The Going Gets Hot

Is that a bead of sweat on your forehead? The list of companies suffering customer-data losses keeps growing. Here's what you can do to avoid being next.
Companies need a better view of what attacks they're facing. Many have intrusion-detection systems, firewalls, and other security mechanisms, but each wave of attacks churns out more information to be monitored. For one major oil company, Accenture built a dashboardlike display that correlates data from the mix of network-security systems in order to develop a deterrence policy. "Companies have to get more sophisticated at analyzing and using data generated by systems at the edge of their networks," says Alastair MacWillson, global managing partner of security practices at Accenture.

In addition, the oil company set minimal levels of security for all Windows and Unix servers, then implemented a system to spot if any of the servers has been modified. "Everything, from servers to workstations to switches, needs to be configured with security in mind," MacWillson says. Application-level security also must be at least as strong as network security. "You can have a highly secure SAP system but overlook that it sits on a Unix server that's vulnerable to an attack from a virus," MacWillson warns.
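The baseline-then-detect-drift approach described above can be reduced to a small check. The script below is an added example, not code from the article or from Accenture or the oil company: it hashes a set of watched configuration files to establish a baseline, then re-checks each host for files that changed and for required settings that were weakened. The watched file name, its contents and the "minimum settings" policy are constructed for illustration.

```python
"""Added example: baseline-and-drift check for server configuration files.

Not code from the article; it illustrates the idea of fixing a minimum
configuration and then spotting servers that depart from it. The file,
its contents and REQUIRED_SETTINGS are constructed, not a real policy.
"""
import hashlib
import os
import tempfile

# Constructed minimum settings a hardened host must carry (assumption).
REQUIRED_SETTINGS = {
    "sshd_config": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
}


def sha256_file(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root, names):
    """Record a hash for each watched file under root."""
    return {n: sha256_file(os.path.join(root, n)) for n in names}


def parse_kv(path):
    """Parse 'Key value' lines (sshd_config style); skip comments and blanks."""
    settings = {}
    with open(path) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(" ")
            settings[key] = value.strip()
    return settings


def check_host(root, baseline):
    """Return findings: files that changed since baseline, and required
    settings that are missing or weaker than policy demands."""
    findings = []
    for name, expected in baseline.items():
        path = os.path.join(root, name)
        if not os.path.exists(path):
            findings.append(f"{name}: missing")
            continue
        if sha256_file(path) != expected:
            findings.append(f"{name}: modified since baseline")
        current = parse_kv(path)
        for key, want in REQUIRED_SETTINGS.get(name, {}).items():
            got = current.get(key)
            if got != want:
                findings.append(f"{name}: {key}={got!r}, policy requires {want!r}")
    return findings


def demo():
    """Build a constructed host, baseline it, weaken it, and re-check.
    Returns (findings on the clean host, findings after the change)."""
    root = tempfile.mkdtemp()
    cfg = os.path.join(root, "sshd_config")
    with open(cfg, "w") as f:
        f.write("# constructed sample\nPermitRootLogin no\nPasswordAuthentication no\n")
    baseline = take_baseline(root, ["sshd_config"])
    clean = check_host(root, baseline)      # nothing to report yet
    with open(cfg, "w") as f:               # someone re-enables root login
        f.write("PermitRootLogin yes\nPasswordAuthentication no\n")
    drifted = check_host(root, baseline)    # hash changed + weakened setting
    return clean, drifted


if __name__ == "__main__":
    clean, drifted = demo()
    print("clean host:", clean)
    print("drifted host:", drifted)
```

The hash comparison catches any edit, including ones the setting check would not understand, while the setting check explains which policy line was weakened; in practice the baseline store must live somewhere the checked host cannot write to, or a compromised server could simply re-baseline itself.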

Another weak link is the easy accessibility to data within companies. Businesses focus so much of their security efforts on the network perimeter that they tend to overlook what's going on inside the firewalls, says Doug Jacobson, director of the Information Assurance Center at Iowa State University, which operates a lab where companies can test their security processes.

Protecting hundreds or thousands of laptops used by on-the-go workers is another action item. Security is pretty tight when a laptop is docked on the corporate network, but security goes out the door--literally--when employees do. "Most databases have security mechanisms--such as encryption, IDs and passwords, logging--but the moment the data is outside the network, you've lost control," says E-Trade's Levine. "We as an industry haven't done our homework on maintaining the lock on data."

>> GET A SECURITY POLICY Obvious? Three in 10 companies don't have one, Deloitte says.
>> INVENTORY DATA What do you have, what's most at risk, and do you really need it all?
>> CONSIDER ENCRYPTION From Citigroup to Acxiom, many companies are encrypting more, both data in transit and at rest.
>> ENCRYPTING ISN'T ENOUGH Verify the source of data and its destination.
>> AVOID THE "BAGEL DEFENSE" Hard on the outside, soft on the inside. Use firewalls, but also protect key data inside and monitor it for suspect access.
>> SET A HIGH STANDARD Check your security against standards such as ISO, the British Standards Institution, or the credit industry's PCI. More security than you need? Make sure the CEO--no less--agrees.
>> WATCH YOUR FIREWALLS Use automated tools for monitoring firewall traffic that can reveal suspicious activity.
>> THINK BEYOND THE NETWORK Know all ways data can leave the network--laptops, backup transport--and consider what to do if it's lost or stolen.
>> INVEST WISELY Don't be content with the one security project that gives the biggest bang for the buck. Consider going farther.
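Two of the items above, monitoring firewall traffic for suspicious activity and watching key data inside the perimeter for suspect access, come down to automated review of deny and allow logs. The script below is an added example, not code from the article or from any vendor mentioned in it. It uses a constructed, generic log format (timestamp, action, source, destination, port) rather than a real firewall's syntax, and flags two patterns: one source hitting many distinct ports on a host within a short window, and an allowed connection to a watch-listed internal host from a source not on its approved list. The hosts, addresses and the approved-source list are constructed.

```python
"""Added example: automated review of firewall logs for suspect activity.

Not code from the article. The log format is a constructed generic one
(timestamp action src dst port), not any vendor's real format, and the
sample lines, hosts and approved-source list are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 is denied on many ports of one internal host
# within seconds; 192.168.1.20 is the one approved client of 172.16.5.10;
# 10.0.0.9 is allowed through to 172.16.5.10 but is not on the approved list.
SAMPLE_LOG = """\
2005-06-30T08:00:01 DENY 10.0.0.5 172.16.5.10 22
2005-06-30T08:00:01 DENY 10.0.0.5 172.16.5.10 23
2005-06-30T08:00:02 DENY 10.0.0.5 172.16.5.10 25
2005-06-30T08:00:02 DENY 10.0.0.5 172.16.5.10 80
2005-06-30T08:00:03 DENY 10.0.0.5 172.16.5.10 135
2005-06-30T08:00:03 DENY 10.0.0.5 172.16.5.10 139
2005-06-30T08:00:04 DENY 10.0.0.5 172.16.5.10 443
2005-06-30T08:00:04 DENY 10.0.0.5 172.16.5.10 445
2005-06-30T08:00:05 DENY 10.0.0.5 172.16.5.10 1433
2005-06-30T08:00:05 DENY 10.0.0.5 172.16.5.10 3389
2005-06-30T08:01:00 ALLOW 192.168.1.20 172.16.5.10 443
2005-06-30T08:02:10 DENY 192.168.1.20 172.16.5.11 22
2005-06-30T08:03:00 ALLOW 10.0.0.9 172.16.5.10 1433
"""

# Watch-listed internal hosts mapped to the sources allowed to reach them
# (constructed; in a real deployment this comes from the data inventory).
SENSITIVE_HOSTS = {"172.16.5.10": {"192.168.1.20"}}


def parse_line(line):
    """Split one constructed-format record into a dict."""
    ts, action, src, dst, port = line.split()
    return {"ts": datetime.fromisoformat(ts), "action": action,
            "src": src, "dst": dst, "port": int(port)}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_port_sweeps(records, min_ports=8, window=timedelta(seconds=60)):
    """Flag a source whose denied connections touch at least min_ports
    distinct ports on one destination inside a sliding time window."""
    by_pair = defaultdict(list)
    for rec in records:
        if rec["action"] == "DENY":
            by_pair[(rec["src"], rec["dst"])].append(rec)
    alerts = []
    for (src, dst), recs in by_pair.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Advance the window start until all records fit in the window.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            ports = {r["port"] for r in recs[start:end + 1]}
            if len(ports) >= min_ports:
                alerts.append({"type": "port-sweep", "src": src, "dst": dst,
                               "ports": len(ports),
                               "first": recs[start]["ts"].isoformat()})
                break  # one alert per source/destination pair is enough
    return alerts


def find_unexpected_access(records):
    """Flag allowed connections to a watch-listed host from a source that is
    not on that host's approved list (the 'soft inside' problem)."""
    alerts = []
    for rec in records:
        approved = SENSITIVE_HOSTS.get(rec["dst"])
        if approved is not None and rec["action"] == "ALLOW" and rec["src"] not in approved:
            alerts.append({"type": "unexpected-access", "src": rec["src"],
                           "dst": rec["dst"], "port": rec["port"],
                           "at": rec["ts"].isoformat()})
    return alerts


def analyze(text=SAMPLE_LOG):
    records = parse_log(text)
    return find_port_sweeps(records) + find_unexpected_access(records)


if __name__ == "__main__":
    for alert in analyze():
        print(alert)
```

The sweep threshold and window are tuning knobs; set them from a week of normal traffic before alerting on them, and treat the approved-source list as part of the data inventory the sidebar calls for, since an allow rule that was never reviewed is exactly how a "bagel" network ends up soft inside.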

What can companies do about all those mobile devices? For one thing, make sure their software patches are up to date. Microsoft, for example, touts the improved security in Windows XP, but that works only if transient machines have the latest upgrades. Other best practices include hard-to-crack passwords and VPN connections. Another obvious but sometimes overlooked measure: Don't leave untethered computers where thieves can grab them.

Business technologists should also consider implementing stronger online authentication and automating the process of analyzing logs and audit trails used to determine who has access to critical systems. BMO Financial Group is going that route, security manager Khindria says. A related tactic is to conduct regular network scans and penetration tests. E-Trade uses security software from Skybox Security Inc. to analyze known and potential vulnerabilities to network attacks, not just from the outside but from inside as well.

Businesses need to be brutally honest about how they're doing. MonsterCommerce Inc., which provides shopping-cart software for 5,000 online merchants, conducts quarterly code reviews to make sure there are no holes in its software, CTO Jen Heil says. It also has third-party companies perform semiannual audits and penetration tests, a critical element of any security program.

There's no shortage of benchmarks to help evaluate your security. One is the International Standards Organization's 17799. It's a clunker of a name, but it lays out a list of best practices, including business-continuity planning, system-access controls, physical and environmental security, and protection and confidentiality of information. An even more comprehensive certification standard, ISO 27001, which lays out requirements for an information-security-management system, is due later this year.

Another benchmark is the British Standards Institution's BS7799. And as of June 30, most companies that work with a credit-card company--like CardSystems, the one that exposed as many as 40 million cards--must meet a set of requirements called the Payment Card Industry Data Security standard.

Back at AAA Reading-Berks, the organization has engaged business-software vendor Campana Systems Inc. to redesign its programs for compliance with Payment Card Industry and other standards, Wallace says. The club plans on encrypting data for the first time, segregating its network for members, and providing certain information only on a need-to-know basis.

Some security-oriented changes may involve reworking entire business practices. ChoicePoint Inc., which got into trouble by revealing consumer information to identity thieves, responded by restricting the type of data it sells and to whom.

The lesson for other companies is to clean up their act or pay the price. Gartner analyst Avivah Litan says a Specter-Leahy bill would put "CEOs on the hot seat." Is anyone else feeling a little warm?
