Management Takes Notice

IT security has been the realm of pager-toting technical specialists like Jason Painter, the corporate Webmaster for Coherent Inc. On his day off a few weeks ago, Painter remotely accessed the company's servers to check their status when the Code Red virus posed its greatest threat. Status: No problem.

Increasingly, as the threat of viruses, worms, Web-site attacks, and electronic fraud grows across the business world, Painter and security experts in other companies are finding new allies in their fight against network break-ins: senior business executives. The defense shield against E-intruders is broadening as VPs, CFOs, and even CEOs play a more direct role in setting security policy--and in determining where and how to invest in protection.

InformationWeek Research's fourth annual Global Information Security Survey, fielded by PricewaterhouseCoopers, documents a jump in management-level attention to IT security issues. The survey, completed by 4,500 security professionals in 42 countries, found that 41% of CEOs, company presidents, and managing directors are now involved in setting security policy, and 52% of those top execs have a say in security spending. Both figures are more than 10 percentage points higher than a year ago. "For a company like ours, there are two most valuable assets: our people and our proprietary information. That's what drives senior management and security here--protecting our information," says John Ambroseo, Coherent's chief operating officer.

Coherent, a $568 million manufacturer of lasers in Santa Clara, Calif., is among a growing number of companies in which business and technology managers at all levels work together on security. The need for system security was driven home a few years ago when, as a test, an IT staffer broke into the company's Web site and changed the prices listed there. "We decided to take application security seriously," Painter says. "We were leery about application hacking, of some hacker coming in and stealing sensitive information." Coherent now uses Sanctum Inc.'s AppShield to "lock down" its Web servers. Painter credits the software with stopping Code Red from infecting its servers.

At other companies, high-profile Web attacks and viruses, as well as a realization that unintended privacy breaches can seriously damage a company's reputation, also have gotten through to the upper echelon of management. "And that's translated to senior executives' making sure they have the right security in place," says Kerry Williams, acting president and CEO of ERisk Holdings LLC, a risk-management software and services company. "At the very basic level, you can lose sales, and a breach can impact revenue generation. The worst case is that if your system does become compromised, all of your customers lose confidence in your security and systems."

John Brennan, president, CEO, and chairman of financial-services firm Vanguard Group Inc., pays close attention to the security practices at his Malvern, Pa., company. "Your clients and stockholders have to presume that you view the integrity of your systems as paramount because this has become a front-burner issue in popular America," Brennan says. "I don't think you can overstate how important the issue is from a CEO perspective."

Mark Lobel, senior manager of technology risk services for PricewaterhouseCoopers, calls the increasing involvement of top management a "positive and promising" development. "For something that's not a bottom-line driver in most companies, the fact that it's moving up the corporate chain means they're scared or they just believe in it," Lobel says.

There's plenty to worry about. The CERT Coordination Center, which tracks security violations, had 15,476 incidents reported in the first six months of this year. That number is on track to easily surpass last year's total of 21,756. CERT identified 1,151 vulnerabilities, or known ways that hackers can break software or enter systems, in the first half of this year, more than all known vulnerabilities last year.

The latest big scare came from Code Red, a malicious worm that infected Windows-based servers over the Internet in July, bogging down performance for legitimate traffic. At the height of the problem, CNN and other news outlets carried hour-by-hour updates as the virus slowed some Web sites to a crawl. FBI managers in white shirts and dark suits held press conferences that were broadcast on national TV, warning business owners of the risks.

Even so, many businesses got hit by the bug. "We were hard-pressed to find a large company that wasn't impacted internally," says Peter Tippett, vice chairman and chief technologist for TruSecure Corp., another risk-management company. More than half of 300 companies TruSecure surveyed experienced "internal disasters," which Tippett defines as 25 or more simultaneous system infections or a large segment of a network or a division brought down for repairs, as a result of Code Red. A typical outage for a large company lasted 36 hours, Tippet says.

Only 5% of survey respondents say security breaches had a major impact in the past 12 months. But the mere threat of being seriously compromised hangs like a cloud over companies. Among those that have been caught off-guard this year: A hacker accessed JDS Uniphase's earnings information before it disclosed a $50 million loss; VeriSign mistakenly gave digital certificates to someone posing as a Microsoft employee; and Flooz.com, an E-payment company, was reportedly the victim of credit-card fraud on the Internet.

The costs associated with security breaches can add up quickly. Research firm Computer Economics estimates Code Red alone will wind up costing businesses more than $2 billion in downtime and repairs. Based on the data from the 2001 Global Information Security Survey, InformationWeek Research estimates the cost of security-related downtime to U.S. businesses in the past 12 months at $273 billion. Worldwide, the tally was a whopping $1.39 trillion.

