securing the internet economy

Securing theInternet EconomyAn Executive Guide To Managing Online Risk

Prepared for InfoWorld, an IDG publication, and Internet Security Systems by Bill LaberisAssociates, Holliston, Mass. Published by InfoWorld. Copyright (c)2000, Internet SecuritySystems, Inc.All Rights Reserved.Any copyrighted material, trademarks and registeredtrademarks contained in this document are used in an editorial context, with no intent ofinfringement. Content is subject to change without notice.

ecurity has become an important part of our dailylives.We lock the house when we leave in themorning, and we lock our cars when we get to theoffice.We take care that our wallets orhandbags are reasonably protected, and

we make sure no one is looking over our shoulderswhen we use a phone card or an ATM.We keep sen-sitive documents locked in a drawer, and we keep eas-ily purloined items such as cell phones out of plainview.Without realizing it, we have adopted a securityroutine that dictates certain behaviors for certain situ-ations.

Why, then, haven’t we taken the same approach toinformation security? Sure, we may keep the passwordsto our office PCs secret—unless we’re like the thou-sands of workers who leave their passwords on stickynotes stuck to their PC monitors. But surprisingly feworganizations have developed a complete, overarchingsecurity policy and applied that policy such that itbecomes second nature to all members of the organization, and anintegral part of doing business.

The problem, in part, is that we expect technology to do the

S e c u r i n g t h e I n t e r n e t E c o n o m y 1

Security: The BusinessImperative

You manage risk in your physical

environment. Are you taking similar

steps to protect your online business?

S

I N T R O D U C T I O N

Inside

part 1 . . . . . . . .7

Security at Internet Speed

part 2 . . . . . . .21

The Trouble withTechnology

part 3 . . . . . . .33

Passing the Baton

conclusion . . .46

The Business ofSecurity

2 S e c u r i n g t h e I n t e r n e t E c o n o m y S e c u r i n g t h e I n t e r n e t E c o n o m y 3

work of protecting our com-puter resources.Whether it’santi-virus software or anInternet firewall, we assumetechnology tools monitor thenetwork and keep intruders atbay.

But studies tell a differentstory. Among large corpora-tions and government agencies,90 percent have detected abreach in computer security inthe past 12 months, accordingto a recent survey by the FBIand San Francisco-based Com-puter Security Institute.And 70percent of those breaches wereconsidered serious, involvingtheft of proprietary informa-

tion, sabotage of data, or finan-cial fraud. Computer security isa constant challenge, and effortsto address this problem arefalling short.

Herein lies one of the impor-tant messages of this booklet.Security is not a technologyproblem; it is a business prob-lem. Securing your business is akey ingredient of overall busi-ness success. Correspondingly,failing to secure your business isa recipe for business disaster.Good security allows you toachieve a primary goal of the e-business era: reaching a greaternumber of customers withenhanced products and services.

TH E BU S I N E S S TH R E AT

The security challenge is escalating with the rise ofInternet commerce. As moreand more organizations realizethat e-business is their business,they also realize that theircomputer and networkresources are among the criticalassets that enable them tobecome more competitive andsuccessful.They realize that theinformation stored in their systems is often inventory to be reduced to cash.And thenthey discover (at times onlyafter their systems have been compromised) that the securitymeasures they have in place—if any—still leave them vulner-able to a range of potentiallydebilitating attacks. B2B e-commerce alone will gener-ate $7.3 trillion in transactionsin 2004, says GartnerGroup ofStamford, Conn.All thosetransactions will take place oversystems and networks thatrequire comprehensive security.

“In the rush to build e-busi-ness strategies, organizations’security efforts have not keptpace,” says John Pescatore, ananalyst who covers computersecurity for GartnerGroup.

“Security groups are accus-tomed to a slow pace ofchange, because in general,change isn’t secure. E-businessgroups, on the other hand,need to move quickly torespond to the market.Thesetwo groups will have to get inalignment, because simply put,there is no e-business withoutsecurity.”

In fact, just as e-businessmakes computer resources moremission-critical, it also opensthem to greater threat.After all,

I N T R O D U C T I O N : S E C U R I T Y , T H E B U S I N E S S I M P E R A T I V E I N T R O D U C T I O N : S E C U R I T Y , T H E B U S I N E S S I M P E R A T I V E

0

10

20

30

40

50

60

70

80%

2000

1999

1998

Don't KnowNoYes

64 62

70

18 17 16 1821

12

Attacks on the RiseCompanies reporting unauthorized use of computer systems in last 12 months

Source: 2000 CSI/FBI Survey

“In the rush to

build e-business

strategies, organi-

zations’ security

efforts have not

kept pace.”—John Pescatore,

analyst covering

computer security

for GartnerGroup

4 S e c u r i n g t h e I n t e r n e t E c o n o m y S e c u r i n g t h e I n t e r n e t E c o n o m y 5

e-business is about giving cus-tomers and partners access toyour networks and databases—information assets that wereonce kept under lock and key.However, the more open yournetwork, the greater the chancethat someone with maliciousintent can break in and wreakhavoc on the systems that runyour business.

The challenges multiply:Customers want to know thatthey can count on your systemsto keep their personal informa-tion protected. Partners need tofeel confident that weaknessesin your security infrastructurewon’t compromise their ownsystems as supply chains

become integrated. Stakeholderslook for assurances that securitybreaches won’t impact yourability to grow profits.Thesedays, both the business and themainstream media are quick tojump all over stories of datasecurity breaches, as the mediadid with the big denial-of-serv-ice attacks in February, 2000.No doubt, a media feedingfrenzy over stories like this cancontribute to a decline, poten-tially a sharp one, in the stockprice of the company whosesecurity has been breached.Perhaps security isn’t a corecompetency for your business.It isn’t for most businesses. Butsecurity is certainly fundamentalto your ability to compete.

SE C U R I N G T H E FU T U R E

Organizations require a com-prehensive, holistic approach tosecurity that addresses the challenges and opportunities ofthe Internet Economy.Thisbooklet provides a completeview of cyber risks and securitymanagement. It is designed tohelp organizations recognizesecurity needs that relate totheir business objectives and toidentify the security solutions

that will help them achievetheir strategic goals.

Part 1, “Security at InternetSpeed,” assesses the changingsecurity requirements of theInternet Economy, providingan overview of the growingnumber of security threats andthe impact they can have onyour business.

Part 2, “The Trouble withTechnology,” analyzes the tra-ditional tools and techniquesfor providing Internet security,offering a look at both theirstrengths and their shortcom-

ings.This section also looks atpromising new methods of pro-tecting information assets,including insurance policies thatprotect against loss resultingfrom security breaches.As youwill learn, system security is arequirement for the smallest tothe very largest of companies,and security solutions do varywith the size of the client.Whatremains constant is the need forsystem security in all sizes oforganizations, from small busi-nesses and emerging technologycompanies, to the middle-tiercompanies, to the Global 2000largest companies in the world.

I N T R O D U C T I O N : S E C U R I T Y , T H E B U S I N E S S I M P E R A T I V E I N T R O D U C T I O N : S E C U R I T Y , T H E B U S I N E S S I M P E R A T I V E

0

10

20

30

40

50

60%

2000

1999

1998

InternetRemote Dial-inInternal Systems

44

51

38

2428

38

5457 59

The Threat from the NetSources of computer attacks


Security is not

a technology

problem; it is

a business

problem.

6 S e c u r i n g t h e I n t e r n e t E c o n o m y

I N T R O D U C T I O N : S E C U R I T Y , T H E B U S I N E S S I M P E R A T I V E

Organizations require a comprehensive,

holistic approach to security that

addresses the challenges and

opportunities of the Internet Economy.


Consider the currentstate of affairs:■ The number of computer

attacks more than doubledlast year, according toreports filed with theComputer EmergencyResponse Team at CarnegieMellon University.

■ The number of cybercrimes being investigated bythe FBI also doubled in thepast year.“Even though wehave markedly improved

our capabilities to fightcyber intrusions, the prob-lem is growing even faster,”FBI Director Louis Freehtold a Senate subcommitteein March.

■ Fortune 1000 companieslost $45 billion to theft ofproprietary information last year, according to astudy by the AmericanSociety for IndustrialSecurity (ASIS) andPricewaterhouseCoopers.

