APRIL 13, 2004
Info Security "from the Ground Up"

With more threats and stricter laws, being "reactive" isn't enough. Now companies are building safety directly into their systems.

As the CEO of information-security outfit Entrust (ENTU) in Dallas, Bill Conner regularly preaches the virtues of protecting critical pieces of corporate infrastructure by using digital certificates and digital signatures. So about a year ago, he decided to do a security checkup on his own company. After all, it would be a little embarrassing for a leader of the cybersecurity business to have his pocket picked. And, Conner figured, he might learn some lessons that could help his customers.

Sure enough, he turned up a problem or two in Entrust's largely secure infrastructure: Employees were using e-mail to converse with clients and among themselves on topics that were best left off mail servers. And the audit trail the business created in case of litigation wasn't robust enough. Nothing major, but "there was room for improvement," says Conner.

BEYOND BAND-AIDS. That describes the situation at most large U.S. companies when it comes to information security. Spurred by the chaos following the September 11, 2001, terrorist attacks on New York and Washington, CEOs have made significant investments in security. Now, with terrorism as big a threat as ever, they're reviewing where they stand -- and finding that they still have work to do.

A firewall, antivirus software, and virtual private networks that encrypt data traffic, while all indispensable, are now viewed essentially as Band-Aids. The new emphasis is on cybersecurity that's both more organic and comprehensive. "Everyone is moving from a reactive stance to building security and reliability into systems from the ground up," says Gary McGraw, chief technology officer of digital security and code analysis concern Cigital and co-author of the book Exploiting Software (Pearson, 2004).
Jim O'Leary, director of education for the nonprofit Computer Security Institute, which holds classes and conventions on cybersecurity, adds that eliminating vulnerabilities now means doing a more thorough check and coming up with a much more detailed plan. "If you don't, it's very hard to build something that takes into account all the things you need to think about," says O'Leary. If firewalls, antivirus software, and other security systems don't allow a network security operator to easily understand all the information they provide, these systems mainly provide a false sense of security, says O'Leary.

"HARD TO SELL." Security outfits are starting to press hard on this point. Symantec (SYMC), Computer Associates (CA), Check Point (CHKP), and others now sell software that organizes every key piece of security data into a format a CEO can absorb at a glance. Still, these products are far from perfect when it comes to synthesizing information from many different security systems. And in any case, it's sometimes hard to justify their cost, which can run into the tens of thousands of dollars. "If you can't make a business case for it, then it's really hard to sell security," says Eugene Schultz, a software and organizational security expert at Lawrence Berkeley National Laboratories.

The one exception may be password management, also called identity management. Plenty of software makers sell products that synchronize passwords so that individual employees have just one to use for all their accounts. The security community remains split on whether that's a good or bad idea: Flattening the password structure cuts help-desk costs. But it also creates a single point of failure that can lead to a security breach. One way to avoid that is to use so-called application security -- a piece of software or hardware that sets parameters on what various employees can do on corporate networks.
For example, one person might be authorized to look at the human resources department's records, but not customer records or invoices. These systems can also analyze behavior and alert network administrators if it appears someone is using software or other network components in a way that's anomalous and probably not desirable.

ENTER THE OUTSOURCERS. In the same vein, businesses are putting tighter security around Wi-Fi-enabled PCs and putting individual firewalls on company laptops to ensure that wherever someone logs in, they'll be protected from the hacker universe. Some of these firewalls even cut off a laptop from the Net unless it's connected to the home office via a virtual private network that encrypts data.

At the same time, though, one of the fastest-growing trends in cybersecurity is outsourcing -- turning over the job to a third-party specialist. It's a controversial move. Does it make sense to give such an important job to someone outside the wall? The consensus seems to be yes -- with a big caveat. O'Leary and others say it's critical to keep someone on-staff to monitor the work that has been sent outside. Otherwise, "you can end up not knowing what's going on at all and being totally at the mercy of the outsourcer," says McGraw.

DOUBLE JEOPARDY. Finally, it's now necessary to build better auditing into network security. Recent laws such as the Sarbanes-Oxley Act and the Health Insurance Portability & Accountability Act create unforgiving rules penalizing the failure to track what happens on networks -- and have thus made the price of lax information management far steeper. And a new California law leaves companies that fail to disclose data breaches open to civil litigation. So in a sense, outfits that fail to take cybersecurity seriously face a dose of double jeopardy. They could lose control of their vital information and then suffer a further hit for failing -- or being unable -- to report the theft.
By Alex Salkever, Technology editor for BusinessWeek Online