Why are business technology professionals so ambivalent about IT security? They acknowledge that the threats to computer systems keep growing in number and sophistication, yet they think they've got the problem under control. For the naively confident, there could be costly consequences for their companies and customers.
InformationWeek Research's ninth annual Global Security Survey, conducted in partnership with Accenture in May and June, shows across-the-board threats to business computing environments. Fifty-seven percent of U.S. companies surveyed report being hit by viruses in the past year, 34% by worms, and 18% by denial-of-service attacks. Network attacks and ID theft were experienced by 9% and 8%, respectively. It's no wonder that 48% of the 2,193 security professionals and business technology managers who completed the survey say managing the complexity of security is their top challenge.
[Photo caption: GM's Litt: Safer software is the answer. Photo by Chris Lake]
We thought they were overly optimistic then, and we'll repeat our warnings here: The ready-for-anything attitude prevalent among IT pros is dangerous. Despite the many defenses that have been put in place--antivirus software, firewalls, intrusion detection and prevention systems--business computing isn't invincible. Given all the data breaches and exposures we keep learning about, a degree more wariness is in order.
Notably, IT professionals in other countries are somewhat more cautious in their assessments: 13% of respondents in Europe, 16% in China, and 24% in India say their organizations are more vulnerable to the many dangers confronting them than they were a year ago.
Why do things keep getting more complicated? Each new product that comes in the door--from mobile devices to portable storage to Web-based collaborative applications to voice over IP--adds a new security twist. The threats are more sophisticated, and the attacks more numerous. Security professionals and business technologists cite a long list of challenges, including raising user awareness (41%), enforcing security policies (36%), controlling system access (26%), and getting more resources (23%).
The hot-button issue over the past 12 months has been data loss to theft or negligence. When a Veterans Affairs Department laptop and removable hard drive containing 26.5 million personnel records was stolen in May, it underscored the risk to other organizations. "Events drive business decisions," says Alastair MacWillson, global managing partner of Accenture's security group. A year ago, the driver was malware attacks; this year, it's data loss and theft.
Customer data breaches are on the rise. Data is the central commodity for attackers who want to commit fraud or profit from identity theft, and increasingly security pros find their systems in the crosshairs of profit-seeking criminals, not just thrill-seeking troublemakers. In last year's survey, only 6% of U.S. companies reported that customer records had been compromised in some way, and only 5% encountered identity theft. This year, those percentages almost doubled, to 11% and 9%. The problem is worse in China, where 23% of companies said customer data has been compromised and 27% have been involved in some way with identity theft.
Highly publicized breaches have led to at least 33 state laws created to force businesses to report customer data losses. Congress is mulling several bills aimed at stanching the flow of lost consumer and financial data.
Leo Dittemore, director of IS security administration at HealthCare Partners, took the VA data theft as a wake-up call to push security initiatives at the insurance and health care company. Employees download patient data onto laptops, and Dittemore is sure some staffers take that information home. "I'm all for people doing work on their own time," he says. "But the data has to be protected." It would be difficult for HealthCare Partners to prohibit employees from working with data after office hours, since the company makes money based on the amount of work it does with those files. "It's a pay-for-performance model," Dittemore says.
HealthCare Partners lacks internal rules about when employees can download patient information; Dittemore is writing a policy to govern data use and movement.
"The VA got everyone's attention," agrees Joel Garmon, director of information security for Florida Power & Light, which is reassessing how it stores customer data and who has access to that information. "We're restricting some access and tightening controls."
Technology and training are important to preventing customer data breaches, which also have struck American International Group and Fidelity Investments, among others, this year. Most businesses have policies that outline system and data access for employees, but those rules vary significantly in what they govern, according to our survey. Among U.S. companies, nearly two-thirds of security policies lay out who has access to data and how it can be used. Slightly more than half of policies explain where customer data can and can't be stored. European companies are more likely to formalize rules on who has access to customer data and where it can be stored.