P A R T 1 : S E C U R I T Y A T I N T E R N E T S P E E D

Security atInternet Speed

As cyber threats proliferate, so do the

ways security breaches can derail your

organization’s long-term success.

omputer security has been an issue since the days ofpunch cards and room-sized computers. So apart fromthe occasional new virus, you wouldn’t think therewas much new to talk about when it comes to pro-

tecting information assets. But the rise of Internet commerce isproving that nothing could be further from the truth.

CPart 3, “Passing the Baton,”examines emerging trends insecurity outsourcing, and showsyou how to determine whenand why outsourcing can beright for your organization.

This booklet is intended foranyone for whom computersecurity is important—and inthe Information Age, thatapplies to virtually everyone.From knowledge workers sharing information assets tofront-line salespeople accessingthe network from far-flunglocations … from the financedepartment focused on riskmanagement to the legal eaglesguarding against liability …from the IT management andstaff charged with protectingyour systems and networks to

the executive managementteam providing strategic vision… everyone has a stake incomputer security.And no oneis absolved from responsibilityfor it.

Internet security is thenumber-one concern amongIT executives, according to arecent study by the analystfirm International Data Corp.(IDC). But for organizations toimplement a workable securityplan that will protect theircomputer resources over thelong term, all stakeholdersmust recognize security’s sig-nificance and act accordingly.To do any less would be torisk your company’s future atthe very threshold of theInternet Era.


place over the Internet, there isan opportunity to exploit thoseinterconnections and thegreater complexity they intro-duce.”

In fact, in the CSI study, 59percent of respondents citedtheir Internet connection as a frequent point of attack—compared with 38 percent whocited their internal systems.And 19 percent suffered unau-thorized access to or misuse oftheir Web sites within the past12 months. Perhaps even moreworrisome, 32 percent saidthey didn’t know if there hadbeen unauthorized access ormisuse of their Web sites.

Why is the Internet, thefoundation of e-business, sovulnerable to attack? The rea-son is that the basic rules guid-ing it, the so-called Internetprotocols, were drafted 30 yearsago with the goal of creating aglobal information-sharing andmessaging infrastructure.Theprotocols were not designed tobe secure from attack, lest theyimpede the free flow of infor-mation they were designed tofacilitate. So while the Internetis indeed the informationsuperhighway it was intendedto be, it is not the secure envi-ronment that e-business archi-tects have come to demand.




0

5

10

15

20

25

30

35

40%

2000

1999

10+5-92-51

30

3638

35

3

10

26

19

Number of Incidents of Web Attacks


The same study found that90 percent of proprietarydata exists in digital form.

■ Fully 90 percent of largebusinesses and governmentagencies detected computersecurity breaches in the pastyear, according to the fifth-annual Computer Crimeand Security Survey con-ducted by the ComputerSecurity Institute (CSI).For the 273 respondentswho were able to calculatefinancial loss, the price tagfor those breaches totaled$266 million.

Of course, these numbersdon’t tell the whole story.Experts agree that most security breaches go unreport-ed. And although “estimates ofthe annual worldwide cost ofsecurity breaches range to thebillions of dollars, it is verydifficult to get an accurate picture [of the problem],” saysChris Christiansen, a securityanalyst for IDC.“Few compa-nies are willing to report security breaches, for fear oflegal reprisals and financial orreputation repercussions. But

it’s safe to say the numbers arehuge.”

F R I E N D O R F O E ?What’s driving the growingsecurity threat, experts say, isthe Internet.The Internet presents companies withtremendous opportunities toenter new markets, to integrate disparate operations and tostreamline processes.As a result,organizations are pursuing e-business with abandon. B2Ce-commerce jumped from$11.2 billion in 1998 to $31.2billion last year, according toDataquest/GartnerGroup ofSan Jose, Calif.And B2B e-commerce is expected tomushroom from $145 billionlast year to $7.3 trillion in2004, composing 7 percent ofworldwide sales transactions,says GartnerGroup.

But the same connectednessthat makes the Internet valu-able also makes it dangerous.“The Internet has had a significant impact on computersecurity,” says Frank Prince,senior e-business infrastructureanalyst with Forrester Researchof Cambridge, Mass.“As com-merce and collaboration take


though the network isn’t a corecompetency for most compa-nies the way it is for BellSouth,it’s still vital to many firms’operations.And like BellSouth,many traditional enterprises arepursuing e-business initiatives.Whether that means electroni-cally delivering services to cus-tomers or integrating supplychains with partners, more datais traveling the network andmore transactions are takingplace in cyber space. In short,more business is at risk.“Whenyou go online and exposeyourself to the world as you doin e-business, the downside of asecurity breach is huge,” says

Parsons.“In fact, you maynever recover.”

Exposures can occur in avariety of places, Parsons notes,from intranets, to onlineexchanges, to new communica-tions tools such as personaldigital assistants (PDAs).Forrester’s Prince agrees:“When you extend businessprocesses to the network anddepend on people to remotelycarry out important opera-tions,” he says,“it creates a situ-ation where your security isonly as strong as the weakestlink.”

As a result, organizationsneed to protect themselves




0

10

20

30

40

50%

2000

1999

Don't KnowBothOutsideInside

75

38

49

41

24

14

21

Sources of Web Attacks


And despite efforts to buildproducts and services to shoreup the Internet’s inherent secu-rity problems, new technologiesare being developed so rapidlythat all security issues may notbe addressed during applicationdevelopment and deployment.

Of course, e-business goesbeyond simple Internet con-nections, affecting how compa-nies go to market, the way theyare organized and even whatthey consider their mostimportant assets. Increasingly,an organization’s value lies notin physical assets such as realestate and equipment, but inelectronic assets such as cus-tomer databases and networkinfrastructures.This represents a fundamental shift from thebricks-and-mortar economy ofjust a few years ago and placesa new premium on avoidingthe potential downsides of asecurity breach.

“For e-businesses, the net-work is the business,” pointsout Christopher Klaus, founderand chief technology officer ofInternet Security Systems (ISS).“A simple denial-of-serviceattack, for example, can bringoperations to a standstill.And

it’s easy to calculate the finan-cial downside of that. If you’redoing a million dollars of business a day on your Website, then you know exactlyhow much a security breachcan cost you.”

However, these dollar lossesdo not include intangible butperhaps even more costly losses, the most critical ofwhich may be the loss of consumer confidence and a corresponding loss of brandequity.

NO T JU S T A PR O B L E M

F O R EM E R G I N G

BU S I N E S S E S

It’s no longer only dot-comsfor whom the network is thebusiness. Just ask Chris Parsons,senior vice president of strategyand business planning for the$25-billion telecommunicationsfirm BellSouth.“Our telecom-munications infrastructure iseverything to us,” says Parsons.“So a network compromise issimply unacceptable.Thatmeans we spend a lot of timeon security detection and ontaking other steps to protectour business.”

Parsons points out that even


e-marketplaces? “We believethe total number is close to800 or 900,” says ArthurSculley, co-author of B2BExchanges (ISI Publications).“New exchanges are beingadded at a rate of five per day,and we expect the [total] number to grow to 3,000within the next 18 months.”

But surprisingly, few of thesemarketplaces make security apriority, say experts.“We don’tsee the security processes ofthese exchanges being consid-ered an important sellingpoint,” says Prince.“That’s aproblem. Marketplaces should

be able to ensure best practiceswhen it comes to security.Andorganizations doing businessover these exchanges should beable to ensure an appropriatelevel of security as well.”

Online sales/procurement:For many organizations, onlinesales are where the e-businessrubber meets the road. But fewrealize that online transactionsare rife with potential securityproblems. Simple breaches canrange from defaced Web sitesto fraudulently lowered priceswhen orders are submitted.More serious attacks can crip-




Your Company Customers

Suppliers

Distributors

Partners

Sensitive Data Flow

Potential Points of Attack

E-Business Danger Zoneswherever and whenever theire-business activities open thedoors to their networks:

Intranets and extranets:Intranets grew as a naturalextension of the Internet,allowing organizations to applyWeb-based technology to theirinternal networks. But as muchas intranets promote streamlinedprocesses and knowledge sharing, they also expose theenterprise to greater risk. Anintruder who breaks throughyour primary line of defensesuddenly has the same conven-ient access to your rich stores of proprietary data as youremployees do.

Extranets extend the intranetto select partners and customers,allowing key stakeholders accessto corporate information andeven to critical internal infra-structure.This only increasesthe risk, because you’re pur-posefully allowing external parties access to your mission-critical business networks.

