[ISN] Acceptable Risks

From: mea culpa (jerichoat_private)
Date: Thu Sep 10 1998 - 02:49:14 PDT

  • Next message: mea culpa: "[ISN] Beware the keystroke cops"

    Forwarded From: phreak moi <hackereliteat_private>
    Acceptable Risks
    In the digital economy, security breaches are inevitable. The
    InformationWeek/PricewaterhouseCoopers global security survey reveals how
    E-commerce is raising the stakes, and how far companies will go to ward
    off intruders
    By Gregory Dalton
    rganizations rushing to build information systems for all forms of digital
    commerce are realizing there's no fail-safe way to secure the free flow of
    data or money. It's like trying to protect the telephone system from prank
    callers, or trying to block spammers from clogging your messaging system. 
    Except it's often far worse. Organizations engaged in Web commerce,
    electronic supply chains, and enterprise resource planning experience
    three times the incidents of information loss and theft of trade secrets
    than everybody else.  Revenue loss, though not prevalent, is seven times
    more likely to strike Web commerce sites compared with noncommerce sites. 
    These are two of the key findings of the 1998
    InformationWeek/PricewaterhouseCoopers Global Information Security Survey
    fielded this summer in 50 countries and completed by 1,600 IT and security
    A keen awareness of an organization's increased exposure to internal and
    external dangers isn't enough to plug the gaps.  The digital commerce
    sites experiencing the most attacks, including banks and financial
    services companies, are the same disciplined IT shops that also create
    information security policies, spend lots of money on security products
    such as firewalls and encryption, and institute policy training for IT
    staff and end users. 
    All of which points to an obvious business trade-off, especially for IT
    managers who want to open their enterprise to outside partners.  "An
    extranet is a risk," says Enno Becker, director of technology
    infrastructure at the Forum Corp., a training and consulting company in
    Boston whose extranet is linked to three corporate customers.  "You're
    creating a tunnel into another environment that you don't control. But the
    business benefits are too great to be ignored." 
    Defining what's an acceptable risk varies greatly from industry to
    industry. In retail, a 3% loss from online credit-card fraud might be
    tolerable, but in the chemical industry the same fraud loss might be
    considered a disaster. Such expectations not only drive security policies
    and spending, but they also influence experience. 
    Overall, 59% of sites selling products or services on the Web report at
    least one or more security breaches in the past year, compared with 52% of
    sites that may have a Web site but aren't using it for monetary
    Sites with supply-chain networks or ERP applications are struck about 10%
    more often than sites without such applications, possibly because they
    have competitive intelligence available to plunder. 
    Information loss has occurred at 22% of firms conducting Web sales, but
    only 13% of companies not selling products on the Web say they have had
    the same experience. 
    Significantly, 12% of E-commerce sites reported theft of data or trade
    secrets, three times the number of companies not selling products via the
    Acceptable Risks
    Continued...page 2 of 4
    Among those survey respondents able to identify losses due to security
    breaches in the past 12 months, 84% say they lost between $1,000 and
    $100,000 in U.S. dollars. The other 16% say they racked up more than
    $100,000 in losses. 
    "There are significant financial losses that people don't even know
    about," says Bruce Murphy, managing director at PricewaterhouseCoopers,
    which advises companies on information security issues. 
    "I think they are estimating low." In fact, 49% of those surveyed concede
    they don't know if they were pickpocketed in the past year. Only 28% say
    they're certain they haven't suffered any monetary loss. If companies
    improve their detection capabilities via emerging intrusion- detection
    tools and enhanced measurement criteria, Murphy says, they will become
    more aware of the losses they're incurring already. And while E-commerce
    is galloping ahead, he expects the incidence and amounts of financial
    damages to surge upward, too. 
    Yet there are effective strategies to consider. Some IT managers are going
    to considerable lengths to measure the success of their security policies.
    McKesson Corp., a pharmaceutical distributor, has beefed up its policy and
    installed double firewalls to provide a secure area where a drugstore
    chain can have access to information about its accounts. Intralinks, a
    financial services firm, asks banks on its extranet to adjust their
    security procedures so that each adopts the highest common denominator.
