Forwarded From: phreak moi <hackereliteat_private>

http://www.informationweek.com/698/98iursk.htm
http://www.informationweek.com/698/98iursk2.htm
http://www.informationweek.com/698/98iursk3.htm
http://www.informationweek.com/698/98iursk4.htm

Acceptable Risks

In the digital economy, security breaches are inevitable. The InformationWeek/PricewaterhouseCoopers global security survey reveals how E-commerce is raising the stakes, and how far companies will go to ward off intruders.

By Gregory Dalton

Organizations rushing to build information systems for all forms of digital commerce are realizing there's no fail-safe way to secure the free flow of data or money. It's like trying to protect the telephone system from prank callers, or trying to block spammers from clogging your messaging system. Except it's often far worse.

Organizations engaged in Web commerce, electronic supply chains, and enterprise resource planning experience three times as many incidents of information loss and theft of trade secrets as everybody else. Revenue loss, though not prevalent, is seven times more likely to strike Web commerce sites than noncommerce sites. These are two of the key findings of the 1998 InformationWeek/PricewaterhouseCoopers Global Information Security Survey, fielded this summer in 50 countries and completed by 1,600 IT and security professionals.

A keen awareness of an organization's increased exposure to internal and external dangers isn't enough to plug the gaps. The digital commerce sites experiencing the most attacks, including banks and financial services companies, are the same disciplined IT shops that also create information security policies, spend lots of money on security products such as firewalls and encryption, and institute policy training for IT staff and end users. All of which points to an obvious business trade-off, especially for IT managers who want to open their enterprise to outside partners.
"An extranet is a risk," says Enno Becker, director of technology infrastructure at the Forum Corp., a training and consulting company in Boston whose extranet is linked to three corporate customers. "You're creating a tunnel into another environment that you don't control. But the business benefits are too great to be ignored."

Defining what's an acceptable risk varies greatly from industry to industry. In retail, a 3% loss from online credit-card fraud might be tolerable, but in the chemical industry the same fraud loss might be considered a disaster. Such expectations not only drive security policies and spending, but they also influence experience.

Overall, 59% of sites selling products or services on the Web report at least one security breach in the past year, compared with 52% of sites that may have a Web site but aren't using it for monetary transactions. Sites with supply-chain networks or ERP applications are struck about 10% more often than sites without such applications, possibly because they have competitive intelligence available to plunder. Information loss has occurred at 22% of firms conducting Web sales, but only 13% of companies not selling products on the Web say they have had the same experience. Significantly, 12% of E-commerce sites reported theft of data or trade secrets, three times the number of companies not selling products via the Web.

Among those survey respondents able to identify losses due to security breaches in the past 12 months, 84% say they lost between $1,000 and $100,000 in U.S. dollars. The other 16% say they racked up more than $100,000 in losses. "There are significant financial losses that people don't even know about," says Bruce Murphy, managing director at PricewaterhouseCoopers, which advises companies on information security issues. "I think they are estimating low." In fact, 49% of those surveyed concede they don't know if they were pickpocketed in the past year.
Only 28% say they're certain they haven't suffered any monetary loss. If companies improve their detection capabilities via emerging intrusion-detection tools and enhanced measurement criteria, Murphy says, they will become more aware of the losses they're already incurring. And while E-commerce is galloping ahead, he expects the incidence and amounts of financial damages to surge upward, too.

Yet there are effective strategies to consider. Some IT managers are going to considerable lengths to measure the success of their security policies. McKesson Corp., a pharmaceutical distributor, has beefed up its policy and installed double firewalls to provide a secure area where a drugstore chain can have access to information about its accounts. Intralinks, a financial services firm, asks banks on its extranet to adjust their security procedures so that each adopts the highest common denominator. And at VHA Inc., a group of health-care providers and suppliers, IT executives are rethinking their approach to security after building an extranet. Other companies are doing more encryption and rolling out awareness campaigns to educate employees about information security. Above all, they're making security a priority at the earliest possible stages of new projects.

Early And Often

In the world of information security, proactive measures are generally considered the most cost-effective, too. McKesson makes an extranet available to a few corporate managers at Rite Aid Corp., the pharmacy chain based in Camp Hill, Pa. These managers will be able to go behind the first of McKesson's two firewalls to view orders and track information about inventories and past purchases by Rite Aid. McKesson's internal systems are guarded behind the second firewall. Before launching the extranet, McKesson began using Internet technologies to sell medications to the Department of Defense in Asia, an arrangement that compelled the distributor to implement a double-firewall scheme.
"At the very first stage, security was considered," says McKesson CIO Carmine Villani. "We think about security more as a core value or function rather than a bolt-on."

In the past few years, Villani says, McKesson has spent more than $500,000 on various security measures, including secure identification cards with constantly changing digital codes for all employees, and double firewalls to separate the secure servers where the company keeps customer information from its own internal systems. Much of that investment initially was made for the Defense Department extranet and represented a 15% to 20% "security premium" for that project. But now that those costs have been amortized over the Rite Aid project, too, Villani says the additional security costs for both extranets have dropped to less than 5% of overall expenditures. Business-side executives have never vetoed such information security spending because they realize it comes with the virtual terrain. "The reason people have problems is they are not making the investments that can prevent them," Villani says.

Proactive thinking about information security doesn't just apply to the Internet. "It's much cheaper to do security up front as you are designing and implementing an ERP system than it is to go back and retrofit something," says Mark Lobel, a security consultant at PricewaterhouseCoopers. Adding security in the design phase of an ERP deployment might add 5% to 10% to the overall project cost.

Though many organizations balk at paying a premium for information security, those that have had to revise systems later on probably wouldn't make the same mistake twice. A major financial company, for example, was about to deploy a business-to-business E-commerce application for settling big securities trades. Late in the development process, the firm hired Cambridge Technology Partners to advise it on security.
On Cambridge's advice, the firm moved from the Windows NT platform to Unix because of its perceived security advantages, but the move caused enormous cost overruns. "The CIO had to go back to the board of directors with hat in hand," Cambridge VP Paul Kelly says. "That's not a good situation to be in."

Plan Ahead For Security

Although security is fundamental to success, it often remains an afterthought. Companies looking to increase their business opportunities via the Web typically look first at applications and then consider infrastructure issues. "We see many cases where ERP or sales-force automation implementations fail when infrastructure and security come into the picture after the fact," Kelly says.

Another believer in proactive measures is Intralinks, a financial services company that coordinates loan syndications. Intralinks helps its 15 bank clients parcel out pieces of loans and other financial instruments to 2,700 institutional investors by providing a central Web site where they can exchange offering memoranda and interact with one another regarding the deals. Investors access Intralinks' servers to retrieve copies of documents describing the terms of the deal and submit forms indicating their willingness to participate.

Intralinks doesn't do it alone. The company's security is based on Lotus Domino and is hosted by IBM Global Services. The company's practices are so stringent it has refused to work with at least one institution whose security procedures didn't pass muster. "There has been an example of that," says Lenny Goldstein, Intralinks' chief technology officer. "It was a business decision rather than an IT decision." For those who do make the security cut, Intralinks drives them when feasible to adopt the highest common denominator. "If J.P. Morgan does something a little differently than Chase Manhattan but if Chase is more stringent, we will do it their way," Goldstein says.
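The "highest common denominator" practice Intralinks describes above, as an added example that is not part of the original article and not Intralinks' own code: each partner's password policy is reduced field by field to the strictest value found among all partners, and the result is compared back against each partner to list what that partner would need to tighten. This generalizes the single password-age case in the article to several policy fields at once. The field names, the notion of which direction is "stricter" for each field, and the three sample bank policies are constructed assumptions for illustration.

```python
# Added example: merge several partners' password policies into the strictest
# common policy and report what each partner must tighten to meet it.
# Field names, strictness directions and sample values are assumptions.
from dataclasses import dataclass, asdict
from typing import Callable, Dict, Iterable, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    max_age_days: int        # stricter when smaller (rotate more often)
    min_length: int          # stricter when larger
    history_depth: int       # stricter when larger (more old passwords barred)
    lockout_threshold: int   # stricter when smaller (fewer failed logins tolerated)
    require_token: bool      # stricter when True (hardware token required at login)


# For each field, a reducer that returns the stricter of two values.
STRICTER: Dict[str, Callable] = {
    "max_age_days": min,
    "min_length": max,
    "history_depth": max,
    "lockout_threshold": min,
    "require_token": lambda a, b: a or b,
}


def strictest_common_policy(policies: Iterable[PasswordPolicy],
                            name: str = "shared") -> PasswordPolicy:
    """Fold all policies together, keeping the strictest value of every field."""
    policies = list(policies)
    if not policies:
        raise ValueError("need at least one policy")
    merged = asdict(policies[0])
    for policy in policies[1:]:
        for field, pick in STRICTER.items():
            merged[field] = pick(merged[field], getattr(policy, field))
    merged["name"] = name
    return PasswordPolicy(**merged)


def tightenings_needed(policy: PasswordPolicy,
                       shared: PasswordPolicy) -> Dict[str, Tuple]:
    """Fields where `policy` is weaker than `shared`: (own value, required value)."""
    gaps = {}
    for field, pick in STRICTER.items():
        own, required = getattr(policy, field), getattr(shared, field)
        # If the stricter of the two is not the partner's own value, it must tighten.
        if pick(own, required) != own:
            gaps[field] = (own, required)
    return gaps


# Constructed sample policies for three hypothetical partner banks.
SAMPLE_POLICIES = [
    PasswordPolicy("bank_a", max_age_days=90, min_length=8,
                   history_depth=5, lockout_threshold=5, require_token=False),
    PasswordPolicy("bank_b", max_age_days=60, min_length=10,
                   history_depth=12, lockout_threshold=3, require_token=False),
    PasswordPolicy("bank_c", max_age_days=90, min_length=12,
                   history_depth=8, lockout_threshold=5, require_token=True),
]


def audit(policies: Iterable[PasswordPolicy]) -> Dict[str, Dict[str, Tuple]]:
    """Map each partner name to the fields it must tighten to meet the shared policy."""
    policies = list(policies)
    shared = strictest_common_policy(policies)
    return {p.name: tightenings_needed(p, shared) for p in policies}


if __name__ == "__main__":
    shared = strictest_common_policy(SAMPLE_POLICIES)
    print("shared policy:", shared)
    for partner, gaps in audit(SAMPLE_POLICIES).items():
        print(partner, "must tighten:", gaps or "nothing")
```

With the sample input the shared policy becomes 60-day rotation, 12-character minimum, 12-password history, 3-attempt lockout and a required token; bank_a must tighten every field, bank_b only length and token, bank_c rotation, history and lockout. Note that the merge is deliberately one-directional: a partner that is already stricter than the group on some field keeps its own setting, since nothing is relaxed.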
One example: companies that change their passwords every 90 days were asked to change them every 60 days because that was the most rigorous requirement among the group.

One of Intralinks' trusted customers is PNC Bank Corp., which has raised $2 billion in 10 different deals. The Pittsburgh-based bank is confident it can handle security issues and plans to venture into other areas of electronic commerce. The most important elements are deploying powerful 128-bit encryption and incorporating security during project formation. "Our experience was positive enough that we are working toward an Internet-based solution for treasury management," says James Mikula, CIO for corporate banking at PNC.

Security products that used to be viewed as risk-management tools are now being considered an "enabling mechanism" that is necessary for new business ventures. The Boston Globe, for example, takes security more seriously now that its advertisers can place advertisements online and pay for them with a credit card. "It has expanded our view of security," says Dave Pearson, director of IT infrastructure. "I view it more as enabling than risk management, though it has to do both." For example, the Globe is centralizing its security management using Netegrity Inc.'s SiteMinder, which is based on the Lightweight Directory Access Protocol. SiteMinder separates security access from application development and frees developers to create programs that are better suited to the business, such as allowing advertisers access to their account balances.

Creating Complexity

Some companies that build extranets realize they have to secure much more than the extranet itself, and often end up reworking their company's entire security regime.
"Our extranet brought us into a whole new realm of things we never did before in terms of security," says Scott Decker, VP of information services at VHA, an alliance of 1,200 independent health-care providers and suppliers that uses an extranet to exchange health-care news and textbooks. The extranet will become far more complex as applications come online for exchanging patient records and lab reports. The Irving, Texas-based alliance is planning to elevate its security by using encryption and digital certificates for sensitive data.

That review process and the resulting heightened awareness about security has affected the way VHA views all types of information. In the past, for example, VHA delivered CD-ROMs that contained a catalog of supplies and their prices. "We never thought about security with those things," Decker says. "But now we think differently."

Surprisingly, however, 43% of companies surveyed don't take the basic step of classifying their data into security categories. This is a critical step in identifying data worth protecting. Although 19% classify their data daily, another 14% do so only annually.

Another key element of an enlightened approach to security is a companywide campaign to promote user awareness. But that campaign "can't just be an annual brochure," says Jim Patterson, VP of security and telecommunications at OppenheimerFunds Inc., a mutual fund company in New York. For example, Oppenheimer occasionally has a life-sized cardboard figure named "Mr. Security" around its Denver campus. The character is dressed as a baseball umpire and holds a stack of index cards with information security tips for Oppenheimer's 1,800 employees. PNC Bank has a booth dedicated to security at its annual company technology fair. "It's another way of getting employees to understand these issues," CIO Mikula says.
And as a light-hearted reinforcement, the bank hands out fortune cookies with security tips tucked inside.

Such internal campaigns are critical because, while the mainstream media dwell on security threats posed by diabolical hackers or info-terrorists, survey respondents say their biggest threats are still internal: 58% of companies surveyed believe one or more authorized users have abused their systems in the past year. Unauthorized users broke into 24% of the sites; suppliers or customers together accounted for only 12%. "It used to be an 80/20 rule for inside/outside threats," says PricewaterhouseCoopers' Lobel. "It's a 60/40 rule now."

Another change is the people directly involved in making security-related decisions. While security remains an IT function, some of that responsibility is gravitating toward the business side as the Internet burrows into various parts of the company, such as the purchasing and marketing departments. "We are doing more transfer of ownership of applications and security from IT to business owners," McKesson's Villani says. For example, Villani handles security policy, but the company's VP of customer operations is responsible for applying it to the extranet.

Elsewhere, the spreading responsibility for security is causing tense relationships and ill-informed decisions. "Techies want to protect the firewall at all costs," says Roger Walters, CIO at consulting firm Booz, Allen & Hamilton. "But sales and marketing people want to underprotect. The result is general management executives have to make a decision about something they don't know anything about."

Global Risk

Security has never been the business world's most important business goal. And yet, most IT managers would consider "trust" to be a fundamental requirement of doing business on the Web, especially internationally. On average, survey respondents rate information security a 7.4 on a 1-to-10 scale, with 10 being the highest priority.
Respondents say the most important security techniques are blocking unauthorized access, establishing network security, securing top management commitment, and gaining end-user awareness. On average, most companies rate themselves a 6.9 on a 1-to-10 scale, with 10 being extremely successful, an evaluation that suggests most respondents see room for improvement. The survey strongly suggests, however, that even if companies do well establishing these best practices, they must seek ways to do even more with their existing resources. Managing risk is now a top priority.

McKesson CIO Villani remains optimistic. "If you don't pay attention, security is going to be a problem," he says. "But if you do pay attention, you can eliminate most of the risks."

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:03:45 PDT