Supply-chain integration:After the early rush of B2C e-commerce, it’s becomingclear that the real promise of

Internet transactions lies inB2B initiatives. From relativelystraightforward activities such asonline procurement, to elec-tronic collaboration up anddown the supply chain, B2B e-commerce promises tostreamline processes, to reducecosts and to help organizationspursue new, collaborative business opportunities.

But if there were ever a situation in which security iscompromised by a weak link,it’s in supply-chain integration.As sensitive data moves fromsupplier to manufacturer to distributor to retailer, thatinformation is at risk at everystop along the way. Even morecrucial, if suppliers are integrat-ed with your back-end systems,you need to be certain thattheir networks aren’t a hacker’sback door into your enterprise.

E-marketplaces: More busi-ness is taking place over e-mar-ketplaces, also called onlineexchanges. From ChemDex toMetalSite to PlasticsNet, thesesites allow firms to buy and sellgoods and services, to integrateoperations and to reach newmarkets. Just how prevalent are

When data flows freely among business partners and customers, sensitive data issusceptible at more points of attack and intrusion than ever before.


proprietary data frequentlyleaks out of the organization.“It’s too easy for employees toleak sensitive information tothe outside world, eitherknowingly or inadvertently,”says IDC’s Christiansen.“Manypeople don’t realize it’s a viola-tion of most security policies[if they even have one]—andalso potentially illegal—to postcompany financial informationin a chat room, for example.”

And what about new technology tools, so-called digital appliances such as PDAsand other cellular devices?These are a security manager’s

worst nightmare, allowing sensitive corporate data toescape the network with littleor no control. Likewise,Internet-enabled cell phonesare a growing risk. In earlyJune, the first virus targeted atcell phones hit customers ofSpain’s Telefonica.As morefront-line employees takeadvantage of these tools, thesecurity risks will only increase.

WH AT DO YO U

HAV E T O LO S E?The broad spectrum of poten-tial attacks, combined with newvulnerabilities introduced by




0

20

40

60

80

100%

2000

1999

Theft of Transaction Information

Denial of Service

Financial Fraud

Vandalism

98

64

27

3

98

60

25

8

Types of Web Attacks


ple an e-business Web server—and the more revenue you’repulling in on the site, the moreyou stand to lose if your e-tailstore is temporarily out of business.

Far more insidious is theft ofcustomer information such ascredit-card data.“Our researchshows that rates of credit-cardfraud are 11 times higher for e-tailers than for their bricks-and-mortar counterparts,” saysGartnerGroup’s Pescatore.Statistics like that will do littleto build consumer confidencein online sales.

“Web servers tend to offer an abysmal level of security,”Pescatore explains.“Plus,Webmasters tend to operate at a much faster speed thansecurity people, so often thesecurity doesn’t keep up withchanges on the site.”As a result,he says,“two out of three Webservers are hackable.”

Globalization: One aspect of e-business security that maybe overlooked is the globalnature of the Net.As theInternet enables organizationsto push into remote corners ofthe world, the security threats

multiply.“Globalization isincreasingly an issue for everyorganization,” says BellSouth’sParsons.“And it introduces anumber of new factors in termsof threats.”

For starters, a more broadlydistributed network meansmore potential points of attack.And the better integrated yourorganization, the more troublethat can spell.“It doesn’t matterwhere someone breaks into thenetwork,” Parsons points out.“Once they do, they have accessto the entire organization.”

Likewise, security capabilitiesmay not be at the same levelsin all regions.“Global organi-zations do better with securityin geographies where theyhave a strong concentration ofsecurity professionals,” notesParsons.“In certain parts of theworld, you might not be asprepared as you would hope to be, even though the threatsare just as significant.”

New threats: Another often-overlooked threat is ubiquitoustechnologies such as e-mail.Not only is e-mail a commonway to spread computer viruses, but it’s also a place




Proprietary data: In theInformation Age, intellectualcapital is among a company’schief assets. Losing proprietaryinformation—anything fromCAD drawings to sales data todetails on future strategies—canbe devastating. Once this infor-mation is in the hands of com-petitors, it becomes their com-petitive advantage, and even legalremedies won’t necessarily shiftthe balance back in your favor.In fact, according to the CSIstudy,“the most serious financiallosses [occur] through theft ofproprietary information.”

Interestingly, it’s not com-petitors themselves who mostcommonly pilfer proprietarydata, say experts.“Most theft ofproprietary information is frominsiders,” says GartnerGroup’sPescatore.

Legal liabilities: Securitybreaches open a Pandora’s boxof legal repercussions, exposingorganizations to legal action bypartners concerned with con-tractual obligations, sharehold-ers concerned with changes instock valuations and consumersconcerned with privacy issues.

“Security is an increasingly

important legal issue, particu-larly as it relates to privacy,”says Lisa Norton, an associatewith King & Spalding ofWashington, D.C., which isamong the top 50 law firms inthe world.“Consumers areconcerned about privacy, andwe may see class-action andshareholder lawsuits over privacy in the near future.”

In particular, others may tryto hold organizations liable ifthe organizations’ securitymeasures don’t conform to bestpractices, suggests Norton.Forrester’s Prince sees the sametrend, adding that even if firmsare only indirectly involved in asecurity breach, they could stillbe held legally responsible.“Ifyour server is hijacked and usedin a denial-of-service attackagainst someone else, you maybe liable,” he says.

Shareholder equity: Securitybreaches can have a directimpact on a company’s stockvaluation, particularly forvolatile dot-coms—as wit-nessed by price fluctuations for several firms followingFebruary’s denial-of-serviceattacks. Increasingly, sharehold-


e-business, means that securityis a bigger problem now thanever. But what is the net resultwhen security is violated? Whatare the short- and long-termbusiness impacts?

The primary concern isfinancial loss. Compromises toyour computer infrastructurecan mean lost revenue whentransactional systems crash, lostproductivity when operationalsystems or networks go down,high costs to locate and resolvesecurity problems, costs forunbudgeted security enhance-ments—in general, major interruptions of your businessprocesses.

“Security breaches carry withthem a broad range of financialimpacts,” says Richard Macchia,chief financial officer of ISS.“CFOs can no longer say thatthis is the responsibility of theCIO. Security is a businessissue, and financial people haveto consider themselves account-able and be aware of the risks.”

In fact, in the ASIS study,the average company reported2.45 incidents in 1999, withestimated losses per incident of$500,000.That’s not pocketchange. But security breachescan have many other unexpect-ed financial and less-tangiblebusiness impacts:

0

5

10

15

20

25

30

35

40%

System Penetration

DoSUnauthorized Insider Access

VirusesExtended Fraud

Theft of Proprietary Information

35.1

29.5

15.3

11.9

4.3 3.7

Loss by Type of Incident

Source: Derived from 2000 CSI/FBI Survey

Percent of Total Losses Reported by Type of Attack


Internet security into the duediligence process.”

Customer confidence:Partners and shareholders aren’tthe only ones concerned withsecurity; customers will increas-ingly evaluate firms on thebasis of how confident con-sumers feel doing business withthem.As privacy becomes alarger issue and rates of onlinefraud rise, consumers willrefuse to buy from firms thatcan’t guarantee security.Andremember, in the online world,your competitors are just aclick away.“One of the resultsof disintermediation is that thecost and difficulty of switchingdrops dramatically,” saysPescatore.“So if a customerloses confidence in you becauseof a security breach, it’s quiteeasy for them to switch tosomeone else.”

How bad has it gotten? Theworld awoke the morning ofFebruary 7, 2000, to hearbreaking news of what wouldbe the first of a week’s worthof denial-of-service attacks onsome of the most venerablenames in the e-business world.First it was Yahoo’s site that

was hit with massive, hacker-induced outages.That was followed by assaults on the sites of Buy.com and eBay,then Amazon.com and evenCNN.com.Then on the lastday of that month, the FBI’sWeb site was the victim of adenial-of-service attack thatlasted several hours.

Such high-profile attacks goteveryone thinking that if suchmajor sites could be struck,then virtually any size e-busi-ness could be successfully tar-geted, given that the mega-sitestypically invest most heavily inInternet security. For dot-comsstruggling to grab market sharequickly, the repercussions of asecurity breach can be severeindeed.The combination ofcrashed systems, lost revenue,lower stock prices, angry stake-holders, loss of access to tradingpartners, lost customers andnegative publicity can damage afragile e-business brand beyondredemption.

