Advertisers' Web Sites SurfControl www.surfcontrol.com/ EMC2 www.emc.com

Where to Focus Your eSecurity Action Plan

Information security is a high priority for business today. Cyber-terrorism increased dramatically in 2001, according to a study recently released by Riptech of Alexandria, Virginia. The study of 300 companies in 15 industries found that in the last six months of 2001, 138,000 attacks were registered, not counting the Nimbda and Code Red worm viruses. The average attack experienced per company increased 79 percent in the period, according to Tim Belcher, CTO of Riptech, which specializes in security services.

The attackers were found to be directing their efforts toward selected company and industry targets as well, a surprising finding. Before the results were in, "We didn't think the attackers cared who the targets were," Belcher said.

In this new era of heightened awareness, experts advise taking the following actions to improve your company's e-security:

• Insure filtering technology is installed at your company's Internet connection points so that incoming messages can be screened, and outgoing messages can be cleaned or encrypted.

• Install software to prevent malicious code from executing on your computer systems. These include virus protection, firewalls intrusion detection systems.

• Consider authentication methods stronger than a password system, especially if your company is involved in commerce over the Web.

• Protect your company from legal liability with secure content management methods such as screening e-mail that could be considered sexually harassing, and filtering unwanted spam e-mail.

• Ensure your company's ability to recover by replicating mission-critical data in multiple sites.

• Tap professional services organizations that provide the experience and knowledge to assist you with the technology and the set up of secure sites. A qualified staff is hard to hire, but it can be rented.

Securing Content

Companies can reduce the amount of harmful content coming into their companies by using Web filtering and blocking products," said Chris Christiansen, analyst with IDC market researchers of Framingham, Massachusetts. "This can also prevent the creation of a potentially harassing environment with potential legal liabilities," he said.

A recent IDC report on secure content management found that the market is strong for products that screen workplace prohibited materials such as hateful e-mails and sexually graphic files. While antivirus software products currently are the best selling, with $1.8 billion in revenue projected from the segment in 2002, access control and e-mail scanning software products are projected to grow at a higher rate through 2005.

"We are seeing the convergence of e-mail and Web filtering," said Kevin Blakeman, president of the American arm of SurfControl (www.surfcontrol.com), based in Scotts Valley, California. "We see it as moving more and more towards filtering and content management, where we help produce policies for managing the flow of content through browsers and e-mail systems." The SurfControl products allow users to scan the text of incoming and outgoing e-mail and determine actions based on rules that fit the business.

Securing Data

Commerzbank in New York City completed implementation of its business continuity solution on September 7, 2001. The company had no way of knowing what was to happen four days later, but as a result of its planning, the world's 16th largest bank resumed operations quickly despite being 300 feet from the World Trade Center Towers. The company had worked to build a disaster recovery site 30 miles away in Rye, New York. Using replication software from EMC Corporation (www.emc.com), Commerzbank was backing up its critical data to the recovery site, thus enabling a quick recovery.

"The relationship of storage to security relates to how quickly a company can recover to a known good state after a security breach or corruption of data," said Ken Steinhardt, EMC's director of technology analysis. EMC supports business continuity for its customers with products and services addressing recovery, automation, software and hardware. By exploiting these offerings, "Commerzbank is now running 50 percent of its production data in each of two data centers," Steinhardt said.

Hot Topics

The following issues are top of mind in the e-security arena today, as the industry prepares for its biggest trade show, the RSA Security Conference scheduled for February 18-22 in San Jose.

• Confederated User ID: Refers to an individual profile that can be recognized on multiple Web sites. Microsoft unveiled Passport, then an industry consortium proposed the Liberty Alliance and now the two are working together. True federated identity management is probably two to four years away.

• Web Access Management: Rights and privileges a user has once entered into a system.

• Tokens, Tokens, Everywhere: The use of a token system for confirming the identity of a person or a company on the Internet -- one step better than passwords -- is gaining. RSA Security has delivered over 100 million tokens worldwide from its products.

• Biometrics: Gaining steam as a method of authentication, including fingerprinting and eye scanning.

• Managed Services: Trend of businesses hiring outside security experts to perform audits, draft security policies, monitor security systems, and respond to incidents.

Pitfalls to Avoid

In the quest to improve e-security, experts advised avoiding the following pitfalls:

• Not changing default settings, especially passwords, on security products that you buy and install. Many firewall products, for example, have a default administrative password. Hackers can "listen" for those and break in when they find one. "If you don't manage your security system, you create a weak link," said Scott Schnell, senior vice president with RSA, Bedford, Massachusetts.

• Not being honest about the worst-case scenario so you can plan for the right responses. Many companies plan for disaster recovery but underestimate the real world in their simulations.

• Not identifying the truly mission-critical data in your company. The time to discover that the data is critical is not when it's unavailable.

Better protection is at hand. E-security can be vastly improved for a reasonable cost by following a pragmatic step-by-step approach. It will allow harried business managers to sleep better at night.