    And at VHA Inc., a group of health-care providers and suppliers, IT
    executives are rethinking their approach to security after building an
    Other companies are doing more encryption and rolling out awareness
    campaigns to educate employees about information security. Above all,
    they're making security a priority at the earliest possible stages of new
    Early And Often 
    In the world of information security, proactive measures are generally
    considered the most cost-effective, too. McKesson makes an extranet
    available to a few corporate managers at Rite Aid Corp., the pharmacy
    chain based in Camp Hill, Pa. These managers will be able to go behind the
    first of McKesson's two firewalls to view orders and track information
    about inventories and past purchases by Rite Aid. McKesson's internal
    systems are guarded behind the second firewall. Before launching the
    extranet, McKesson began using Internet technologies to sell medications
    to the Department of Defense in Asia, an arrangement that compelled the
    distributor to implement a double firewall scheme.
    "At the very first stage, security was considered," says McKesson CIO
    Carmine Villani. "We think about security more as a core value or function
    rather than a bolt-on." In the past few years, Villani says,
    McKesson has spent more than $500,000 on various security measures,
    including secure identification cards with constantly changing digital
    codes for all employees, and double firewalls to separate the secure
    servers where the company keeps customer information and its own internal
    Much of that investment initially was made for the Defense Department
    extranet and represented a 15% to 20% "security premium" for that project.
    But now that those costs have been amortized over the Rite Aid project,
    too, Villani says the additional security costs for both extranets have
    dropped to less than 5% of overall expenditures. Business-side executives
    have never vetoed such information security spending because they realize
    it comes with the virtual terrain. "The reason people have problems is
    they are not making the investments that can prevent them," Villani says. 
    Proactive thinking about information security doesn't just apply to the
    Internet. "It's much cheaper to do security up front as you are designing
    and implementing an ERP system than it is to go back and retrofit
    something," says Mark Lobel, a security consultant at
    PricewaterhouseCoopers. Adding security in the design phase of an ERP
    deployment might add 5% to 10% to the overall project cost. 
    Though many organizations balk at paying a premium for information
    security, those that have had to revise systems later on probably wouldn't
    make the same mistake twice. A major financial company, for example, was
    about to deploy a business-to-business E-commerce application for settling
    big securities trades. Late in the development process, the firm hired
    Cambridge Technology Partners to advise them on security. On Cambridge's
    advice, the firm moved from the Windows NT platform to Unix because of its
    perceived security advantages, but the move caused enormous cost overruns.
    "The CIO had to go back to the board of directors with hat in hand,"
    Cambridge VP Paul Kelly says. "That's not a good situation to be in." 
    Acceptable Risks
    Continued...page 3 of 4
    Plan Ahead For Security 
    Although security is often fundamental to success, it often remains an
    afterthought. Companies looking to increase their business opportunities
    via the Web typically look first at applications and then consider
    infrastructure issues. "We see many cases where ERP or sales-force
    automation implementations fail when infrastructure and security come into
    the picture after the fact," Kelly says.
    Another believer in proactive measures is Intralinks, a financial services
    company that coordinates loan syndications.  Intralinks helps its 15 bank
    clients parcel out pieces of loans and other financial instruments to
    2,700 institutional investors by providing a central Web site where they
    can exchange offering memoranda and interact with one another regarding
    the deals. Investors access Intralinks' servers to retrieve copies of
    documents describing the terms of the deal and submit forms indicating
    their willingness to participate. 
    Intralinks doesn't do it alone. The company's security is based on Lotus
    Domino and is hosted by IBM Global Services. The company's practices are
    so stringent it has refused to work with at least one institution whose
    security procedures didn't pass muster.  "There has been an example of
    that," says Lenny Goldstein, Intralink's chief technology officer. "It was
    a business decision rather than an IT decision." 
    For those who do make the security cut, Intralinks drives them when
    feasible to adopt the highest common denominator. "If J.P. Morgan does
    something a little differently than Chase Manhattan but if Chase is more
    stringent, we will do it their way," Goldstein says.  One example:
    companies that change their passwords every 90 days were asked to change
    them every 60 days because that was the most rigorous requirement among
    the group. 
    One of Intralinks' trusted customers is PNC Bank Corp., which has raised
    $2 billion in 10 different deals. The Pittsburgh-based bank is confident
    it can handle security issues and plans to venture into other areas of
    electronic commerce. The most important elements are deploying powerful
    128-bit encryption and incorporating security during project formation.
    "Our experience was positive enough that we are working toward an
    Internet-based solution for treasury management," says James Mikula, CIO
    for corporate banking at PNC. 
    Security products that used to be viewed as risk-management tools are now
    being considered an "enabling mechanism" that is necessary for new
    business ventures. 