S T R I K I N G A B A L A N C E

In the final analysis, e-businesssecurity is about balancing theneed to open the network tocustomers and partners with




ers will react strongly to threatsagainst information assets.Andno wonder: 50 to 70 percent ofa company’s value is derivedfrom its proprietary data andtrade secrets, according to theASIS study.

As a result, hackers aremounting attacks for the specificpurpose of manipulating stockprices, says Pescatore. Early thisyear, for example, a hackerbroke into the Web site ofAastrom Biosciences of AnnArbor, Mich., and posted abogus press release announcingthe company’s merger withbiopharmaceutical firm GeronCorp. of Menlo Park, Calif.Before the firms discovered theprank and notified the Nasdaqindex where they are traded,Aastrom shares had climbed 10percent, while Geron shareshad risen 8 percent.

Will shareholders respond tosuch breaches with lawsuits?“We haven’t seen much of thathappening yet,” says Norton.“But if the courts start award-ing for something like this,there could be a lot of suits.”

Partner relationships: AsInternet technologies enable

partners to integrate supplychains and to conduct businesselectronically, security willbecome a key part of the busi-ness relationship. If a securitylapse on your part allows ahacker access to your partners’systems, you could be heldaccountable.And even if yourpartners aren’t affected, vulner-abilities in your systems maymake them hesitate to do business with you. Manyorganizations partner in onearea but compete in another.Thus, relationships may not beas stable as they once were.

Minimum security levels willincreasingly be a price of entryinto partner relationships, sayexperts, particularly in electronicenvironments such as onlineexchanges.That also applies tomerger-and-acquisition activity,which continues at a briskpace.“M&A activity around theworld is continuing to increaseat a rapid pace,” notes PatrickSchul, director of sales for NewYork-based Marsh Inc., aprovider of risk solutions andservices.“And it’s becomingincreasingly common for companies to incorporate thepotential risks associated with


P A R T 2 : T H E T R O U B L E W I T H T E C H N O L O G Y



the need to protect the information assets that are thelifeblood of the organization.“The marketing people seecomplete access as a require-ment, while the security peoplesee it as the worst possible scenario,” says BellSouth’sParsons.“There has to be ameeting of these two minds. Soit’s a people issue as much as atechnology issue.” Fortunately,minds are beginning to change.“E-business is transforming theway organizations view securi-ty,” says Klaus of ISS.“Theyunderstand now that securityisn’t a technology, but a process.It’s an entire methodology thathas a full life cycle.”

In the e-business realm, whatdoes that life cycle entail? “Thethree things e-business requiresare availability, data integrityand privacy,” says Pescatore.“Web sites must be available,data must be available, and sys-tems must be available.Youmust have data integrity andthe ability to ensure that trans-action information has not

been altered. Most important,you need to be able to guaran-tee privacy, to keep customerdata away from intruders.”

Security strategies themselveswill be different for differentsized companies. Specifically,each size segment will require a different mix of security services, with some developed,deployed and maintained by in-house staff and others provided by outside vendors oroutsourcers of managed servic-es.The common theme acrossall companies is the absolute,mission-critical imperative of securing the e-business,regardless of how big or smallthe company may be.

Availability, integrity and privacy are what solid securityprotects.The vulnerabilities aremany, the threats abound andthe stakes are high. But aware-ness of the issues, the righttechnology tools or services,and a comprehensive securitystrategy can enable organiza-tions of any size to conductbusiness at Internet speed.

eb Rich knows how important technology tools are inprotecting an organization’s computer infrastructure.As a senior network engineer who manages securityfor the University of Colorado Hospital, she uses arange of security solutions to protect highly sensitive

patient data as it traverses a large, complex network.But Rich also knows technology’s limitations.That’s why the hos-

pital has developed a security policy that not only dictates whathardware and software components will keep intruders at bay, butalso describes how security supports the organization’s core business.

The Trouble with Technology

Most companies deal with security by throwing

technology at it.While technology tools are absolutely

necessary for keeping information assets safe, they’re

only part of a complete security solution.

D“Security is very important

to us from a patient-privacyperspective,” says Rich,“evenmore important than for otherorganizations.We also haveincreasing pressure in the formof government regulations.So we are constantly evaluatingour security situation to antici-pate potential problems and to prepare for new demands.That requires more than just

technology; it requires a security strategy.”

“Security needs to be governed by an overall policy,and that policy needs to beholistically aligned with business strategy,” agrees ISS’Christopher Klaus.“You can’tpractice security for security’ssake. Instead, you need to iden-tify the business objectives youwant to accomplish, and then





wrap your security policyaround that.”

The trouble is, few organiza-tions heed that sound advice.Arecent InformationWeek survey of4,900 executives, security pro-fessionals and technology man-agers reveals that 71 percent oforganizations rank security as a high priority, up from 60 percent last year. But only 38percent say security policies are well aligned with businessgoals, and 17 percent say secu-rity and business goals don’tmesh at all. Small and mid-sized organizations, in particu-lar, often feel that they don’thave the resources to invest indeveloping and enforcing a

comprehensive security policy.“Just throwing technology at

a security problem isn’t thesolution,” says Frank Prince, ofForrester Research.“You needto determine what you want toprotect and how important it isto protect it. Only then canyou decide which securitysolutions are most appropriateto achieving your goals.”

A D D R E S S I N G

B U S I N E S S N E E D S

The fact is, security isn’t atechnology problem, but abusiness problem.Approachedthis way, security takes on anentirely different aspect. It’s nolonger a method of mitigating

0

10

20

30

40

50

60

70

80%

2000

1999

1998

HighModerateLow

~8 ~6 ~5

~36~32

~22

~55~60

~71

Priority of Information Security

Source: InformationWeek Global Information Security Survey of 4,900 security professionals

disaster but a means of achieving business success.“Organizations must movebeyond looking at security as away to deal with fear and lookat it as a business enabler and a growth mechanism,” saysIDC’s Chris Christiansen.Anappropriate security policy canenable you to “reach a largernumber of customers and business partners with a higherlevel of trust.That’s a lot moremeaningful than talking abouthow many hours of downtimeyou can avoid.”

Approaching security as abusiness issue means creating a policy that specifies howsecurity will support your business, establishing the valueof your information resources,identifying their level of vulnerability and determininghow you will respond if thoseresources are compromised:

Creating a security policy:Effective security starts withthe development of an overar-ching policy.A good policyunifies all aspects of your security measures into a singlestrategy. It deals with broadissues such as the value of

information assets, and itaddresses specific questionssuch as who has access to what.It embodies the work you doto analyze risk and to develop aresponse plan, and it specifieswhich technology tools areapplied to which resources.

However, few organizationstake the time or have the inter-nal human technical resourcesto develop such a policy. Infact, only about 30 percent of companies that considersecurity a high priority have awritten security policy thatoutlines objectives, accordingto the InformationWeek study.It’s safe to assume the numberis lower for organizations thatdon’t consider security a highpriority.

That could spell disaster.“Security tends to deal withwhat we know,” points outBellSouth’s Chris Parsons.“We address known threats tomake sure they don’t happenagain. But when threats appearfor the first time, they can goundetected.That’s why it’s necessary to have a policy inplace, to have your infrastruc-ture ready, to have your peopleready and to have partners who





can help you respond quickly.”Small and mid-sized organi-

zations may believe they don’trequire a security policy, orthey may feel that they lack thewherewithal to design one—after all, many firms don’t evenhave dedicated security person-nel. But experts emphasize thata policy is still essential, even if it’s rudimentary. Even a verybig-picture approach todescribing your informationassets, the threats they face, thetools and techniques you willuse to protect them, and howthose mechanisms will beenforced will go a long waytoward keeping your securityon track.

As important as developing apolicy is how you develop it.“Most policies approach securi-ty with a mandate of ‘Keep ussafe,’” says Forrester’s Prince.“But security threats can’t bejudged in the light of a broadmandate.You need to firstidentify your needs and thenfigure out how to meet them.So instead of saying, ‘We needto apply this patch to theaccounting system,’ you shouldstart with your need, such as‘We need to close the books at

the end of the month.’”Ideally, a security policy

should also deal with specifics.How do employees authenti-cate themselves? How oftenmust they change passwords?How do you authorize access?How do you determineauthorization levels, and howdo you change them oncethey’re established? What areyour rules for e-mail usage,Web access, instant messaging,MP3, online gaming andstreaming video? The Internetintroduces a host of such issues,and all have an impact on yoursecurity policy.

