Welcome Guest. | Log In| Register | Membership Benefits
News In Review

September 8, 1997

Security Survey: Is It Safe?

The fifth annual InformationWeek /Ernst & Young information security survey finds IT managers hiring more full-time security pros, centralizing protection, and drawing up recovery plans

Page 1 of 2

By Beth Davis

To discuss this story visit InformationWeek Online Shop Talk

illustration T he Internet's battle cry-Arm your defenses!-can be heard in corporate America's executive offices. And companies are responding: More are hiring full-time IT security professionals, more are centralizing their IT security, and more are developing business plans that include re covery strategies in the event of a break-in.

There are numerous tools available to help protect corporate networks. New technologies such as digital certificates and virtual private networking provide ever-higher levels of security. Finally, organizations can better manage their risks.

But according to the fifth annual InformationWeek /Ernst & Young Information Security Survey, the war's not over yet. The IW/Ernst & Young survey, completed in July, drew responses from 4,226 IS chiefs, information security officers, and other high-level technology managers worldwide. This is the first time that the IW/E&Y survey has included IT managers in countries outside the United States. Of the total group, 627 are based in the United States. (For more on the survey's methodology, see story, " How We Got The Numbers .")

Among the survey's main findings: Security breaches are on the rise; intranets bring vulnerability; viruses are still a threat; and industrial espionage is real.

Security breaches have made IT security professionals wary. Indeed, more than 75% of the 627 IT managers and professionals surveyed in the United States believe authorized users and employees pose a threat to the security of their systems. Also, nearly 70% of the U.S. respondents see computer terrorists as a threat. Another 42% also see a security threat from competitors. Even service providers, consultants, and auditors are suspect, according to 61% of the U.S. respondents. (See chart " Perceived Threats. ")

Slim budgets still inhibit many IT departments from protecting the security of their systems. Nearly 60% of the U.S. respondents to the survey cite lack of money as an obstacle in addressing security concerns. Without money, implementing security is difficult at best. (See chart " Top Security Obstacles. ")

Corporate America has long identified information security as a major concern. This year, nearly three-quarters of U.S. respondents say information and data security is important to their organizations' senior managers. Two years ago, less than 65% said the same thing. (See chart " Executive Buy In .")

But this growing concern hasn't always translated into action. Companies have been reluctant to spend money on security because it's so difficult to prove that security serves the bottom line. For all too many companies, security has been viewed as overhead.

The Internet is changing that perception. It's opening doors of business opportunity and giving top-level managers reason to get serious about security. But at the same time, the Internet is opening doors in IT infrastructures, making them more vulnerable to attacks.

"Security is being viewed as a business enabler," says Scott Ramsey, national director of information security services at Ernst & Young in Cleveland. "Management is beginning to understand that there's no silver bullet to security, so they have to provid e resources. They're realizing security is an ongoing process-not a project-so they're hiring full-time professionals."

Ira Machefsky, a VP at consulting firm Giga Information Group's Santa Clara, Calif., offices, agrees that IT security has become a vital issue to IT and senior corporate managers alike. "Security is off the back burner," he says. "In the old world of private networks, you get security through the privacy of the network. In the new networked world, you want to keep the bad guys out, but you also want to let the good guys in."

Of all respondents worldwide, 70% have Internet connections. The United States is more aggressive: Among U.S. IT managers, 82% link their corporate networks to the Internet. This year, 22% of U.S. respondents say they're moving vital data on the Internet. Worldwide, only 10% made the same claim.

Expert Approach
To beef up security, companies have been hiring full-time IT security experts. "We believe there are people out there who pose threats," says John Halamka, a senior associate at Harvard Medical School's center for clinical computing. Halamka, who is also an emergency-care physician at Beth Israel Deaconess Medical Center in Boston, is overseeing the development of an intranet called CareWeb that will be shared by six hospitals, including Beth Israel, in the Boston area. Partly in response to that threat, Beth Israel has hired a full-time IT security officer. "We need to be more savvy ourselves," Halamka says.