Only 28% of U.S. security policies state that customer data must be encrypted, a shortcoming that has cost organizations that lost data. Enterprise security policies in China and India are much more likely to state that all customer data must be encrypted.
In an attempt to protect customer data, U.S. companies are informing employees about privacy standards (64%), securing Web transactions (52%), and encrypting communications (42%) more than companies in other countries. Nearly half of U.S. companies monitor employees' inbound e-mail and Web site usage, while more than a quarter monitor use of instant messaging and the content of outbound e-mail messages.
The most frequently cited consequences of security breaches are network and application downtime. Companies have a harder time pinning a monetary value on them. Among those experiencing a breach, a quarter of U.S. and European companies and nearly half of Chinese companies couldn't quantify financial losses. But it's obvious the losses can be serious. A former UBS PaineWebber systems administrator is on trial for allegedly planting a logic bomb that took down about 2,000 servers and interrupted the work of 8,000 brokers throughout the United States. The cost of getting systems back up and running was estimated to be $3.1 million, including overtime, assistance from IBM, and other emergency measures. The company has been unable to quantify the attack's impact on revenue.
Mutual insurance firm Amerisure protects its systems using two-factor authentication from RSA Security. The company also has begun rolling out Citrix thin-client access to 450 Wyse terminals, eliminating the need for remote workers to connect via dial-up. The terminals don't contain a hard drive or a floppy drive, making it more difficult for users to tote around data. "There's nothing to steal when you steal a thin client," Amerisure enterprise architect Jack Wilson says. Amerisure has about 80 laptops in the field, most used by managers, and Wilson plans to turn those into Citrix-based thin clients early next year.
Employee-facing technologies such as identity management systems play a growing role in protecting data. Sometimes it comes down to basics. HealthCare Partners recently lengthened employee passwords to eight characters from six, and it's considering using single-user sign-on to multiple systems. More advanced security measures include proximity badges and biometrics tools to control access to workstations used by multiple health care professionals. An unusual sticking point with biometrics in a health care environment like HealthCare Partners' is that users sometimes resist the idea of touching sensors that may collect germs. Employees don't want to take off their rubber gloves to give a fingerprint, Dittemore says. Only 9% of U.S. survey respondents use biometrics as part of their access-control systems.
While a company's employees, both current and former, pose a security threat, more than half of business technology professionals agree that security technology, policy, and training can do little to stop employee security breaches. Inside threats are a bigger issue for U.S. companies than in other parts of the world. Nearly a quarter of U.S. companies cite authorized users or employees as the cause of an attack in the last year, compared with 22% of businesses in India, 15% in China, and 11% in Europe.
Many IT security managers say the proliferation of external threats occupies too much of their time for them to focus on attacks from within. "Those people are driven and are hard to stop," says Joe Dial, information security administrator with Siemens VDO Automotive, who adds that overreacting to internal security threats could block employees from information they need to do their jobs. "I can't have security be an impediment to productivity. That's the conundrum."
The biggest insider threat is an administrator or records clerk who abuses his or her ability to access data without permission, Dittemore says, but he concedes that preventing such a scenario isn't a top priority. The bigger job, he says, is controlling data and managing external threats.
Wireless security has become a higher priority as workers increasingly demand mobile access to applications and data. Wireless network security is a "tactical" security priority over the next 12 months at 25% of companies in the United States, 23% in Europe, 19% in India, and 16% in China. Likewise, as more businesses deploy voice-over-IP systems, VoIP security is growing in importance, too.
Nevada's Clark County used to focus its security efforts at the network perimeter, but that model doesn't work as well in an environment where users connect to their networks wirelessly from a variety of devices. The county has implemented a network access-control system from Cisco that blocks devices that aren't up to snuff with antivirus signatures and software patches. Clark County plans this month to begin evaluating VoIP as part of a broader effort to integrate its networks. However, VoIP introduces a new security threat to county employees and residents. "You can't compromise your voice communication infrastructure because of a network problem, such as a denial-of-service attack," Clark County CIO Rod Massey says. Initially at least, the county won't include emergency 911 phone service as part of its planned integrated network.