Finally, your security policymust address people issues.Allemployees must view securityas their responsibility, and safepractices must become secondnature.That involves education,from regular reminders thathelp employees avoid viruses toworkshops that help key per-sonnel align security measureswith business requirements. Butultimately it involves a culturethat recognizes the value of itsinformation assets and is com-mitted to protecting them.

“If you do it right, creating asecurity policy is difficult

and painful,” says IDC’sChristiansen.“At its heart is achange in behavior.And beforeyou can achieve that, you haveto gain consensus.You have tomeet with lots of people andconvince them to agree to anew set of behaviors. If peopledon’t buy into the policy,they’ll use all kinds of ingenu-ity to get around it.”

Classifying your resources:If you’re applying the samelevel of security to all systems,then you certainly aren’t spend-

ing your security dollars wisely,and you’re probably leaving keysystems open to attack.Classification involves lookingat your computer resources anddetermining how importantsecurity issues such as availabili-ty, integrity and privacy are foreach of them. If a particular system is critical to your success, then you must investaccordingly in the securitymeasures that will protect it.

That seems reasonableenough, but a relatively smallpercentage of organizations

0

20

40

60

80

100%

Were able to Quantify Loss

Acknowledged Financial

Loss

Reported Serious

Breaches*

Detected Breaches

90

7074

42

Security Breaches in the Past12 Months

Survey of 643 large organizations

Losses for 273 respondents totaled $266 million

Source: 2000 CSI/FBI Survey* Serious breaches include theft of proprietary information, financial fraud, system penetration, etc.





What are the predominant security risks in the Internet Economy?“The threats are largely the same ones that have always beenthere,” says Frank Prince, of Forrester Research. “It’s just that

e-business has lowered the [access] threshold.” Here are some of the most commonsecurity risks:

Denial-of-Service (DoS) attacks: In a DoS attack, a hacker gainsaccess to several computers connected to the Internet and installs code on those systems. At the hacker’s signal, the systems start sending data to targeted Websites. The sudden burst of network traffic overloads the Web servers and the net-works they’re connected to, slowing performance and eventually crashing the site. InFebruary, DoS attacks knocked out service for five of the 10 most popular Web sites,including Amazon, Yahoo and eBay. Financial repercussions rang in at $1.2 billion inlost revenue and subsequent losses in market capitalization, according to YankeeGroup of Boston.

Hackers: A hacker is anyone who gains unauthorized access to computerresources for the purpose of stealing information or sabotaging systems. The Internetonly makes a hacker’s task easier, which means that the number of hackers will grow.Hackers may be employees stealing proprietary information to sell to competitors,pranksters defacing your Web site, or criminals capturing credit-card data or illegallytransferring funds. “There will be an increase in online criminal activity,” says IDC’sChris Christiansen. “Money is no longer in banks, but in bits. And it’s easy to stealbits and quickly move them around the world.”

Insiders: Between 70 and 90 percent of attacks come from inside the organiza-

tion, reports Hurwitz Group of Framingham, Mass. And although an annual study bySan Francisco-based Computer Security Institute indicates that the rate of insiderattacks is falling—only 38 percent of respondents cited internal systems as a “fre-quent” point of attack last year—experts point out that internal breaches can be themost pernicious. “The majority of high-value breaches—those costing $250,000 ormore—are perpetrated from the inside,” says Forrester’s Prince. “That’s becauseinsiders often know how to access the most valuable data.”

Physical break-ins: One often-overlooked threat is physical securitybreaches—when intruders actually gain access to a data center or steal equipment.Data-center security goes beyond a simple lock and key, informing the overall waythe facility is designed and operated. Are personnel monitored as they come and gofrom the data center? Are power switches that turn on and off mission-critical serverswithin easy reach? Can a simple tug on a power cord or cable knock out your net-work? Likewise, stolen laptops and PDAs are a common and costly problem, not onlybecause they’re expensive to replace but also because of the proprietary informationthat may be stored on them.

Viruses: The most common form of security breach, a virus is a program or piece of code that is loaded onto an organization’s computers without the organization’s knowledge and runs against its wishes. Viruses attach themselves toprograms or files on your system; when a program runs, so does the virus. Most canself-replicate, quickly using all available computer memory, and many can transmitthemselves across networks. Just how destructive are viruses? The May, 2000, “I Love You” virus cost businesses an astonishing $6.7 billion in lost productivity andrepairs, says research firm Computer Economics of Carlsbad, Calif.

actually evaluate their systemsthis way. In fact, only 33 per-cent of companies have classi-fied what information is mostvaluable, according to theInformationWeek study. Likewise,“consistent mechanisms and

processes for determining thevalue of proprietary informa-tion are not in place at mostFortune 1000 companies,” con-firms a recent report by theAmerican Society for IndustrialSecurity (ASIS) and Price-

waterhouseCoopers.The samesituation is likely to be foundin smaller companies as well.

Analyzing your risk:Another prerequisite for effec-tive security is having a sense

of your vulnerabilities.That’swhere risk analysis comes in. By using an establishedmethodology for assessing yoursystems, data and networks, youcan determine which computerresources are most at risk and

Know Thine Enemy





which technology tools andpractices will best protect them.

Many organizations turn tooutside firms for risk analysis.Experts agree that organizationshire security consultants forsecurity audits for the samereason they use outsideaccounting firms for financialaudits: they need an independ-ent, impartial third party.Common issues such consult-ants and specialists look forinclude misconfigured systems,poorly designed e-businessinfrastructures, and back doorsinto networks through partnerconnections. Internal IT staff

might lack the expertise tolocate such trouble spots, andthey may also lack the objectiv-ity to find flaws in systems theydesigned.

Developing a response plan:What happens if a breach takesplace? The wee hours of themorning following an attackare no time to be deciding howto respond. Incident prepared-ness starts with identifying whoshould respond to an incidentand what their roles should be.It often makes sense to desig-nate a single person as theresponse coordinator.Then

develop a team of representa-tives from all appropriatedepartments, including IT,legal, human resources andpublic relations. Educate teammembers thoroughly and conduct regular fire drills.

Also establish procedures fordetermining the seriousness ofthe breach and what actionsteam members should takegiven the severity of the break-in.The IT department willlikely take steps to contain thebreach, while the legal depart-ment might initiate actions toidentify the perpetrator. If thebreach affects employees, HRmight inform them of whatactions they should take. If customers are affected, the PRdepartment might take steps tomanage public perception.

FR O M SE C U R I T Y T O

RI S K MA N A G E M E N T

You’ve created a security poli-cy, classified systems, assessedrisk and developed a responseplan. Have you achieved 100percent security? In short, no.Experts agree that despite thebest efforts, organizations willalways be vulnerable to the latest virus, the cleverest hacker

or the most insidious insiderbreak-in. In fact, even thelargest organizations with thedeepest IT pockets eventuallyreach a point of diminishingreturns on their security investments.

At this point, security entersthe realm of risk management.Traditionally, risk managementwas concerned with protectingphysical assets such as equip-ment, inventory and physicalplant. But in the InternetEconomy, the assets andprocesses that are critical tobusiness success reside in data-bases and traverse the network.So increasingly, say experts,organizations will considerinsurance policies to managethe gap between the real andthe ideal in computer security.

“Even with the best controlsand mitigation strategies, thereis still risk.And this is a busi-ness risk,” says Emily Q.Freeman, senior vice presidentand national practice leader,e-business risk solutions atMarsh Inc. of New York, aprovider of risk solutions andservices.“Without the ability tocontractually transfer that riskto someone else, those losses

0

20

40

60

80

100%

2000

1999

1998

Foreign Governments

Foreign Corporations

U.S. Competitors

Independent Hackers

Disgruntled Employees

89 8681

72 74 77

4853

44

29 3026

21 21 21

Likely Sources of Attack






come out of your balancesheet. Insurance is a way foryou to manage that risk. Ittransfers the risk to an insur-ance company in exchange fora premium.”

As recent history has shown,there is no computer systemthat is 100 percent secure.Andto some extent, the more complex distributed, networkedsystems become, the more vulnerable they are.Thus,experts see insurance as a logical component of a complete security program.

“Security is one area inwhich organizations cannot

afford to operate in the dark,”says former U.S. Senator Sam Nunn, who has beeninstrumental in raising aware-ness of security issues withinthe federal government.“How vulnerable are your informationnetworks? Could a computer-based attack cripple them anderode consumer confidence inyour company? Organizationsneed a uniform policy for protecting their networks,responding to incidents andassessing the risk of such computer attacks.”