Our survey took two measures of the cost of viruses, network break-ins, and other encroachments: downtime and dollar value. In the first, 12% of respondents--down from 17% last year--indicate their companies suffered a total of more than 24 hours of system downtime in the past year. And only 4% of respondents say their companies' losses exceeded $100,000 in the past 12 months.

That's the good news. The other side of the story is that many security experts have a hard time translating network breaches into hard-dollar estimates. What's the tangible cost when a hacker defaces a Web site or views sensitive internal data? How many customers or potential customers walk away when service reps can't access their records because a mainframe required emergency service? What's the price when dozens of employees call the help desk because their PCs have been infected?

A third of respondents to the InformationWeek Research survey threw up their hands, answering that losses were unknown. "Companies typically don't estimate their cost attributed to breaches very well," says Charles Neal, a former cybercrime investigator for the FBI and VP of cyberterrorism and incident response with Exodus Communications Inc. "My experience shows only a very few large companies even try to estimate cost in a structured way."

Roughly speaking, another third of respondents say they didn't suffer any financial losses because of security breaches in the past 12 months, and one-third put the cost at $100,000 or less. But TruSecure's Tippett doesn't buy those results; he says security managers are notorious for lowballing business losses. "They almost always underestimate," he says.

When the Melissa virus struck a couple of years ago, TruSecure conducted a study to gauge the damage. The average loss was an almost insignificant $1,700 per company. But when it probed further, TruSecure found that Melissa knocked PCs and servers out of commission, sometimes for days, at the companies it surveyed. "They weren't taking into account lost productivity," Tippett says. Indeed, senior managers tended to be much more inclusive when calculating the costs of security breaches, Tippett says, with estimates that were seven and a half times higher than those from IT staff.

Vanguard CEO Brennan scoffs at the notion that hack-attack triage can be limited to a few thousand dollars per company. "I can assure you we never had a virus that only cost us $1,000," he says. "We measure all downtime here in seat minutes--how many minutes was somebody's system down, times the number of people who weren't available. The numbers are big."

He's right. The largest companies that Information-Week Research surveyed, those that have annual revenue exceeding $500 million, tend to report higher losses. Three percent of those big businesses peg the cost of security breaches during the past 12 months at more than $1 million.

So, just what kinds of deviance are at work? And who's to blame? By far, computer viruses and worms are the biggest nuisances, affecting two-thirds of respondents. From there, the numbers drop considerably, with 15% reporting denial-of-service attacks and 12% unauthorized network access. Among the most worrisome kinds of breaches: 8% report identify theft and 7% cite fraud.

The culprits in order of frequency are hackers, employees, former employees, customers, competitors, service providers, and suppliers. Did we say customers? You read that right. Customers are the fastest-growing group of electronic intruders, cited by 14% of survey respondents. A year ago, customers were blamed by only 5% of respondents.

Simply keeping track of the incessant growth of threats has become a challenge in itself, says Chris Joy, VP of global IT security for London investment brokerage Dresdner Kleinwort Wasserstein Ltd. "At the end of last year, our staff was monitoring about 30 security-related mailing lists," Joy recalls. "It was a big resource drain, having our people go through these lists trying to find vulnerabilities that might pertain to our systems."

Joy turned to security firm Vigilinx Inc., which now delivers security-warning bulletins to Dresdner. "We're getting clear information for the platforms we're running," he says. The service saves the company's security team hours each week. "You have to have this kind of information at your fingertips to at least keep up with the hackers," Joy says.

Despite the growth of threats, a fifth of companies report they didn't detect any form of breach or espionage within the past 12 months. That may be because it's happening behind their backs. "There's truth to the old hackers' joke," says Frank Prince, a security analyst with Forrester Research. "Good hackers are famous; great hackers are anonymous."

Too often, companies aren't aware their networks have been compromised, Exodus' Neal says. When Exodus' incident-response team is called by a client that suspects it's been hacked, "over half of the time they're under the impression that this is the first incident," Neal says. "But our investigation shows that they've actually been hacked for months."

To get in, intruders are exploiting operating-system vulnerabilities about a third of the time. Other common techniques include access through undetermined applications, cited by 27% of respondents, and guessing passwords, by 22%.

