July 12, 1999
More sophisticated cryptographic schemes such as public key infrastructure technology are gaining momentum. The number of companies using PKI software more than doubled from 6% a year ago to 13% this year, according to the survey. PKI software uses a string of numbers or keys to encrypt documents to protect them from unauthorized access and then decrypt them for authenticated users.
The system relies on certificate authorities, organizations that store in a database public keys that can be used to verify that the sender of a message or data is who he or she claims to be, and that the person who receives the message or data is the intended recipient. The certificate authority creates a digital certificate that verifies the sender's identity and that the document wasn't altered in transit.
Not surprisingly, industries that make the greatest use of encryption include banking (28% of data traffic is encrypted), telecommunications (24%), financial (24%), and computer (24%). Industries that encrypt 15% or less of their data traffic include insurance, retail, manufacturing, aerospace, transportation, energy and utilities, and education.
"Classifying data is pretty labor intensive," says Shaurette of American Family Insurance. Even companies that do categorize documents by security requirements only do so with the most sensitive documents, he says, and few bother to classify fields within a document such as Social Security or credit-card numbers.
In most cases, companies concentrate on protecting information in transit, Shaurette says, and that doesn't go far enough. "Data security implies securing something that is electronic," he says. "But it is information that is really valuable to the business--not pure data--so we need to put security practices in place that protect information when it is printed out and sitting on someone's desk or displayed on their screen."
Of course, monitoring how users treat information is made more difficult by the increased sharing of data between companies that are supply-chain partners or that use an industrywide extranet. Shaurette says communication about security policies--to users, partners, and suppliers--is essential.
Commitment From Above
This seems to indicate that growing numbers of upper-level managers realize that to keep a business running smoothly requires creating and supporting a secure information infrastructure. That, in turn, means tying together policy, practices, and people through communication and execution.
"When it comes down to it, the biggest risk is ignorance," Shaurette says. "Actually, it's the only risk. Ignorance is what ties together all the exposures that exist."
Illustration by Teofilo Olivieri
Some 30% of respondents say they use Secure Sockets Layer, a communications protocol developed by Netscape to encrypt data during transmission from a client to a server. A common part of E-commerce transactions, SSL encrypts data in transit between the client and server, but doesn't rescramble the data at the server itself.

Many respondents--40%--don't bother to classify their most sensitive data files and records. Of the 60% of respondents who say they do classify important data, 18% do it daily, 6% weekly, 10% monthly, 15% annually, and 11% occasionally.
For that kind of communication to become part of a company's culture, it takes a high-level commitment. The CIO, a VP, or a director of IS or IT is the one who sets the security policy at 52% of companies surveyed. And 47% say that same executive determines security spending levels. Interestingly, 30% say their company president, CEO, or managing director sets security policies, and 36% said the top executive sets security spending.