Threats against corporate data are on the rise, and more companies are suffering financial losses because of attacks on computer systems. A greater amount of information is vulnerable to theft, and senior management is becoming more aware of the need to boost security. That means companies are doing more to guard their information assets, right?
Wrong. Despite a plethora of new security tools, all the publicity about attacks, and the focus on the Internet, many organizations--and their top managers--still don't get it. What it all comes down to, experts say, is a dangerous security facade.
Indeed, information security at many organizations is still woefully lacking, according to results of the fourth annual InformationWeek/Ernst & Young Information Security Survey. "Everyone says awareness is up," says Scott Ramsey, Ernst & Young's national director of information security services in Cleveland. "Yet when you look at the security problems organizations are having, and [the] budget issues that keep them from hiring people and buying the technology they need, you see they're unwilling to make the investment in an adequate security strategy."
The IW/Ernst & Young survey, which was completed earlier this month, queried more than 1,300 IS chiefs, information security officers, and other high-level technology managers, both in the United States and Canada.
Perhaps the most disturbing finding is that measurable financial losses related to information security are appearing at a majority of organizations. Some 54% of the survey respondents said that their company suffered a loss related to information security and disaster recovery in the past two years. Include losses due to computer viruses, and the proportion rises to 78%.
Among organizations that suffered a financial loss:
How did the losses occur? Here's what the IW/Ernst & Young survey revealed:
More Risk
Organizations' information security risks have increased over the past two years, according to nearly two-thirds of the respondents. Nearly 40% said risks increased at a faster rate than the growth of computing resources in their companies.
A growing number of organizations are relying on the Internet and intranets--among the biggest perceived security risks--for vital business functions. About one-third use the Net for the exchange of important business correspondence or information externally, up from about one-quarter in 1995.
Recent, highly publicized attacks have brought heightened awareness about Internet security risks. In mid-September, business at Internet access company Public Access Networks Corp. (Panix) in New York was brought to a standstill after intruders bombarded the company's systems with electronic requests for information that disabled Panix applications for days.
This so-called denial-of-service assault has security experts particularly concerned. "There's no known solution," says Ken Cutler, a VP and security director at the MIS Training Institute in Framingham, Mass. "No one knows how to deal with it."
Even the most secure are not immune. Weeks earlier, hackers had broken into Web sites operated by the U.S. Department of Justice and the CIA, adding inflammatory text and messages to their sites.
Of those companies that monitor Internet activities within and outside of their walls, one-quarter reported that someone had attempted to break into their systems via the Internet. More than two-thirds of the managers are not confident that their organization's networks are protected from internal and external attacks.
But outsiders are hardly the only threat. "Disgruntled current employees and malicious former employees initiate most of the reported security incidents and probably cause most of the damage," says Bob Fish, senior VP of business development at WheelGroup Corp., a San Antonio provider of security services.
Many corporate chiefs are aware of the importance of data security: Nearly three in four survey respondents said their senior managers consider information security important or extremely important.
Yet despite this high level of awareness, many measures of information security are shockingly low. Nearly three-quarters of surveyed organizations have just three or fewer employees dedicated solely to information security. More than one in five said they have no employees dedicated to this function at all.
But when asked to identify obstacles to addressing security risks, managers most often cited a lack of personnel. "In a lot of cases, it's a budget issue," says Ramsey. "Organizations bring in more technology so they need fewer people. But management often doesn't take the time or spend the money to train people in how to use or protect the technology. Ironically, some of those people who are losing jobs end up becoming threats to the organizations' information security."
Both CEOs and chief operating officers need to be more sensitive to the "people issue," says Dennis Saccente, manager of information security at the Human Resources Information Services subsidiary of Fiserv Inc. in Melville, N.Y. "Because of downsizing, we don't have the people or resources to devote to training and testing new security tools," he says.
One huge problem for companies seeking help is that the demand for skilled people outstrips supply. "Companies are looking for information security people; I hear from headhunters all the time," says Tom Peltier, manager of computer security at Detroit Edison Co., a Michigan utility.
The smaller the number of security experts, the lower the awareness of the problem. "Security is still an afterthought at many companies," says one data security manager who recently quit his job at a major oil company because he felt he didn't have his bosses' support. "They knew it was something that needed to be addressed, but they were putting dollars into other things."
A recent mock "penetration attack" conducted by Ernst & Young against a multimillion-dollar manufacturing client illustrates just how lax some companies' physical and information security can be. A team of E&Y security specialists launched a simultaneous assault on the company's headquarters and five other sites. "They wanted us to hit them hard, as if we were hackers, to figure out where their holes were," says Ramsey.