In fact, new offerings fromseveral leading insurers are

specifically targeted at protect-ing information and reputationassets against security breaches.This is an important develop-ment, because “traditionalinsurance protects physicalassets against things like earth-quakes and hurricanes,” saysMarsh’s Freeman.“It doesn’tdeal well with information.”

Security insurance coversthings such as security breach-es, computer theft, errors oromissions that cause financialdamage to others, and “contentinjury”—things like infringe-ment of copyrights and privacyviolations.A good policy willprotect against cyber attacks,viruses and programmer errors,and against lost income andextra expenses associated withthe disruption of electronicactivities.

Insurance can also help justify the cost of security inbusiness terms.“It can be hardto justify a budget for securitywithout being able to quantifythe risk,” says Matthew Kovar,an analyst with Boston-basedYankee Group.“An insurancepolicy creates balance betweenwhat you are protecting andwhat you’re spending to

protect it.”In any case, there’s no ques-

tion that computer security andoverall risk management arebecoming intertwined.“Information security is centralto risk management in theInternet Economy,” concludesFreeman.“You can’t do riskmanagement in the InternetEconomy without doing information security. It’s notthe entire risk managementprogram, but it’s an essentialcomponent.”

EN A B L I N G E-BU S I N E S S

At the University of ColoradoHospital, Deb Rich haswatched computer securitybecome crucial to the organiza-tion’s business.“Fifteen yearsago there was no security,”she says.“But you can’t operatelike that anymore.”As morepatient information is captured,stored and communicated electronically, as more hospitaloperations rely on electronicprocesses, security becomeseither an obstacle or an enabler.“If you’re going to have dataflying around the network,” saysRich,“then you have to protectit. It’s that simple.”

0

20

40

60

80

100%

Don't know of unauthorized

access or misuse

Had unauthorized access or misuse in past 12 months

Conduct E-Business

Have Web Site

90

43

19

32

Web Site Attacks



P A R T 3 : P A S S I N G T H E B A T O N



Still the risks multiply—andwith them, the challenges ofsecuring the business. Manyof these challenges are a prod-uct of the Internet Economy.The open nature of e-businessnetworks means that morepeople have access to yoursystems, and that protectingthem is far more difficult thanit was in the past.Theunprecedented pace of e-

business opportunities meansorganizations often have littletime to take security concernsinto consideration.And rapiddevelopment of e-businesstechnology means the ITinfrastructure is growing evermore complex.

Then there’s the continuingshortage of tech talent.Thereare nearly 60,000 more ITjobs in the United States than

Passing the Baton

For most organizations, security isn’t a core

competency. But it is mission-critical.That means

a growing number of firms will turn to outsourcing

to meet some or most of their security needs.

s the upsurge in e-business activity makes protectingnetworks crucial, as the growing concern over

consumer privacy makes guarding databases essential, as theincreasing reliance on information assets makes securing the IT infrastructure an imperative, organizations large and small are struggling to develop and to deploy optimal security solutions.They assess their security needs.They invest in securitymeasures.They develop broad-based security policies.They buyan extra measure of protection through security insurance.

Protecting data goes beyondhardware and software, beyondtools and techniques, beyondeven policies and procedures.Security is a business impera-tive. It allows you to collectthe information that buildscustomer relationships, to sharethe information that enablescollaborative partnerships, andto take advantage of the information that makes youmore competitive. It meansthat customers can trust youwith their personal data, that partners can trust you won’texpose their trade secrets tocompetitors, and that share-

holders can trust you are taking the steps necessary toensure your long-term success.

In short, security enables e-business.“Any time you canavoid turning bits into atomsand back into bits again, yourealize enormous advantages,”says Tom Noonan, CEO ofInternet Security Systems.“Any time you can reducelatency or eliminate interme-diary steps, you decrease costs,you improve customer satisfaction, and you have the opportunity to increase revenue.That’s the promise of secure systems.”

A





there are qualified candidates,and turnover rates are soaringpast 20 percent, reportsPhiladelphia-based Hay Group,an HR consultancy. In fact, theDepartment of Commerce saysthe country will require 1.3million new highly skilled ITworkers in the years leading upto 2006. It’s no wonder morethan 60 percent of CIOs list ITstaffing among their top threeday-to-day issues, according toForrester Research.

In Computerworld’s 14thAnnual Salary Survey, releasedin September 2000, securitymanagers and administrators

netted the largest salary increas-es, a trend likely to continue.The same survey found thatentry-level salaries for securityspecialists are among the highest in IT, with entry-levelsecurity staff being hired at anaverage annual salary of$44,439, higher even than thesalary of entry-level networkadministrators.

Meanwhile, earlier in 2000,the UK firm Xephon PLCfound that 43 out of 90 com-panies it surveyed decided tooutsource security needsbecause they either didn’t havethe right skills in-house or they

Very well44%

Somewhat44%

Not well-aligned 12%

Are Security Policies Alignedwith Business Goals?

Source: InformationWeek

2000

Very well38%

Somewhat45%

Not well-aligned 17%

1999

wanted internal staff to workon more strategic projects.

The shortage of informationsecurity professionals is acute.“The sheer volume of potentialvulnerabilities and threats, com-bined with the complexity ofsecurity technology, means thatit is virtually impossible for anorganization to find staff withthe knowledge and capabilitiesto respond effectively,” saysYankee Group’s MatthewKovar.

T H E E X T E R N A L

A N S W E R

Organizations are looking for asolution.They need a cost-effi-cient, effective way to maintainhigh levels of security whilefocusing on their e-businessinitiatives and on their corecompetencies. Increasingly, sayexperts, that solution will besecurity outsourcing.

“Outsourcing will become anecessity,” predicts IDC’s ChrisChristiansen.“The complexityof environments, the increasingdemands on the network, andthe scarcity of trained securityprofessionals will mean thatorganizations will have to lookto outsourcing.The fact is that

security is not a core compe-tency for most organizations.”

Even organizations for whomsecurity is a key part of thebusiness are partnering withexternal providers.At the $25-billion telecommunicationsfirm BellSouth, for example,the network is, literally, thebusiness. And that meansBellSouth requires the highestlevels of network security.“Weconsider security a core com-petency,” says BellSouth’s ChrisParsons.“But we still partnerwith security providers to besure we have the best skills andsolutions.”

BellSouth is in good compa-ny. Investment in networksecurity services in general willgrow from $512 million in1998 to $2.24 billion in 2003,IDC anticipates, a compoundannual rate of about 34 per-cent.And the move to securityoutsourcing in particular is partof an overall trend towardoffloading crucial but non-coreIT functions. In fact, companiesworldwide will invest in IToutsourcing to the tune of$123 billion by 2002, predictsDataquest/GartnerGroup ofSan Jose, Calif.


“Security outsourcing holdsa lot of promise,” agreesForrester’s Frank Prince.“Itallows organizations to retainthe responsibility of managingsecurity without actually doingit themselves. A lot of day-to-day security activities are difficult and expensive becauseof the technical knowledgerequired, the rapid pace ofchanging threats and the diffi-culty in hiring knowledgeablestaff.These things can beoffloaded to a company thatcan handle them. For the vast majority of companies,[security] doesn’t need to bedone in-house.”

P R I M E O P P O R T U N I T Y

That’s exactly what RobertEnslein discovered.As CEO ofNew York-based Prime OfficeCenters, Enslein knows realestate, not security. But he alsoknows that a secure network iscrucial to his business.

Prime Office Centers oper-ates 250 office suites at threelocations in lower and mid-town Manhattan.The officescome fully furnished and offera complete complement ofbusiness services, including a

preinstalled telephone and network infrastructure. Clientscan literally sign a lease todayand move in tomorrow.“Companies know that theinnermost circle of hell is tonegotiate a lease with a NewYork landlord,” jokes Enslein.“So if they want to move intotheir space tomorrow and havea phone on the desk and acomplete infrastructure alreadyin place, they turn to us.”

The organizations that leasespace from Prime OfficeCenters range from consultantsand insurance brokers to majorfirms such as Gateway andIntel.These companies come toPrime Office Centers for theprestigious address and for therange of services—including asecure T1 Internet connection.“That is a competitive advan-tage, something I believeattracts people to do businesswith us,” says Enslein.“Anyonecan offer raw bandwidth.Whatwe’re offering is a truly securenetwork.”