Businesses try to ward off these attacks in a variety of ways. Nearly half of survey respondents were tipped off to intruders by analyzing server and firewall logs; 41% were alerted by colleagues; 37% used intrusion-detection systems; 24% noticed damaged data; and 19% got a heads-up by suppliers or partners. "To stay safe, you have to review your applications and conduct code reviews and risk assessments," says Van Nguyen, director of information security for shipping company American Presidential Lines. "It's the Wild, Wild West out there."

One potentially troubling finding in the survey was that 39% of companies don't classify the sensitivity of their data. "If you don't know how much something is worth, it's kind of hard to determine how much you should spend to protect it," says Pete Lindstrom, a security analyst with Hurwitz Group.

Who determines how IT security budgets are spent is also changing, reflecting a broader trend in which senior business executives micromanage technology investments in today's tough economy. In addition to CEOs paying greater attention, CFOs and financial directors are involved at 44% of companies, a jump from 28% in the 2000 survey.

The best hope businesses may have for fending off growing security threats may be well-defined policies and practices. But in this regard, many companies are poorly prepared. Half of the security managers responding to our survey say their companies have some kind of written policies--but that means the other half don't. Indeed, 7% say their companies have no security policies at all. PricewaterhouseCoopers' Lobel recalls a recent conversation with a client about security policies: "They said they didn't want to create another level of bureaucracy and reams of paper that no one will read." Lobel couldn't believe his ears. For businesses to ward off security threats, he says, "you have to at least establish a policy."

John Hartmann, VP of security at Cardinal Health Inc., a $48 billion pharmaceutical and medical supply wholesaler in Dublin, Ohio, agrees. "I don't know how you would accomplish even a minimum level of security without a policy that's aligned with your business objectives," he says. In matching security policies to business goals, businesses seem to be doing better. Only a quarter of respondents say their companies' security policies are either unaligned or poorly aligned with business goals. As more senior executives get involved in security policy making and spending, that should narrow the gap even further. "The more senior-level management gets directly involved in security, the more changes for the better and investment," Hartmann says.

InformationWeek Research asked IT security professionals about their strategic and tactical priorities for the months ahead. Enhancing network security ranks at the top of the strategic list, just as it has for the past 12 months. The only other strategic area to get increased attention: expanding security budgets. Eleven percent of survey respondents say their companies will spend more than $1 million on security software, hardware, and other expenses this year. Another 22% will spend $100,000 to $1 million. Forrester Research estimates the overall security market will grow from $5.7 billion last year to $19.7 billion in 2004.

Among their tactical concerns, respondents say they will de-emphasize containing virus threats and installing firewalls while putting more energy into establishing security reviews. That approach doesn't sit well with PricewaterhouseCoopers' Lobel. "The numbers suggest companies don't get that security is a process," Lobel says. "It looks like they're saying, 'OK, last year we solved antivirus, this year we're going to solve intrusion detection.' It doesn't work that way."

Obstacles to effective security include lack of time, capital expense, and the need for training. The complexity of security technology is also near the top of that list, and it's something that security vendors hope to address with new tools that are expected to be available in coming months. The demand for third-party tools to manage security hasn't been high, says Gartner analyst John Pescatore--but that may change as companies continue to grapple with the complexities of available technology and limited internal resources.

Wayne Browning, VP of risk management with FleetBoston Financial Corp., recently turned to security management vendor e-Security Inc. and its Open e-Security Platform to help manage FleetBoston's security products and track security problems. Browning says it's been a costly struggle to have many staffers monitoring intrusion-detection systems, firewalls, and routers--and still not have the benefit of real-time monitoring.

It took a fair amount of work to integrate e-Security's product with the SNMP traps and event logs already being generated, but the payoff has been worth it, Browning says. Aside from having a clearer picture of system security at any time, FleetBoston has become more proactive in monitoring its systems. "Let's just say people were doing things they probably shouldn't have been doing," he says.

That's one sign of progress at one company. Yet, if current trends hold, with three new security vulnerabilities being discovered every day, there will be more than enough to keep security managers busy for the foreseeable future. American Presidential Lines' Nguyen says that means security managers need to stay focused on the tasks at hand. "Most of the hackers out there are opportunists," he says. "They're taking advantage of the fact that companies are deploying, and have deployed, E-commerce applications without building the foundation first for security."

A year or two ago, that message might have rung true for other security managers but never made its way up the corporate ladder. More CIOs, CFOs, and CEOs are involved in security policy making, but their effectiveness will be measured by how much better businesses get at dealing with the problem. "This is the real deal now," Vanguard's Brennan says. "It's no longer a curiosity issue. It's a business-to-business issue, an employee-relations issue, and a consumer issue."

Illustration by Richard Borge