InformationWeek/Ernst & Young Security Survey
SECURITY
The good news: Respondents to our third annual security survey say their top managers finally grasp the importance of data security. The bad news: Hackers, viruses, and other scourges continue to plague corporate data.
By Joseph C. Panettieri
Issue date: Nov. 27, 1995
After years of denial, corporate America has finally recognized the importance of computer security. The problem can no longer be ignored. From the FBI's high-profile arrest of hacker Kevin Mitnick to Citibank's admission that $400,000 had been cyber-swiped from its electronic vaults, system breaches are prompting hurried meetings, not only in data centers but also in boardrooms.
Now, the challenge is to convert fear and uncertainty about insecure data into an unwavering managerial commitment to that data's security. "Lack of management awareness and budget are becoming less of an impediment to information security," says Daniel E. White, a partner and national director of information security effectiveness at consultants Ernst & Young LLP in Chicago. "The greater focus is shifting toward acquiring human resources and evaluating security tools and solutions."
For good reason. Each time a company deploys a new Internet gateway, LAN, or distributed client-server system, it risks leaving another virtual window ajar for cyber prowlers, disgruntled employees, or unethical competitors to climb through. Indeed, of the more than 1,290 respondents to the third annual InformationWeek/Ernst & Young Information Security Survey, nearly half say they suffered a financial loss related to information security in the past two years. The survey, which was completed in September, questioned information systems chiefs, information security managers, and other top-ranking technology managers in the U.S. and Canada.
Among the other revelations: At least 20 respondents say their information-security losses came to more than $1 million. Also, 85% of respondents say security risks have climbed in the past five years.
Much of the problem relates to client-server computing. "The escalating risks go hand in hand with the rise of distributed computing," says Ernst & Young's White. He notes that distributed systems are difficult to manage and secure, and they're often linked to the corporation's most precious data resource: the mainframe. (For more of White's comments, see Final Word.)
Ray Kaplan, a security analyst in Minneapolis, agrees: "As organizational structures are flattened, corporate reliance on the availability and integrity of information systems is becoming painfully obvious."
How painful? Just ask Greenwich Associates, a financial research and consulting firm in Greenwich, Conn., whose network was broken into via modem two years ago. The intruder, believed to be a former employee of the firm, used a stolen password to gain network access and deleted some of Greenwich's research information.
Special Threat
Teri Shaffer, senior manager of Ernst & Young's IS auditing and security practice in San Jose, Calif., says ex-employees pose a special threat. "Sloppy procedures around terminations and transfers of employees can result in a circumvention of even the best security controls," she says.
Greenwich has since purchased SecurID "smart cards" from Security Dynamics Inc. of Cambridge, Mass. The cards, which resemble credit cards, display a random access code for PC users. The code is updated every 60 seconds and is synchronized with Greenwich's server. "We're concerned about denial-of-service attacks, and SecurID has addressed that issue," says Mark Sirota, a systems and network manager at Greenwich who keeps a close eye on security issues.
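The server side of the time-synchronized token scheme described above, as an added example that is not from the article or from Security Dynamics: SecurID's own algorithm was proprietary, so this stands in the open HMAC-based HOTP/TOTP construction with the page's 60-second step, a one-step clock-drift window, and rejection of any code whose time step has already been spent, which is what makes a stolen or captured code worthless after a single login. The shared seed and timestamps are constructed values.

```python
import hmac
import hashlib
import struct

# Constructed demo seed shared between token and server (not a real key).
SHARED_SECRET = b"constructed-demo-seed-0123456789"
STEP_SECONDS = 60   # the refresh interval the article describes
DRIFT_STEPS = 1     # accept one step of clock skew either way


def time_step(unix_time: int) -> int:
    """Counter value for a given time: number of 60 s steps since the epoch."""
    return unix_time // STEP_SECONDS


def token_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP-style code (RFC 4226 dynamic truncation) for one counter value.

    The physical token computes the same thing from the same seed and its
    own clock, which is what 'synchronized with the server' means."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server side: checks a code against the current window and refuses replays."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_accepted_step = -1   # highest counter value already used

    def verify(self, code: str, now: int) -> bool:
        current = time_step(now)
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            # A counter value that has been spent is never honoured again,
            # so replaying a sniffed code after the real login fails.
            if step <= self.last_accepted_step:
                continue
            if hmac.compare_digest(token_code(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False
```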
One More Step
Many companies are going one step further by hiring an information security officer. These managers formulate and communicate a plan for guarding corporate data. Nearly 80% of companies surveyed, including giants such as Amoco, Boeing, Exxon, IBM, and Motorola, have at least one full-time information security director. That's up slightly from last year's 75%.
These information security officers are more likely to report directly to the IS chief. This year, nearly 45% of information security directors report directly to chief information officers, up from about 25% only two years ago. That's a strong indication that CIOs, and their top corporate managers, are increasingly concerned about securing corporate assets, says Ernst & Young's White. "The reporting structure for the information security head has clearly improved," he says.
Amoco, for one, is forging a tight bond between the CIO and the information security director. The $25 billion oil giant has had an information security officer for more than a decade, but it was only last year that the company made that position report directly to the CIO. Dick Fenlon, director of security and business resumption in Amoco's Chicago headquarters, says that's a big improvement. "I get more attention, rather than just ear-space, reporting to the CIO," he says.
Tightened bonds between security officers and CIOs have improved corporate awareness about security. Slightly more than 40% of survey participants consider management awareness a major obstacle to security, down from 50% last year.
Still, not all corporate security trends are so overwhelmingly positive. Fewer than a quarter of the survey respondents say CEOs and other senior managers view information and data security as extremely important, up a mere 2% from last year. "Without management commitment, the rest of the security effort means nothing," says consultant Kaplan. "If you're prepared to do whatever it takes to solve a [security] problem, you'll prevail. But companies have to remember that applies to security managers and determined hackers alike."
"Information security is not only a technical problem, it's a business issue," adds Fred Jones, director of information security services at systems integrator EDS in Dallas. "Companies with true vision are pushing information security beyond CIOs and out to the business managers."
Key to securing company data, Jones says, is informing employees of enterprisewide security policies. That's because one of the biggest security threats is employees, either disgruntled or simply lazy. "You can't hold anyone accountable if they don't know your policies," says Jones.
Boeing Co. agrees. The $20 billion aerospace giant posts security information on its internal World Wide Web server. Also, Boeing shows in-house-produced security videos to its 120,000 employees as part of their mandatory training. Only weeks ago, the company's CEO Leadership Council requested a two-hour security update from Rhonda MacLean, the Seattle company's senior manager for computing and communications security. "We've got executive buy-in at the top level," says MacLean. "Without it, we can't compete for funding."
Tools They Can Trust
But even with sufficient funding, corporations still struggle to find security tools they trust. In fact, 56% of survey respondents consider a lack of tools a major obstacle to information security, up sharply from 45% last year. "Vendors are behind the power curve," says Boeing's MacLean. "There are obviously more tools coming, but security is often an afterthought in their products."
Yet already the product choices for technology managers can be overwhelming. They include hundreds of firewalls that deny Internet joyriders corporate network access, and dozens of encryption packages that scramble data so it can't be read by wiretappers. "We're still not quite to a point where there's gobs of money being allotted to security," says Christian Byrnes, a program director specializing in computer security at the Meta Group in Stamford, Conn. "But at the rate we're going, it looks like 1996 is going to be the bust-out year for technology security gear."
Adds Bob Steinkrauss, president and CEO of Raptor Systems Inc., a firewall maker in Waltham, Mass., "Some companies need new workstations, others need new operating systems or messaging software. The one thing they all need is security gear."
One promising innovator is RSA Data Security Inc. of Redwood City, Calif. It develops encryption and authentication software that has been licensed by nearly 200 hardware and software suppliers. Among the latest licensees is Spyglass Inc., which plans to add RSA's security technology to its Web browser by year's end.
Though Netscape Communications, Microsoft, IBM, Digital Equipment, and a list of startups are developing Internet security gear, many questions remain. RSA and the U.S. government are locked in a patent dispute (IW, Nov. 13, p. 20), the government is limiting the power of encryption software for export, and Netscape has conceded security flaws in its Web software twice in recent months.
Predictably, vendors say brighter days will soon arrive. "A year ago, there were security concerns and no solutions," says Bill Gassman, technical marketing manager for Internet security at Digital Equipment. "Now we have a whole bunch of companies with solutions fighting to make one the standard."
A security standard would surely boost corporate use of the Internet. That's key, because the Net is the most promising infrastructure for "anywhere, anytime" electronic data interchange (EDI) between manufacturers and their customers and suppliers.
Fewer than a third of survey respondents say they're satisfied with Internet security, and only about a quarter of them are willing to use the Net for business purposes. "Everyone wants to conduct business on the Net, but they're not sure how," says Don Bromley, senior service manager at IBM Global Networks. "Some are scared silly of the Net; others don't know what it's all about. But most are on the scared-silly side."
"MIS says, 'Don't link to the Internet until we outline policies,' but business managers are jumping onto America Online and other services," says Steinkrauss of Raptor Systems. "It's similar to how LANs came in the back door a decade ago."
Clearly, the Internet remains a hacker's paradise. On Internet forums such as alt.2600, hackers openly discuss security weaknesses in Internet protocols, the telephone system, computer operating systems, messaging software, and desktop applications. The Net was also the highway allegedly used by hacker Mitnick to access Motorola's corporate network. It also was home turf for Justin Tanner Petersen, a hacker and former FBI informant who awaits sentencing for several computer-related crimes, including last summer's electronic heist of $150,000 from Heller Financial of Glendale, Calif.
In fact, one in five survey respondents say intruders broke into, or tried to break into, their corporate networks via the Internet during the past year. Of course, those are only the ones who know they've been hacked. "Intrusion detection is very difficult," says MacLean of Boeing. She believes it's "very fortunate" when companies identify a network breach because most go undetected.
One solution: Hire an outside firm to manage and monitor firewalls, which guard corporate networks from "curious" Internet wanderers. BBN Planet Corp., for one, offers round-the-clock firewall monitoring to customers that lack the time or expertise to guard against Internet break-ins. "Our engineers can watch your firewall and look for intrusion," says Paul Gudonis, CEO and president of BBN Planet in Cambridge, Mass.
But even this solution can bring trouble, industry analysts warn. Though outsourcing firewalls "can be a wise move," says Bill Malik, security research director at Gartner Group Inc., an IT advisory firm in Stamford, Conn., "such deals have to be negotiated with the potential damages in mind. Too often, such contracts are signed the way a kid signs his first lease out of college." A company that negotiates poorly, Malik says, could find itself with no legal recourse after a security breach occurs.
Forgotten Devices
Other critics argue that corporations are so preoccupied with Internet security that they've forgotten about securing desktops, servers, and other gear on private networks. After all, they explain, firewalls are required only because many devices on the corporate network are completely insecure. In fact, 60% of survey respondents who run vital business applications across LANs or Unix servers say these systems' level of security leaves them dissatisfied. Critics of Unix also note that it was designed to be an open operating system, with early iterations offering little or no security considerations.
Vendors are working hard to make Unix, Windows NT Workstation, and other operating systems comply with C2, a popular security standard that many government agencies and large companies are increasingly demanding adherence to. "I consider NT ahead of its time because of its C2 compliance," says Clea Bowe, a network specialist at Chevron Canada Ltd. in Vancouver, British Columbia, which runs NT.
Other operating systems are also acquiring security features. Novell's NetWare and IBM's OS/2 are expected to gain support for DCE (Distributed Computing Environment), which includes Kerberos, a highly regarded security scheme. Though Kerberos is promising, security analysts say server applications will need tweaking to leverage its technology.
The situation is no better on desktops. Microsoft's Windows 95, which seems likely to become the next corporate computing standard, has already suffered one known security scare. The problem was related to users leveraging Windows 95's peer-to-peer features to gain unauthorized "read-only" access to a networked PC's hard drive. Microsoft shipped a software patch in late October that corrects the problem, and it recommends NT Workstation rather than Windows 95 for PCs that require rigorous security.
"When you begin to think about a desktop being the client in a mission-critical client-server network, you begin to worry about security," says Bob McDowell, VP of Microsoft's enterprise customer unit. NT, he adds, is more secure than Win95.
Also of concern are new strains of computer viruses. Though viruses have stopped grabbing newspaper headlines, nearly 70% of survey respondents say their companies have suffered a serious virus attack in the past year, up from 54% two years ago. Boeing, for one, tracks the number of virus incidents it detects, as well as the impact of such incidents. That allows the company to properly adjust its antivirus efforts, if necessary.
Therein lies the lesson: Information security must be practiced each and every day. The good news is that top corporate and IS managers are increasingly tuned in to the issue. The bad news is that the challenge of finding the tools and recruiting the right people to achieve that goal has never been more difficult.
See related story, "For Data Thieves, Barracuda Is One Dangerous Fish"
InformationWeek http://techweb.cmp.com/iwk