But Prime Office Centersdoesn’t rely on internalresources to protect that net-work. Instead, it outsourcesadministration of its security




needs to an external provider.“We can manage most of ourIT needs in-house,” Ensleinexplains.“But we don’t havethe expertise to handle security.It requires a high level ofknowledge and skill that probably isn’t in our best interest to invest in.”

Outsourcing enables PrimeOffice Centers to focus on itscore business. It also givesEnslein a level of confidencethat a key competitive advan-tage—the secure network it

offers its clients—is being properly managed.“If someonewere to hack into our networkand disrupt the activities of ourclients, that would be extremelydetrimental to our business,”says Enslein.“So we wouldn’toutsource our security unlesswe felt 100 percent confident it was the right business decision.”

A year into the contract,Enslein is convinced now morethan ever that he made theright choice.“Outsourcing

0

10

20

30

40

50

60

70

80%

More automation

Trusted operating

system

Trusted Web server

Technology/product

integration

More accurate

monitoring

Authentication of users

What Would You Change AboutYour Security Infrastructure to

Make it Adequate?

Source: NetworkWorld


offers a lot of benefits, there’sno question about that,” hesays.“We wouldn’t have beenable to achieve this level ofsecurity if we had tried to do it ourselves.”

B U S I N E S S B E N E F I T S

What are the primary advan-tages of security outsourcing?“The benefits are largely thesame as for any outsourcing sit-uation,” says Forrester’s Prince.“You outsource to gain betterquality of service and morepredictable costs. Over time,organizations that use best-of-breed service providers fortheir non-core operations willoutperform those that do itthemselves.”

That quality of service isprobably the key advantage toorganizations using outsourcers.Security outsourcers haveimplemented best practices anddeveloped proven methodolo-gies that they can apply to yourorganization.They have accessto state-of-the-art solutions andthe expertise to deploy themmost effectively.They can offersophisticated strategies, com-prehensive disaster recoveryplans, and arcane but important

advantages such as forensicsservices to help you trackdown cyber criminals.

Outsourcing can also yieldless-tangible benefits such asavoiding political conflicts.“Security can be a constantsource of battles, and securitydecisions are often unpopularamong users,” says Prince.“Theoutsourcer can be the one torecommend an unpopularcourse of action, or to giveobjective support to the deci-sions of internal technical orsecurity staff.” Because thedirectives are coming from anoutside expert, employees andother stakeholders may bemore likely to conform tothem.

Another important benefit ofoutsourcing is that securityservices providers can attractand retain the best tech talent,and can invest in the trainingand development that the vastmajority of firms simply can’tcost-justify. In today’s tight jobmarket, security professionalscan easily command six-figuresalaries. Few organizations canafford to keep a staff of suchexperts monitoring the net-work around the clock.As the




table on page 41 shows, thecosts of in-house security provisioning are indeed steep.

With outsourcing, costs willcertainly become more pre-dictable: You get a specific levelof service for a pre-establishedfee. You can also shift securitycosts from your capital budgetto your operational budget.Finally, there’s no need for youto invest directly in securityenhancements—that becomesyour outsourcer’s problem.

“If you look at outsourcingpurely in terms of cost, it willprobably seem expensive,” saysEnslein of Prime OfficeCenters.“But if you look at itin terms of time saved or theability to focus on your corebusiness, the value more thanmakes up for the cost.”

K N O W I N G W H E N T O

L O O K O U T S I D E

You can outsource a broadrange of security measures.Candidates include virus pro-tection (think “inoculation”),intrusion detection (think “bur-glar alarm”) and vulnerabilityassessment (think “internalaudit”). Outsourcing can takethe form of onsite security

management, remote networkmonitoring or “proxy-basedsolutions” such as routing e-mail traffic through the outsourcer’s systems for real-time evaluation.

Prince suggests that organiza-tions consider some or all ofthe following security cate-gories for outsourcing:

1.Authentication andauthorization: While func-tions like password adminis-tration are often handled byhuman resources or by individual departments, theunderlying infrastructure canbe successfully outsourced.

2.Security operations:Day-to-day management oftools such as firewalls andintrusion detection systemsare ideal for either onsite orremote outsourcing.

3.Incident management:Outsourcers are often betterprepared than internal secu-rity staff to respond to emer-gencies and to get your net-work back up and running.

IDC’s Christiansen recom-mends that companies out-source functions that require


constant vigilance, such as virusprotection and intrusion detec-tion.“Your security is only asgood as its last update,” henotes, since new viruses arealways being developed.And new technology alwaysintroduces potential new vulnerabilities.“By payingsomeone else to manage that,you have some degree of assurance that updates are current.You also have legalrecourse should a breach occur,and you may find it easier toobtain security insurance.”

What should you look for in a security outsourcer? Mostimportant are reputation andexperience.“Look for an outsourcer with a strong trackrecord,” says Prince. “Get references, and look into them.There’s no substitute for references.” Beyond that, besure the outsourcer candemonstrate that it understandsyour security and businessrequirements, can provide thelevel of protection you require,and has the resources in placeto scale as your needs grow.

Outsourcing also places apremium on ensuring that youhave a solid security policy that

specifies who is responsible forwhat.As in any outsourcingrelationship, make sure bothyou and your provider agree onservice levels and responsetimes—before an incidentoccurs.And even if you’re out-sourcing large portions of yoursecurity, it’s wise to retain orassign internal staff to overseethe relationship and to ensurethat the outsourcer delivers theappropriate level of service.

Most important, perhaps, isto approach outsourcing know-ing what you hope to achieveby offloading management ofyour security. Organizationsthat perform due diligence aremore likely to succeed in theiroutsourcing initiatives, accord-ing to a recent study by IDCand Technology & BusinessIntegrators of Woodcliff Lake,N.J. In fact, only 13 percent ofoutsourcing arrangements weresuccessful without due dili-gence. It helps the providerunderstand how outsourcingcontributes to your businessobjectives, and lets both partiesset realistic expectations forsuccess.

Overall, experts believe thatsecurity outsourcing holds




The Economies of Outsourcing

Year 1 costs

Component In-house Costs Outsourcedsolution

Hardware/software $ 60,000 $ 50,000 1-time setup/install N/A $ 18,000 Monthly management N/A $ 75,000 Employee salaries $ 180,000 N/A Employee training $ 24,000 N/A Total $ 264,000 $ 143,000

Estimated Year 1 savings $ 121,000

Year 2+ costs (annual)

Component In-house Costs Outsourcedsolution

HW/SW maintenance $ 8,000 $ 7,000 Monthly management N/A $ 75,000 Employee salaries $ 180,000 N/A Employee training $ 24,000 N/A Total $ 212,000 $ 82,000

Estimated Year 2+ annual savings $ 130,000

AssumptionsBased on a 250-user network using a single T1 Internet gateway. Securityelements include single Check Point Firewall-1™ 250-user license runningona Nokia IP330 device, and two Sun Netra T1 servers running InternetSecurity Systems RealSecure™ intrusion protection software.

Employee salaries are based on three salaried employees, each working an 8-hour shift daily and earning $60K per year while devoting 100% of their on-duty time to managing/monitoring security devices.

Employee training includes 2 courses per year for each employee mentionedabove, as well as travel expenses.

Source: Internet Security Systems


T H E T O O L S T H A T P R O T E C T



n important part of anoverall security strat-

egy is the securityhardware and sofware that pro-tect your information assets. Infact, the market for security soft-ware alone will grow from $3.2billion in 1998 to $8.3 billion in2003, predicts International DataCorp. of Framingham, Mass. Hereare some common security toolsand techniques:

Anti-virus software:

Because viruses are the mostprevalent security threat, anti-virus software is a key weapon inthe security arsenal. There areseveral types of anti-virus soft-ware—from solutions that protectindividual PCs to those that pro-tect file and messaging servers—and all are necessary in thefight against viruses. An effectiveanti-virus strategy also includesregular software updates to pro-tect against the latest threats, aswell as ongoing education toensure that users are aware of

the dangers and how to avoidthem. Perhaps most important, ananti-virus strategy must specifystandards for desktop configura-tions and usage. By restrictingwhat software employees arepermitted to load on their PCs,you can help prevent viruses frombeing introduced and can solvebreaches more quickly if theyoccur.

