InformationWeek
Defining The Business Value Of Technology
| September 8, 1997 |
Security Survey: Is It Safe? (cont'd)
The fifth annual
InformationWeek
/Ernst & Young information security survey finds IT managers hiring more full-time security pros, centralizing protection, and drawing up recovery plans
Page 2 of 2
By
Beth Davis
Eye On The Spies
Although industrial espionage sounds like the stuff of spy novels, incidents are rising, experts say. This year's survey backs that: Of all U.S. respondents, 38% say they've
been the victims of industrial espionage, up sharply from about 6% last year. But when asked to estimate the financial impact of these probes and attacks, 84% said they did not know. "The real corporate jewels are a company's documents, CAD designs, marketing plans-things that you wouldn't want a third party to view and sell to the competition," says Steve Shaer, co-CEO and chief technology officer with Interactive Futures Inc., a security consulting and systems integration firm in New York. Interactive Futures helps client companies review security measures and test them against real threats. Often, the job includes trying to hack into a company's systems.
Industrial espionage is very real indeed, says David Remnitz, co-CEO and president at Interactive Futures. "We've run into it several times, and we've had customers ask us to investigate," he says. "Especially with the Internet making it easier to pass information, industrial espionage is a reality."
Oppenheimer's Patterson knows all too well abo
ut industrial espionage. In a previous job, he worked as an information security professional at an international shipping company. Several years ago, some employees obtained shipping schedules kept on password-protected systems and revealed the schedules to outsiders. Knowing when materials were being shipped, the outsiders were able to hijack the trucks and steal the goods.
The IW/E&Y survey shows that internal and external attacks are also up significantly. This year, 42% of all U.S. respondents reported external malicious acts, up from 16% last year. Similarly, 43% reported malicious acts from employees, compared with 29% last year. While the number of reported incidents has increased, the increases are tied to a greater number of Internet nodes, increased monitoring, and increased awareness.
Security experts say internal threats are far more common than outsiders hacking away at companies' systems to bring down the corporate network or steal valuable corporate data. "In my experience, we've never
been compromised nor experienced a loss from an unknown outsider gaining access and compromising a system," says Patterson. "But I've had lots of opportunities where people have pounded on the door and tried to get in."
Internal attacks are a different story. At Columbia Eastern Idaho Regional Medical Center, a recently fired employee compromised security. Before leaving the center, the employee--a member of the hospital's housekeeping staff-deleted several computer files, some of which contained historical data on the staff's budget, according to Frank Smith, director of IS at the center, a division of Columbia Health Care in Nashville, Tenn. Fortunately, Smith's staff had already begun an organizationwide project of backing up all files. "Had we not already done the backup, they would have had to go back and re-create all their budgets and re-key all the data," Smith says.
Don't Forget To Monitor
That's got some security advisers exasperated. "If you don't have some kind of process in place to do monitoring, then how are you going to know if you are attacked?" asks Ted Julian, a research manager with International Data Corp., a consulting and market research firm in Framingham, Mass.
In fact, it was constant monitoring and trend analysis that caught the thieves at the shipping company where Patterson worked. "We monitored employees' access to the particular transaction that contained shipping information, and they should have been accessing it only three or four times a day," he explains. "Just before the hijacking incident, it was accessed some 50 to 100 times a day." From there, the
FBI was brought in to set up a sting operation, and the hackers were caught.
Into The Breach
Unfortunately, 42% of the U.S. respondents who have business continuity plans don't test those plans. "Somebody has to do an ongoing assessment of the hardware and software security measures," says Beth Israel's Halamka. "Unless you have a person or a team doing that, the technology implementation will fail." (See chart "
Continuity Planning Rises. . . But Testing Stalls.
")
Centralizing security administration is a popular trend this year, with 82% in the Unite
d States and 80% worldwide doing so. This helps companies think in terms of security as a process, experts say. Companies should run their information security through a continuous loop that focuses on constant improvement. (See chart "
Centralized IS Security Is Popular Worldwide.
"
First, companies should develop and adopt corporatewide security policies. Then they should implement technologies to carry out those policies. Next, companies need to probe for security holes and monitor for intrusions. Then they should go back and review the policies. From there, they need to start the implementation process all over.
Still, companies should not view security measures as a way to eliminate all risks. Instead, they should see them as a way to manage those risks. The Internet boom, with all its risks, is driving corporate executives to do more than pay lip service to information security.
"It's like the automobile," says Machefsky of Giga. "If I told you 100 years a
go you'd ride around in a little steel box that could go 90 miles an hour, you'd have said that's crazy because it's dangerous. That's similar to the Internet. You accept the risks because the potential benefits carry the day. But it's all about risk management."
See related story "
Can You Trust Digital Certificates?
"
See related story "
The Government Eyes Encryption
"
|
