ADVERTISING FEATURE






January 14, 2002

The E-Business Software Weekly is a series profiling trends and developments in software and applications that support e-business, the Internet, and other electronic communication channels. Look for a new story each week in this space.

Ensuring Cybersecurity


The news is not good from the computer security front.

Last August, as part of its 14th Annual Critical Issues of Information Systems Study, Computer Sciences Corporation (CSC) concluded that a great many corporate information systems "remain open to cyberattack" and noted that "many IS managers don't consider security practices and policies to be a top priority in their organizations."



The survey, which questioned 1,000 IT executives from around the world, showed that 46% of respondents did not have a formal information-security policy in place, 59% did not have a formal compliance program to support their information-system efforts, and 68% did not conduct regular security-risk analysis or security-status tracking.

Such findings should be sobering to business executives whose companies rely heavily on the Internet for their day-to-day operations, since "cybersecurity" is fast becoming the Achilles' heel of e-business. Like viral infections of the body, cybersecurity breaches often take place invisibly, and they can cause a great deal of damage, both to an individual company's IT systems and to confidence in the Internet economy more generally, before they are noticed. Indeed, according to Reuters, U.S. corporations spent some $12.3 billion last year to repair damage caused by computer viruses, and are predicted to spend at least that much, if not more, in 2002. The volume of e-commerce sales lost to consumer concerns about transaction security is not easy to calculate, but is likely to be at least as great.

Vulnerable to Cyberattack

In view of these costs, and with all that has transpired in recent months, one would expect cybersecurity to have vaulted to the top of corporate executives' agendas. Unfortunately, that does not appear to be the case. In a report released last week, the National Research Council's Computer Science and Telecommunications Board declared that U.S. computer systems were increasingly vulnerable to cyberattacks, in large part because companies were not implementing security measures already available. "Even without any new security technologies, much better security would be possible today if technology producers, operators of critical systems, and users took more appropriate steps," said the report's authors.

Because these steps haven't been taken, the authors argued, cybersecurity "from an operational standpoint... is far worse than what known best practices can provide." In fact, many of the recommendations made by the same panel a decade ago have not yet been implemented. "The fact that the recommendations we made ten years ago are still relevant points out that there is a really big problem, structurally and organizationally, in paying attention to security," noted Herbert Lin, the Board's senior scientist.

One indication of that structural problem: the CSC report from last August points out that, despite the growing number of complex computer security assaults, many corporate organizations still consider cybersecurity to be an IT issue rather than a general business concern, and do not adequately prepare for its potential impact on overall business operations.

And yet many of the most essential protective remedies require nothing more than a determined organizational commitment to put them into place. For instance, among the Computer Science Board's recommendations from a decade ago are such basic steps as conducting random tests of an organization's security systems, implementing better authentication, increasing network monitoring, and improving the training of security staff, all of them actions that are possible without additional research or technology development.

Some Serious Misconceptions

Probably the most important reason for the lack of attention to cybersecurity is the fact that many business executives and IT directors alike have been lulled into a false sense of security by a number of misconceptions about the nature of the challenges they face. Jeff Crume, in his recent book "Inside Internet Security: What Hackers Don't Want You to Know," highlights some of the most important of these misconceptions:

  • "A good firewall is an adequate security system." In fact, firewalls, as vital as they are, are only the starting point for building an effective security architecture, and even the best firewalls are limited in the types of attacks that they can detect and repel.


  • "Keeping the 'bad guys' out is good enough." As it happens, external hackers are only the most visible part of the computer security problem; roughly half of all cyberattacks are engineered by insiders who potentially can do even more damage than outsiders because of their greater access to and knowledge about the corporate computing environment.


  • "Good technology is 90% of the battle." Not quite. Humans, in fact, are the weakest link in any security system, usually because they fail to follow prescribed procedures or else compromise security through such seemingly innocent shortcuts as writing down passwords or leaving workstations logged in overnight. Good technology can rarely compensate for such human error.


