Actually, when it comes to computer security, it's a small--and threatening--world. A global reach calls for global security measures.
The main problem for many businesses is simply keeping up with the number of threats, the speed with which they attack, and the number of patches they must test and deploy to protect their systems. The Blaster worm first struck on Aug. 11 and within a week infected more than 1.4 million systems worldwide, even though a patch was available to protect systems. Clearly, many people--mostly home users, but many businesses and government entities around the world--hadn't bothered to install the patch; those who had installed it helped keep disruption to a minimum.
ABN Amro, an international bank with 3,000 branches in more than 60 countries, understands the importance of keeping security up to date. Following the Nimda and Slammer attacks, "we identified impacts on revenues in the tens of millions of dollars, mostly because of trading systems that went down," says Craig Hollenbaugh, head of standards and controls in the bank's wholesale division.
ABN Amro relies on a technology unit in the United Kingdom to analyze security threats and determine how urgent it is to install patches. Based on the unit's evaluation that Blaster posed a high-risk threat, the bank moved aggressively to patch systems. "We threw everybody at it and performed integration testing to make sure the mission-critical applications worked with the patch," Hollenbaugh says. "We fared well with this one."
Even when the threat is clearly understood and a patch is available, security managers can face resistance. At Prudential Financial Services Inc., which has offices in more than 25 countries, some business units didn't want to take the time to install software fixes. "They were questioning why we were putting them through this patching misery," says Ken Tyminski, chief information security officer. "They had to bring in developers who had to work late, and other projects had to be put on the side."
The cost of being secure can be daunting: Between 200 and 300 application developers did tests to make sure the patch wouldn't hurt Prudential's most important applications, and more than 150 people spent several days installing the patch throughout the company's IT infrastructure.
Those efforts, combined with tighter security policies, ongoing security-awareness training, and properly placed defensive technology, all worked together to keep Blaster at bay. To improve security even more, Prudential is completing a rollout of 20,000 copies of Sygate Secure Enterprise, which provides desktop firewall and system-security policy enforcement, to remote and mobile employees. That should help the company enforce security policies, as well as increase control over and reduce the cost of managing remote systems, which often provide the hole through which viruses and worms enter company networks. "It was a good feeling knowing it was out there," Tyminski says. "We had another layer of protection in our defenses."