Ramsey walked into the main office and distracted a receptionist by asking for directions while two cohorts walked up to a third-floor conference room. "That was the first hole," he says. "The receptionist shouldn't be responsible for security, but in that case she was."
Havoc Wrought
Later, Ramsey joined the others, and the group spent eight uninterrupted hours wandering through the client's building. By nightfall, Ramsey had entered the president's office. The executive's computer monitor was off but his CPU was on and he was still logged on to the network.
"I read his E-mail, looked at merger and acquisition material, and sent an E-mail to the VP of IS complaining about security and telling him he was fired," recalls Ramsey. "The point was, if I was someone else, I could have wreaked havoc on the organization."
Even more telling is that the president of the company and a handful of other managers knew about the mock intrusion in advance. "And yet they left doors wide open, documents and disks laying around with confidential information," Ramsey notes. The VP of IS, who wasn't really fired, knew about a lot of the holes and had told senior managers, but to no avail.
As part of another consulting engagement, Ramsey broke into a client's facility and walked out with $35,000 worth of notebook computers loaded with valuable data. "We waved in front of the video cameras, fully expecting to be caught, but no one came to get us," he recalls. "We see this all the time. Companies have an attitude that they won't be hit or that they've done enough. You can't put in monitoring and surveillance devices and then not use them."
Adds Winn Schwartau, president of security consulting firm Interpact Inc. in Seminole, Fla.: "It comes down to arrogance and apathy, the 'It can't happen to me' syndrome."
What's the answer? Security proponents say business leaders need to look at information security as a "value-add" or a perceived benefit that directly adds to the bottom line. "It can be an enabler, a technology weapon," says Ramsey. "But most managers don't look at [it] this way."
"Right now it's viewed as an overhead," adds Joe Bentfield, manager of security consulting at Ameritech's offices in Waukesha, Wis. "Unless there's a quantitative risk, business decision-makers are reluctant" to spend money on security. "We need to find ways to show that something such as access control is worth an increase in revenues or in productivity," he says.
MIS Training Institute's Cutler adds, "A lot of organizations don't put their best people, their shining stars, on security. It's seen as a necessary evil, with no perception of value. CEOs don't see benefits such as more reliability of systems, less confusion and better productivity."
This will change, Cutler believes, as more financial audits reveal that lax security translates into unavailable systems, jeopardized resources, lost money--and a compromised competitive position. "We find that if a company has an audit practice, it will have to upgrade security, especially if it has links to the Internet."
Says Fiserv's Saccente: "There are more audit concerns, and rightfully so. They are coming in and putting a new emphasis on data security." He says auditors are pushing for the same levels of data security that existed when mainframes dominated the computing scene.
Cutler says it takes "an IS or security officer with some vision" to change attitudes about security. That raises the question of whether information security should be a function of IS at all, and whether security--as a corporate function--is moving away from IS responsibility. About one-third of this year's IW/Ernst & Young survey respondents said the most senior information-security person in their organization reports to a non-IS executive, up sharply from 1995 results.
Don't Pass The Buck
Joseph Thompson, VP of MIS at Stone Container Corp., a Chicago manufacturer, speaks for many CIOs: "IS management needs to be proactive in ensuring that the corporation has secure data," he says. "I may not have direct control of security, but I have to make sure we have someone who does. Management looks to me as the person they're relying on for security."
Many companies, of course, already have the full support of senior management when it comes to security--and it's paying off. Bell company SBC Communications in San Antonio has a "security awareness campaign" that includes a video on policies, intrusions, and how technology and good work habits can prevent breaches.
"Everyone in the company [including the CEO] is required to watch the video," says Jackie Grindler, manager of technical security at the telecom company. "It's easier to get people to watch a video than read a 60-page manual."
SBC also gives out cards with security tips and it awards employees when they take steps to boost security, Grindler adds. "Every employee in the company knows they're responsible for security," she says. The campaign has resulted in a huge increase in the number of employees reporting what they suspect are security breaches.
Eliminating Weaknesses
A CIO at a large manufacturing company, who asked not to be identified, said his company conducted a major study to determine security strengths and weaknesses. "We're eliminating the weaknesses wherever we can, and we're hiring someone who will be dedicated to information security," he explains.
Certainly, there's no shortage of software tools to boost security. Vendors are developing stronger firewalls, more effective encryption technology, and even hardware devices to prevent theft. Even so, "technology keeps evolving and security has to catch up with it," says Ameritech's Bentfield. "We're one step behind, like the Panix attack showed."
But all the technology in the world won't help if no one knows how to use it. "Technology alone cannot provide security," says Bentfield. "It takes an entire process or methodological approach to provide constant awareness of potential vulnerabilities."
See sidebar: "Security Survey Data Points" for more data collected from the Security Survey.
http://www.informationweek.com