  • "Security technologies are better than ever before." True, but so are hackers. What's more, the tools for hacking are widely available, can be downloaded for free off the Internet, and often include graphical interfaces that make them quite easy to use.


  • "We have all of the necessary virus and anti-hacking software installed." Perhaps, but a large proportion of companies that have installed this necessary software do not update it frequently enough, often leaving their systems almost as vulnerable as if no software had been installed at all.


Building an Effective Cybersecurity Program

Once these misconceptions are dispelled and a firm commitment is made to harden a company's computer systems against cybersecurity threats, there remains the nontrivial task of implementing an effective security program, no small challenge in a corporate world of shrinking budgets and multiple competing priorities. In a recent white paper entitled "Linking Security Needs to E-Business Evolution," researchers at IBM outlined a series of steps likely to produce an effective, and cost-efficient, cybersecurity program, guidelines that are worth the attention of any company either currently operating or planning to operate on the Internet:

  • Step 1: Create a security and privacy blueprint. It is essential to develop policies, procedures, and penalties in advance, say the researchers, in order to reduce predictable threats and risks. It is just as important to reevaluate these provisions over time as companies' e-business operations expand and as their core business processes rely increasingly on the transmission of sensitive data over public computer networks like the Internet.


  • Step 2: Actively check security and privacy controls. Security safeguards need to cover virtually all aspects of the enterprise, the researchers point out. This includes mechanisms used by hardware and software systems, networks, databases, and human resource systems. Their advice: test, audit, inspect, and investigate continuously and randomly, employing such procedures as intrusion detection, vulnerability scanning, incident management, and firewall management reviews.


  • Step 3: Use industry-standard security products rather than those developed in-house. Industry-standard products based on open standards have been tested and proven, and have customer references from which vital implementation knowledge can be gained. Industry-standard products also tend to be well-documented, and their development usually has followed accepted software development methodologies whose processes and test results can be independently reviewed. In-house products tend to fall short in these key respects.


  • Step 4: Provide security training. Provide training on security and privacy issues, the researchers counsel, so that personnel will know what is required of them. "Keeping personnel properly informed and providing regular reminders," they say, "can increase their retention rates and improve their understanding of critical security issues."


Enabling E-Business to Flourish

Even organizations that are exceptionally well-versed in cybersecurity concerns can be vexed by unexpected security attacks. Last May, for instance, the CERT Coordination Center (CERT/CC) at Carnegie Mellon University, one of the nation's leading cybersecurity centers, itself suffered a denial-of-service attack that virtually disabled its Web operations. CERT later confirmed that its Web site had been under attack for more than a day, and that officials were working with various organizations, including local and national service providers, to investigate and stop the attacks.

If an organization as knowledgeable about cybersecurity as CERT can fall victim to computer security threats, then how much more vigilant must ordinary corporations be if they are to protect their most valuable asset: information. It's a demand that will only become greater as time goes on. E-business is already a fact of corporate life, a trend that is likely to accelerate in the years ahead. As the IBM researchers note, "if companies wish to compete effectively in today's business environment, it is a given that they must create electronic links with remote employees, customers, partners, and suppliers." In this situation, world-class cybersecurity becomes more than a "nice to have" feature of e-business operations; it becomes a first-among-equals requirement, the enabling feature upon which all of the other benefits of e-business depend.

Fortunately, such cybersecurity can be brought to bear with little technical difficulty. The technology exists, as does the expertise to implement it. All that is needed is the commitment and focus to ensure not just a successful implementation, but vigilant ongoing maintenance as well. Given that commitment and focus, the IBM researchers are quite optimistic. With proper attention given to planning and implementing IT security and privacy, they insist, any enterprise can build a trusted environment in which e-business operations will flourish, the current cybersecurity concerns notwithstanding.

Back to BusinessWeek Online