Be Prepared: Gartner Outlines Top Security Risks

The research firm says companies must cut through the hype to develop a coherent security plan

With the war in Iraq now in its second week and with security a global worry, what better time to delve into the defensive and protection issues enterprises will face through the end of the year?

Market research firm Gartner obviously thinks so. It released a report that leverages the news to put corporate security front and center. At the just-concluded Gartner Symposium/ITxpo in San Diego, where Gartner brought together thousands of IT professionals from companies both in the United States and overseas, analyst Victor Wheatman outlined a top-10-plus-one list of security issues businesses will confront during 2003.

The challenge that companies face, he said, is in cutting through the hype--from grandiose promises by security providers to worrisome news running on cable channels around the clock--to develop a coherent security plan for the year, and prioritize the most important issues.

"The economic downturn and buyers' remorse over previous grand-plan security initiatives are in balance with a defensive stance driven by modern political realities," Wheatman said. "The result is that enterprises tend to implement products and services that are 'good enough', while navigating through minefields of overpromoted products, or products so advanced, the need is not readily apparent."

To help companies put things in perspective, Wheatman assembled a list of the year's top IT security concerns that businesses and government organizations should consider.

- Web services security: With security standards still in a state of flux, Wheatman recommended caution in deploying Web services across enterprise perimeters in 2003.

- Wireless LAN security: Although progress is being made to secure wireless networks, rushing to deploy wireless poses a major threat of information theft, Wheatman said. In addition, he noted the ongoing underground movement to tap into hot spots, including those maintained by businesses, opening up the potential for service and bandwidth shoplifting.

- Identity management: Identity theft is rampant, and is mostly accomplished by mundane means such as "dumpster diving." It's crucial that companies have identity management and provisioning plans in place to prevent workplace identity theft, and educate workers on the dangers of the crime, Wheatman said. And although some vulnerabilities exposed by poor identity management are rarely hyped, simply because they've been around so long, they remain potent threats.

- Role of security platforms and intrusion-detection systems: Security systems are evolving from after-the-fact detection software into platforms that focus on prevention of intrusions before they occur. That's a good thing.

- Correlation of events for reporting, monitoring, and managing consoles: Companies should consider deploying console software that correlates data across all parts of the network so that they can determine if an attack against one part of the infrastructure is related to a problem on another.

- The next Code Red/Nimda: These two attacks cost businesses $3 billion in lost data and time, Wheatman said. Even more damaging assaults are likely, so companies must do everything possible to minimize vulnerability, including putting patch-management policies in place--one of the key lessons learned from the recent Slammer incident.

- Instant messaging security: Instant messaging and other peer-to-peer programs create holes in the network's defenses, particularly since many users are deploying IM on their own, without the knowledge of the IT staff. Securing IM, or at least setting usage policies, will continue to be an important issue in 2003.

- Homeland security: Still getting underway, the Department of Homeland Security will need to be addressed by some industries and, of course, by local, state, and federal government agencies.

- Tactical to infrastructure security: As part of the nation's move to wider security concerns, Wheatman recommends that companies shift their strategies from strictly tactical security solutions to put attention on the security of the overall infrastructure.

- Protecting intellectual property: Protecting information assets, whether proprietary data or patents, should be a security priority for all enterprises, Wheatman said, to prevent corporate espionage. Annual losses to U.S. businesses from pilfered trade secrets may be as high as $1 trillion.

- Transaction trustworthiness and auditing: Recent business scandals such as those that hit Enron and several accounting firms show that every company should improve the trustworthiness of its transactions and provide audit trails.