    The Boston Globe, for example, takes security more seriously now that its
    advertisers can place advertisements online and pay for them with a credit
    card. "It has expanded our view of security," says Dave Pearson, director
    of IT infrastructure. "I view it more as enabling than risk management,
    though it has to do both." 
    For example, the Globe is centralizing its security management using
    Netegrity Inc.'s SiteMinder, which is based on the Lightweight Directory
    Access Protocol.  SiteMinder separates security access from application
    development and frees developers to create programs that are better suited
    to the business, such as allowing advertisers access to their account
    Creating Complexity
    Some companies that build extranets realize they have to secure much more
    than the extranet itself, and often end up reworking their company's
    entire security regime. "Our extranet brought us into a whole new realm of
    things we never did before in terms of security,"  says Scott Decker, VP
    of information services at VHA, an alliance of 1,200 independent
    health-care providers and suppliers that uses an extranet to exchange
    health-care news and textbooks. 
    The extranet will become far more complex as applications come online for
    exchanging patient records and lab reports. The Irving, Texas-based
    alliance is planning to elevate its security by using encryption and
    digital certificates for sensitive data. That review process and the
    resulting heightened awareness about security has affected the way VHA
    views all types of information. In the past, for example, VHA delivered
    CD-ROMs that contained a catalog of supplies and their prices. "We never
    thought about security with those things," Decker says. "But now we think
    Surprisingly, however, 43% of companies surveyed don't take the basic step
    of classifying their data into security categories. This is a
    critical step in identifying data worth protecting. Although 19% do this
    process daily, another 14% classify their data annually. 
    Acceptable Risks
    Continued...page 4 of 4
    Another key element of an enlightened approach to security is a
    companywide campaign to promote user awareness. But that campaign "can't
    just be an annual brochure," says Jim Patterson, VP of security and
    telecommunications at OppenheimerFunds Inc., a mutual fund company in New
    York. For example, Oppenheimer occasionally has a life-sized cardboard
    figure named "Mr. Security" around its Denver campus. The character is
    dressed as a baseball umpire and holds a stack of index cards with
    information security tips for Oppenheimer's 1,800 employees. 
    PNC Bank has a booth dedicated to security at its annual company
    technology fair. "It's another way of getting employees to understand
    these issues," CIO Mikula says. And as a light-hearted reinforcement, the
    bank hands out fortune cookies with security tips tucked inside. 
    Such internal campaigns are critical because, while the mainstream media
    dwell on security threats posed by diabolical hackers or info-terrorists,
    survey respondents say their biggest threats are still internal: 58% of
    companies surveyed believe one or more authorized users have abused their
    systems in the past year.  Unauthorized users broke into 24% of the sites;
    suppliers or customers together accounted for only 12%. "It used to be an
    80/20 rule for inside/outside threats," says PricewaterhouseCoopers'
    Lobel. "It's a 60/40 rule now." 
    Another change is the people directly involved in making security-related
    decisions. While security remains an IT function, some of that
    responsibility is gravitating toward the business side as the Internet
    burrows into various parts of the company, such as the purchasing and
    marketing departments. 
    "We are doing more transfer of ownership of applications and security from
    IT to business owners," McKesson's Villani says. For example, Villani
    handles security policy; but the the company's VP of customer operations
    is responsible for applying it to the extranet. 
    Elsewhere, the spreading responsibility for security is causing tense
    relationships and ill-informed decisions.  "Techies want to protect the
    firewall at all costs,"  says Roger Walters, CIO at consulting firm Booz,
    Allen & Hamilton. "But sales and marketing people want to underprotect.
    The result is general management executives have to make a decision about
    something they don't know anything about." 
    Global Risk
    Security has never been the business world's most important business goal.
    And yet, most IT managers would consider "trust" to be a fundamental
    requirement of doing business on the Web-especially internationally. 
    On average, survey respondents rate information security a 7.4 on a
    1-to-10 scale, with 10 being the highest priority. Respondents say the
    most important security techniques are blocking unauthorized access,
    establishing network security, securing top management commitment, and
    gaining end-user awareness. On average, most companies rate themselves a
    6.9 on a 1-to-10 scale, with 10 being extremely successful, an evaluation
    that suggests most respondents see room for improvement. 
    The survey strongly suggests, however, that even if companies do well
    establishing these best practices, they must seek ways to do even more
    with their existing resources. Managing risk is now a top priority. 
    McKesson CIO Villani remains optimistic. "If you don't pay attention,
    security is going to be a problem,"  he says. "But if you do pay
    attention, you can eliminate most of the risks."  
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:03:45 PDT