In this year's survey, 70% of the U.S. respondents say they have at least one and as many as four full-time professionals dedicated to information security. That's up from last year, when just 60% of those surveyed said they had one to six full-time information security professionals. (See chart " Increasing Security Staff ."

Not surprisingly, U.S. shops show a greater need for security professionals. Insufficient staff has always been an issue for IT shops in general, and even more so with sec urity. Last year, nearly 60% of the survey respondents cited human resources problems as an obstacle to ensuring IT security. The good news: This year, only 55% make the same complaint. Worldwide, the news is even better: Just 41% cite lack of human resources as an obstacle.

At Oppenheimer- Funds Inc., officials also realized that a beefed-up security team would let the company make better use of Internet access as well as remote access and telecommuting. The New York mutual funds firm recently hired its first VP of IT security, Jim Patterson, and 10 other IT security professionals. Oppenheimer also boosted its IT security budget by about 20%, with another 10% to 15% increase likely for the next budget. Before hiring Patterson's team, Oppenheimer didn't have anyone directly assigned to IT security. "Security is fairly important to OppenheimerFunds, and my being here is a manifestation of that," Patterson says from Englewood, Colo., where the company's IT unit is based.

Often, it's a breach of IT secu rity that propels a company to hire full-time security staff. National City Corp., a Cleveland bank that does business in Ohio, Indiana, Kentucky, and Pennsylvania, had always taken IT security seriously with a centralized, full-time staff of 15 devoted to data security. But when a computer virus recently brought down operations for two days, it cost the bank at least $400,000. That spurred the hiring of yet another full-time employee: a professional to launch a defense against viruses.

National City isn't alone, as computer viruses continue to be an expensive threat. A virus "infects" other programs by embedding a copy of itself in them, and it can do so without the user's knowledge. Viruses are most commonly spread on diskettes and files that contain embedded viruses. On PCs and other systems with poor security, a virus can even infect the operating system. Some 13,000 viruses have been identified, of which about 230 are circulating and able to harm computers. New ones are being written every day.

Paying The Price
With so many viruses at large, it's not surprising that slightly more than half the U.S. respondents to the survey have been hit by a macro virus. Of this group, 40% report losses of up to $100,000 from macro viruses. Similarly, nearly half (47%) report losses of up to $100,000 due to other types of viruses. The actual figures could be even higher, says Roger Thompson, director of antivirus research at the National Computer Security Association in Carlisle, Pa. "Pretty much everybody has been nailed," he says.

The Internet, intranets, and other corporate networks are making viruses even more dangerous. The virus that brought down National City's operations last year, for example, spread throughout the company's Novell NetWare environment to nearly all of the bank's 300 file servers and 10,000 client workstations across six cities in four states.

Originally, the virus infected the bank's network from eight newly purchased notebook PCs, according to Greg Schubert, National C ity's senior VP of corporate computers and communications. Though the bank's IT administrators checked two of the notebooks before hooking all eight to the network, the virus was too new for the company's antivirus software to detect. As the virus spread, users started to call the IT department, reporting that they couldn't log on to their computers. "We began looking at whether it was a security logon problem or a Novell NetWare problem. We concluded it wasn't either, and once we found out it was a virus, we shut down operations to contain it," says Schubert. "We had no idea whether it was affecting files, or what."

Luckily, the virus didn't wreak havoc on National City's corporate data. But because operations went down, the IT department had to mobilize application-development teams to build workarounds. "We had to provide ways for people to get information that they otherwise would have gotten from the network," Schubert says. That meant relying on hard-copy printouts and re-establishing 3270 terminal connections. Two days later, with the help of IBM, National City eradicated the virus. But the attack left an indelible mark. "It served as a serious wake-up call," says Schubert. "We now understand what risks are involved, and we're better prepared."

Today, for example, National City severely restricts the number of people who have universal access to file servers. In fact, only one or two people have systemwide access, Schubert says. Also, the full-time virus administrator makes sure that all the systems are protected and that all antivirus software updates are done at least once a month.

Unfortunately, there are fewer tools to help protect against more-abstract security threats, such as malicious hacks from both internal and external culprits, and industrial espionage.

Continue on to page 2


Back to News in Review

Send Us Your Feedback

Top of the Page