is the lack of an information management system. But, in rushing to meet demand, identity information often proliferates across the organisation with the result that costs are increased, productivity reduced and security policies are inconsistently applied.

Unisys recently completed a primary research study, which yielded information on the mindset of security managers. They often cited the need for information security strategic planning, particularly relating to users.

According to the company, business challenges can be met with an effective identity and access management programme, and with a strategy aligned to address key business issues.

The problems

* Real-time access expectations;

* Collaborative business models;

* Regulatory compliance;

* Increased operational costs; and

* Mobility and volatility of the workforce.

Steps to resolution

* Executive sponsorship and consistent communication;

* Divisional support - everyone sponsors it in theory but nobody takes ownership;

* Stakeholder understanding of tangible business benefits;

* A detailed assessment of the current state of identity and access management systems, processes and procedures; and

* A well-prepared case, showing opportunity cost reductions, increased customer loyalty, revenue wins and stakeholder support.

Properly approached, the programme can support a powerful business strategy delivering improved quality management, efficient workflow and better relationships by empowering employees and enabling increased customer, supplier and partner intimacy.

James Lewis, Burton Group's CEO and research chairman, says: "The ability to manage identity has a direct impact on your company's brand and its ability to adapt to new business models. Do it well and your company can make money in new ways. Do it poorly and your company will be damaged severely."