Security products must become more effective and easier to use and manage, Massey says, adding that reactive approaches to antivirus protection and software patching aren't enough. On the network security side, General Motors chief information security officer Eric Litt favors technology that uses heuristics to monitor network behavior and flag anomalous traffic before it becomes a problem. "There isn't time for us to react any more," he says. "Our systems have to react for us."
At Amerisure, only a quarter of enterprise architect Wilson's time is devoted to security issues. Still, that's up about 10 percentage points from last year because the company is making its systems more accessible over the Web to its highly mobile workforce. Nearly 20% of Amerisure's 800 workers are logged on remotely at any given time. In addition to making workers more productive, mobile Web access lets Amerisure expand without having to invest in larger facilities.
How To Sell It
Security spending is growing at many companies, but not everywhere. Spending on information security is budgeted to increase this year at 57% of Indian companies, nearly half of U.S. companies, 42% of Chinese businesses, and a quarter of European companies. On average, more than 10% of IT budgets is spent on information security.
The wrong way to go about getting more money for security is to treat it as an overhead expense or cost of doing business, Accenture's MacWillson cautions. Instead, "the key is to demonstrate how a secure IT environment allows businesses to grow," he says. "Online banking is a great example of where security has been an enabler because, without security, no one would trust their account information to a Web site." The same goes for supply chain integration as businesses seek secure connections to their partners.
Town North Bank in Dallas is spending more on IT, but CIO Gary Farrar says it's hard to specify how much is earmarked specifically for security. "I'm not sure how I would isolate dollars spent on security," he says. "Every time we implement a new project, security is one of the areas we take into consideration."
At HealthCare Partners, the security budget is less than 1% of total IT spending. Dittemore finds himself competing with every other IT initiative--and the rest of the company--for money. Florida Power & Light spends about 4% of its IT budget on security, but that may grow this year as the company implements a user provisioning system for identity and access management.
Regulations are forcing companies to re-evaluate their security initiatives. In the United States, Sarbanes-Oxley (41%), the U.S. Homeland Security Act (25%), and the USA Patriot Act (23%) have forced companies to change their security practices. In Europe, 30% of companies have made adjustments as a result of the EU's Data Protection Directive. In China, 27% of firms report changing security policies to comply with the Bank Secrecy Act.
Given all the challenges and requirements, it's surprising that more companies don't have dedicated professionals managing their top-to-bottom IT security. Only a third of companies surveyed have a chief information security officer overseeing IT security policy and technology.
Array Of Perils
Companies haven't lost sight of the little things. Viruses, worms, spyware, and spam are more than nuisances--they're top priorities for anywhere from a quarter to two-thirds of companies around the world. And the threat of destructive e-mail attachments hasn't disappeared. Thirty percent of U.S. companies say e-mail attachments were a method of attack in the past year.
Significantly, fewer companies (28%) experienced attacks in the past year because of operating system vulnerabilities than they did in 2005 (43%), and reports of viruses and worms declined, too. Unfortunately, as these threats lessen, others grow in severity.
In China, a quarter of respondents report that their organizations had to deal with identity theft in the last 12 months, nearly three times the rate in the United States and Europe. Viruses and worms are the most-often-cited security breaches in India.
"There's lots of stuff coming out," says Florida Power & Light's Garmon, though nothing as scary as some of the destructive worms of the past. "Everyone's got antivirus, practically everyone's got firewalls, and lots of companies have intrusion prevention."
But those baseline security systems are only a first line of defense, and determined cybercrooks have shown, repeatedly, that they're able to break through. Security managers would do well to remember that their jobs don't reward success as much as they punish failure.