IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
March 8, 2002

In line with online

How long will it be before data terrorists target your company’s electronic assets? Electronic – or IT – security is now a major problem for businesses around the globe. According to the 2001 annual Computer Security Institute study conducted by the US Federal Bureau of Investigation, computer viruses plagued 94% of over 500 companies surveyed Stateside. More than 60% of those corporate concerns reported a financial loss due to security breaches, a loss averaging out at a hefty $2 million.
The terrorist attacks of last September raised the profile of e-security issues among top managers on an exponential basis – and not before time. Simultaneously, the recent waves of redundancies driven by media rhetoric concerning a global recession have left employees concerned over their own job security. More importantly, perhaps, ex-employees are left with a perfect motive for malicious damage, theft and electronic fraud.
As a direct result, IT security system providers’ stocks have been talked up by the markets – but can these companies really deliver on end user expectations? The general feeling is that yes, they can – but only if significant changes take place in the industry’s structure, and in corporate attitudes to boot.

Learning about the four ‘A’s
Before proceeding any further, it’s essential that security managers get to grips with some terms of reference. For starters they need to understand that electronic security encompasses much more than Internet security. It concerns the protection of any electronic data, whether or not that data travels on the World Wide Web. It truly is a vast field for consideration, taking in consumer-focused virus protection, intrusion detection for corporate networks and digital rights management for content providers.
Thankfully, there’s a simple industry taxonomy. Most e-security products fall into one of four categories, collectively known as the four ‘A’s: authenticate, authorise, administer and audit.
Authentication tools such as Public Key Infrastructures (PKIs) (‘Encryption decrypted’, SMT, May 2001, p69) validate or authenticate the identity of participants in an electronic conversation or transaction.
Firewalls authorise only certain visitors to access the computer or servers they protect.
PMI (or Privilege Management Infrastructure) tools help administer company policies that lay down who is authorised to see and/or modify certain data, while forensics tools audit or dissect an electronic crime scene – identifying who has broken in, and what they did while behind electronic company walls.
Explosive growth in both corporate and consumer use of the World Wide Web – a famously open and decentralised infrastructure – coupled with an increased focus on e-business within the boardroom continues to offer malicious hackers, criminals and corporate spies ever-expanding opportunities and incentives to practise their ‘art’. “Malicious activity is endlessly innovative,” said Frank Price, analyst at Massachusetts-based IT research concern Forrester. “The bad guys will lie awake at night trying to figure out how they can damage your data. It’s their job.”
In reality, the whole process might be likened to an arms race: e-security product vendors erect defences against one form of data attack, forcing hackers and would-be saboteurs to seek new points of entry to the network. This forces vendors to upgrade their armoury. And so the process continues.
Based on interviews with 50 Global 2,500 companies prior to 11 September, Forrester Research was predicting that US companies alone would be spending an average of $4.5 million on e-security in 2002 (a figure that totalled $2.9 million in 2000). Another analyst – JP Morgan – suggests that global security software revenues will grow to $16.2 billion by 2004. In the wake of the terrorist attacks on the US, these figures will almost certainly need to be revised upwards.
End users’ appreciation of the e-security risk is now far greater. According to a 3i survey – entitled ‘e-security: 2002 and beyond’ – of both US and European e-security vendors conducted between July and October last year, lack of client awareness was already diminishing as a problem. At last! Corporate concerns may not be throwing around acronyms like PKI with abandon these days, but they know full well that they must evaluate their exposure to IT security risks in all its forms.
The scale of the perceived threat is also changing. Thus far, e-security expenditure has clustered around obviously sensitive sectors (eg financial services and Government departments). And with good reason. Post-New York and Washington, however, it’s clear that ANY business relying on the storage and transmission of electronic data – and, these days, there aren’t too many that don’t – is under threat.

