Business Technology: It's Time To Stop Playing Chicken With Cybersecurity
Why are so many of us doing so little about cybersecurity? Why do so many companies continue to tolerate unsecured systems? Some insight might lie in the research done by a physician in Vienna, Austria, more than 150 years ago, Bob Evans says.
Now, it's certainly possible I'm making way too much of this. But let's for a moment just pretend that I'm not--here are a few data points you can consider: in 2003, lost productivity caused by employees having to deal with spam cost companies an average of $874 per employee. Scary stuff, eh? But it's a fairy tale compared with this year, as that cost has jumped about 120% to $1,934 per employee. Say you work in a small-to-medium-sized business with 500 employees--that's almost $1 million flushed down the drain due to spam--and that doesn't even take into account some related costs such as IT personnel's time, software and hardware costs, and clogging of networks.
Or how about this: in a forthcoming InformationWeek Research global survey of 7,000 business-technology and security professionals, 83% of North American companies say that security breaches and malicious-code attacks will be more of a threat this year than they were last year. And in spite of those escalating threats, 38% of North American companies say they will be spending less on information security in 2004 than they did in 2003. Have those 1,200+ companies that say the threats are escalating but their spending's diminishing found a truly better way to spend less and get more, or are they being monstrously irresponsible?
Here's one reader's view of what might happen: "It will be some whopping, system configuration/registry eating, denial-of-service, file-corrupting polymorphic stealth goody. It could install through a fundamentally nonpatchable design flaw in a ubiquitous piece of software that has massive distribution. Or maybe it will be just another stupid-user E-mail attachment trick. To be truly deadly it will activate itself just a bit here and there, so that by the time people figure out they're infected they don't really know what they lost or when it started, but certainly, most people won't even have enough generations of backup to recover their lost files and data. If it's really clever, it will modify a program that's often running anyway. (Quite frankly, I feel many people are capable of creating this monster, but are at least for now wise enough to direct their talent elsewhere.) But I believe it's coming. And so do others. The resulting chaos and loss of productivity will be unbelievable. And then there will be outrage and change that will cause software to be rewritten the way it should have been to begin with."
Is your company prepared? Do you have unsecured systems? Do you have a rigorous information-security strategy and set of policies that the executive committee has read, understands, supports, and promotes?
To shed some light on our widespread denial, here's a life-and-death story from 157 years ago in Vienna, Austria. More important, it also offers hope: if we act now, if we animate the corporate will to make this a top priority, if we recognize that unsecured systems and other security vulnerabilities are financial time-bombs ticking away in our midst, and if we take the steps necessary to mitigate that risk, then we will have won a great victory.
The story involves a Hungarian physician by the name of Ignaz Semmelweis. No, he didn't have to deal with cybersecurity in the middle of the 19th century, but he confronted a problem every bit as vexing: he set out to convince the scientific community and the world that germs exist, and that germs can cause disease. When he first raised this theory, he was greeted mostly with scorn--and those who didn't call him a fool laughed at him. But he persevered in his work, and his breakthrough came in 1847 when he reduced the mortality rate in a maternity ward from 13.1% to 2.8% by convincing doctors that if they continued to go directly from examining cadavers to examining expectant mothers without vigorously washing their hands in between, then the invisible germs on their hands would continue to kill 13 out of every 100 pregnant women they treated.
Today, in our modern world of objective research, it seems almost impossible to believe that anyone could ever have disagreed with Semmelweis's theory. Yet here we are, under siege and in increasingly mortal danger from cyberattacks that we tend to dismiss as either not there at all, or as harmless; or we view ourselves and our companies as beyond their reach, securely outside their infectious embrace. And each time we do, we provide more material for others a few years from now to look back upon and wonder, "What were those people thinking? Why didn't they do anything?"
There's still time. But not much.