July 10, 2000
E-Security:
The New E-Security Frontier
continued...page 2 of 2
North America, Western Europe, and Asia accounted for 83% of revenue losses from pirated software. If business leaders fail to maintain lawful standards within their own companies, internal E-security vigilance is doomed. This is particularly true for unauthorized internal access.
And the feedback is consistent. About 90% of the security in place across the Internet is ineffective. Only 10% of Web sites practice good security methods, says Thomas Longstaff, manager of research and development for the Computer Emergency Response Team at Carnegie Mellon University's Software Engineering Institute.
An Internet security task force with members such as Cisco Systems, CMGI, and Verio found in a survey of E-businesses that as many as three-quarters of the businesses connected to the Internet have at least one of 20 known security holes. While some businesses take steps such as installing firewalls to protect themselves, most fail to employ adequate safeguards.
There's room for corporate E-security improvement. It may sound simplistic, but failing to plan will result in failure.
More than 1,800 security experts at last year's SANS99 Federal Computer Security Conferences identified the top seven management errors leading to computer security vulnerabilities:
Your review should include the following checklist of questions:
Next, establish E-security requirements by employee status and the content being accessed. Employee level does matter: a security breach at the executive level and one at the clerical level produce very different threat profiles. Professional staff, particularly those with IT duties such as programmers, analysts, communication specialists, and database administrators, are especially sought-after targets for remote intrusion or theft.
The content being accessed should also be assessed. Is the information secret, confidential, internal, or public?
Duties, employee level, and functional relationship (for example, external supplier, contractor, or consultant) interact to define the authorized access profile of the mobile worker.
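To make those three dimensions concrete, here is an added example (not part of the article) that encodes content classification, employee level, and functional relationship as a deny-by-default access profile and evaluates requests against it; the relationship baselines, level ceilings, duty grants, and worker names are assumed values for illustration.

```python
"""Added example: derive an authorized-access profile from content class,
employee level, and functional relationship, then check requests against it.
The policy tables below are assumptions, not the article's own rules."""
from dataclasses import dataclass

# Content classes named in the article, ordered least to most sensitive.
CLASSIFICATION = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Assumed baseline: highest class each functional relationship reaches by default.
BASELINE_BY_RELATIONSHIP = {
    "employee": "internal",
    "contractor": "internal",
    "consultant": "internal",
    "supplier": "public",
}
# Assumed ceilings by employee level; they raise the baseline only for employees.
CEILING_BY_LEVEL = {"clerical": "internal", "professional": "confidential",
                    "executive": "secret"}
# Constructed duty grants: resources unlocked by an assigned IT duty.
DUTY_GRANTS = {"dba": ("customer_db",), "programmer": ("source_repo",)}


@dataclass(frozen=True)
class Worker:
    name: str
    relationship: str      # employee, contractor, consultant, supplier
    level: str             # clerical, professional, executive
    duties: frozenset      # e.g. frozenset({"dba"})


def access_profile(w: Worker, duty_grants: dict = DUTY_GRANTS) -> dict:
    """Return the highest class the worker may read plus the named resources
    that assigned duties grant explicitly (access tied directly to duties)."""
    ceiling = CLASSIFICATION[BASELINE_BY_RELATIONSHIP[w.relationship]]
    if w.relationship == "employee":  # level only matters for staff
        ceiling = max(ceiling, CLASSIFICATION[CEILING_BY_LEVEL[w.level]])
    resources = set()
    for duty in w.duties:
        resources.update(duty_grants.get(duty, ()))
    return {"max_class": ceiling, "duty_resources": frozenset(resources)}


def is_authorized(profile: dict, resource: str, classification: str) -> bool:
    """Deny by default: allow only within the class ceiling or by explicit
    duty grant. Anything else is a denial worth logging and reviewing."""
    if resource in profile["duty_resources"]:
        return True
    return CLASSIFICATION[classification] <= profile["max_class"]
```

A denied request is the signal the article's review step is looking for: it shows where a role's duties and its granted access have drifted apart.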
The next step involves evaluating mobile Internet-access resources for potential E-security threats. Remote access is typically through an Internet service provider, digital subscriber line, or cable-services provider. Typically, mobile workers are supported by IT, and the Internet service provision is a company responsibility not normally subject to individual worker preference.
For policies in this arena, security administrators must establish vendor guidelines that fully support effective data and worker protection. When mobile workers use personal equipment and select online vendors, major security gaps are likely to occur. The challenge here is to balance privacy, cost, and protection. The company's security administration should be responsible for this.
Next, the IT department should review the interaction between system access policies and worker privacy and access rights. Not only must there be sophisticated worker and usage profiles, but there must be an examination of how access relates to responsibilities. Once the function-content relationships have been established and risk profiles defined, ISP security profiles become important.
Once policies and procedures have been put in place, it's time to select and install E-security software to maintain security from the outside in. Finally, the security infrastructure should be tested to ensure it works as envisioned.
Is all this possible? Yes. Should this take forever? No. The size and nature of your company will, to some degree, dictate how you implement your security plan. Dictating that all systems be totally secure, regardless of exposure, isn't always realistic. Small companies with limited intranets and brochurelike Web sites have only a few critical segmented systems to protect.
Midsize companies with some distributed systems, linked WANs, integrated enterprise systems, and interactive Web sites will require significant security upgrades to counter the visibility and attention they draw.
Large enterprises with major stakes in E-commerce, online sales, and supply-chain operations will require ultimate security protection, with constant vigilance to avoid catastrophic system intrusion, compromise, and damage.
Obviously, agreement among security administrators, senior IT managers, and company executives is mandatory to implement the necessary security.
Identifying the security threats, establishing new communication paths internally, and gaining high-level commitment are essential to ongoing security maintenance. E-commerce requires consistent and effective security protection. Anything else spells expensive and potentially devastating destruction.
Dr. Martin Goslar is a principal analyst and managing partner of E-PHD.COM, an E-security research and analysis firm. He can be reached at Comments@E-PHD.COM
Illustration by Bill Schwartz