Rising electronic risk premiums
What’s the likely end result of all this for the security manager, and the industry in general? For one, electronic risk premiums will (continue to) rise in anticipation of higher claims. Premiums will begin to reflect the quality of the underlying IT infrastructure (potentially reflecting differences in vendor platforms) and the rigour with which organisations administer their networks (including the organisation of external audits of network security).
Changed corporate attitudes to general operational risk are also likely to affect the demand for e-security products. Mirroring the World Trade Centre disaster, rethinks are now under way about the value of a central office location for businesses. The on-going threat of terrorist attack – and it’s a very real one – is likely to boost demand for dispersed office locations and teleworking. In turn, this will lead to a rise in the need for secure remote access to networks.
Tough talk from the US Government and, indeed, Westminster about securing “back door” access to all encryption products as part of the war on hackers serves to make such products less effective. However, in a climate of heightened uncertainty, risk and increased Internet usage, the demand curve for e-security products from IT and security managers can only become steeper.
Question is, can the industry deliver? It probably can, but there’ll need to be a spirit of co-operation between vendors and end users.

Supply and demand: the vendors
Competition among e-security software vendors is nothing if not intense. At least 80 start-up companies have surfaced in the past year alone. In reality, that’s far more than the industry needs (a feeling backed up by the aforementioned 3i survey, in which two-thirds of the respondents suggested that 80% of the market will be owned by five brands or fewer within the next three years).
The successful vendors will most likely be those that share two traits – an ability to provide true IT security solutions and not just point technologies, and a willingness to understand the needs of their end users.
If a security manager is offered the choice of buying competing e-security products, nine times out of ten he or she will plump for the system that offers the best results at the most reasonable price. Sounds obvious, but it’s not if you take even a sideways glance at the structure of the industry at present.
The key market roadblock identified by the 3i survey is technological complexity combined with interoperability issues. Far too many firms have come to market offering just a single point technology. In other words, an answer to a particular problem or proposition for a given business process. All-too-few have thought about how their products relate to other IT security systems – both present and future – and how they channel their products to market.
In turn, this opens a doorway for those vendors who can integrate a range of products into a single solution. This will create economies of scale for the security manager (many of whom are operating to a tight budget in any case) by obviating the need for multiple sales processes, multiple installations and multiple internal skill sets on the part of the system provider.
“Those corporate concerns and their security professionals that truly understand e-security are outsourcing,” said Richard Barber, group technology advisor at security services outfit Articon-Integralis. “This year, managed network security services will really start to hit the big time.”
Proud of their creations, e-security whizzkids often tout the technical genius of their invention while neglecting to talk about the bottom line. They will often pitch their product as the “best way to secure your network, Mr Security Manager”, but to many of the latter such a bland statement means very little. “Securing your business” is a much more attractive proposition.
Putting up the proverbial ‘virtual barbed wire’ and making sure no-one accesses the corporate network may maximise security, but it’s no longer an acceptable e-business proposition. Keeping the bad guys out while letting customers and/or business partners in, on the other hand, is most acceptable.

Supply and demand: the end users
In essence, two factors must be borne in mind by the end user. First, managing IT security isn’t an event. It’s a process. In the aftermath of what happened Stateside, even more end user companies are likely to view security as a ‘product’ that can fend off criminals once and for all. They’d be wrong to do so.
“E-security wasn’t a Year 2000 event that was solved once and that was that,” commented Allan Carey, a senior information security analyst at the International Data Corporation. “It’s a continual process that must be constantly evaluated and updated.”
That is true whether or not in-house professionals outsource their e-security management. The services provided must still be monitored.
There are many misconceptions doing the rounds among end users. One suggests that overseas hackers are the biggest threat to their networks. For the most part, that’s simply not true. Insiders pose the biggest threat. It would also be unwise to rest on your laurels and simply say that: “I have a firewall. Therefore, the company’s web site is safe.” In truth, around 80% of firewalls are ineffectively installed and inadequately maintained.
Don’t fall into the trap of thinking that e-security is there merely to keep would-be illegal hackers at bay. Through features such as authentication and authorisation, e-security products – eg customer relationship management software – can help a host of corporates in getting to know their customers better and working more efficiently. Ultimately, security impacts on business trends far beyond hacking and the violation of trust.
Importantly, end users need to learn that realising the true benefits of e-security is about more than just installing technology. It’s not enough for a finance director to approve the hottest new product on the market and then push responsibility for integration and implementation back down into the bowels of the IT or security department.
If a given company’s e-security systems should be breached, it’s up to the security manager to ensure that disaster recovery systems and data storage processes are in place. In the wake of last September’s distressing events, any firms without such back-up plans have been served appalling notice of their value.