Authentication:

Authentication provides a meansfor identifying an “object”—auser, a system, an application andso on. After being authenticated,the object can be granted accessto the services it requires, and itsactivities can be monitored.Authentication mechanisms varyfrom the familiar username andpassword to sophisticated bio-metrics systems, which authenti-cate users through physical char-acteristics such as fingerprints.Authentication is a foundation ofany security plan, and is often akey part of other security solu-

The Tools ThatProtect

great promise.“We know ofvery few companies that haveoutsourced their entire ITsecurity function.Yet, we canname very few others whosesecurity organization can operate effectively today giventhe breadth and depth ofknowledge and skills requiredwithout augmenting internalresources with external help,”says a recent report by Giga

Information Group.While security outsourcing is

a relatively new concept, agrowing number of organiza-tions will use it to align theirsecurity efforts with their busi-ness goals.“It was a big jump forus to do this kind of thing,” con-cedes Enslein of Prime OfficeCenters.“But we’ve had noregrets. In my view, security out-sourcing is the perfect solution.”

A





tions. The authentication tech-nology you use to protect a par-ticular computer resource shouldbe determined by the resource’simportance to your business.

Firewalls: The job of a fire-wall is to examine data as itenters the network and to blocktraffic that doesn’t meet speci-fied criteria. There are severaltypes of firewalls, and all can beused in combination. A proxyserver intercepts all messagesentering and leaving the networkand hides the true networkaddress. A packet filter exam-ines data packets entering orleaving the network and acceptsor rejects them on the basis ofspecified criteria. An applicationgateway secures specific appli-cations. A circuit-level gatewayapplies security mechanismswhen a connection is estab-lished; after that, network trafficflows without further checking.

Intrusion detection

systems (IDS): Applicationsthat actively monitor operatingsystems and network traffic forattacks and breaches are consid-ered an IDS. Its goal is to pro-vide a near-real-time view ofwhat’s happening on the net-work. There are two approachesto intrusion detection: network-based and host-based. Network-based systems “sniff” the wire,comparing live traffic patterns toa list of known attacks. Host-based systems use software“agents” that are installed on allservers and report activity to acentral console. A completesolution involves both types.Both require a regularly updatedlist of known attacks, just likeanti-virus software. But they canalso detect an electronic attack-er trying different passwordcombinations and alert the oper-ations center or even automati-cally shut down that part of thenetwork.

Public key infra-

structure (PKI): PKI isa mechanism for both authen-tication and encryption, com-bining software, encryptiontechnologies and services toprotect network communica-tions and e-business transac-tions. PKI involves a system ofdigital certificates—an attach-ment to an electronic messagethat can encrypt data and veri-fy that the sender is who he orshe claims to be—as well ascertificate authorities, a thirdparty that issues the digitalcertificate. PKI protects infor-mation assets by authenticat-ing identity using a digital cer-tificate, verifying integrity byensuring that messages havenot been altered or data cor-rupted, and ensuring privacyby protecting information frominterception during transit. Itseffectiveness has been ham-pered, however, by the factthat several PKIs are in use,and no standard yet exists.

Virtual private net-

works (VPNs): VPNsallow remote employees toaccess the corporate networkby using the Internet as thetransmission medium.Encryption technology andsecure protocols make thenetwork “private,” eventhough communication takesplace over public phone lines.In effect, the VPN makes pos-sible the secure exchange ofinformation across the Net.And it achieves that at abouthalf the cost of a truly privatenetwork such as a leased line.Worldwide expenditures onVPN products will jump from$6.3 billion this year to morethan $39.8 billion by 2004,predicts Infonetics Research ofSan Jose, Calif.

The Tools That Protect continued from page 43


that approach security as abusiness issue have a firmfoundation from which to pur-sue new opportunities. In theInternet Economy, a securenetwork means that a greaternumber of customers, partnersand investors will do businesswith you and become stake-holders with you. I know wecertainly feel that way here atCottrell & Maguire regardingour clients around the globeand the protection of theirvital business informationassets.”

The costs of not managingsecurity risks can be highindeed. Compromises to yourcomputer infrastructure canresult in losses on every front—lost revenue, lost data, lost productivity, lost customer confidence and lost shareholderequity. It’s not an exaggerationto say that organizations simplycan’t afford not to invest insecurity.

Of course, there will alwaysbe a gap between the real andthe ideal.There is a point atwhich further investment insecurity will not yield adequatereturns.When they reach that

point, organizations are begin-ning to turn to cyber insuranceas a way to manage the risk—the same way they managerisks to physical assets.

Finally, a growing number ofcompanies are concluding thatwhile security is mission-criti-cal, it’s not a core competency.That means security becomes acandidate for outsourcing, justlike other non-core IT func-tions. Outsourcing gives organ-izations access to best securitypractices, state-of-the-art security technology, and highlytrained, knowledgeable securityexperts, all while renderingsecurity costs predictable andmanageable.

Ultimately, computer securi-ty is a business enabler. It’s lessabout keeping the networkfrom going down and moreabout ensuring the availability,integrity and privacy that letscustomers trust you to protecttheir personal information,that lets partners trust you toprotect their systems, and that lets stakeholders trust you to protect their investments.That’s security in the InternetEconomy.

C O N C L U S I O N : T H E B U S I N E S S O F S E C U R I T Y


The Business of Security

Security no longer exists in a vacuum. Organizations

are recognizing that they must apply the same

principles of risk management to their information

resources as they do to their physical assets.

C O N C L U S I O N : T H E B U S I N E S S O F S E C U R I T Y

And the threats are onlyescalating as more transactionstake place over the networkand as a greater proportion of corporate assets reside incyber space. From emergingtechnology startups to established bricks-and-mortarenterprises, organizationsunderstand that increasingly,the network is the business.They recognize that theymust apply the same princi-ples of risk management to

their information resourcesthat they bring to their physical assets.

That starts with approach-ing security not as a technol-ogy concern but as a businessissue.“Organizations thatthink of security as a neces-sary evil aren’t effectivelymanaging risk,” says PeterCottrell of Cottrell &Maguire, an underwritingsyndicate at Lloyds ofLondon.“But organizations

he threats against your information assets continueunabated. Studies such as the annual ComputerSecurity Institute survey show that the vast majorityof organizations—90 percent in the past 12 months—

are experiencing attacks on their computer resources. Existingefforts to protect data and networks are barely keeping pace.

T


A C T I O N P L A N F O R S E C U R I T Y M A N A G E M E N T

3. Assess your security.You will need to balance your expen-ditures on security against the busi-ness value of the assets at risk, andagainst the consequences of failures.Assess your risks to determine thecontrols you need and the prioritiesfor implementing them.

5. Develop business continuity plans.Set a clear business plan to develop andto maintain appropriate recovery plans toprotect your critical business processesfrom major failures or disasters.* There should be a managed process in

place for business continuity planning across the organization.

6. Educate your staff.Devise a suitable security education program for your employ-ees, and make sure that all computer users are trained in thecorrect safe use of IT facilities. They will need to be told how torespond to security incidents.* Users should be given adequate security education and

technical training.* Security incidents should be reported through appropriate

channels as quickly as possible.

7. Check for compliance.Make sure your IT systemsand facilities are regularlyreviewed against organiza-tional security policy and standards.* Copyrighted material

(e.g. software) should not be copied without the owner’s consent.

* Systems should be regularly reviewed to ensure compliance with organizational security policy and standards.

The Action Plan for ImplementingInformation Security Management

1. Publish a policy.Set a clear direction and demonstrate your support by issuing an information security policy.* A written policy document should be available to all staff.

2. Establish your framework.Establish a management framework to implement security.Depending on the size of your organization, you may needforums to approve policy, assign roles and coordinate theimplementation of security. You may also need to establisha source of specialist advice within the organization.* Responsibilities for protecting assets and implementing

security measures should be explicitly defined.

Now that you’ve got your house in order, what about your business partners?

4. Implement security standards.When implementing a set of standards, consider theneeds of your employees for specific guidance. Eachgroup may have different requirements, problems andpriorities, depending on their role and their IT environ-ment. You may wish to build up a portfolio of individualguidelines.* Precautions should be taken to prevent the spread of

computer viruses.* Important organization records should be safeguarded

against loss, destruction and falsification.* Applications handling personal data (on individuals) should

comply with data protection legislation and principles.

Source: The British Department of Trade and Industry

Project Manager—Bill Laberis AssociatesBill Laberis was editor in chief of Computerworld for ten years (1986-1996).

He currently is president of Bill Laberis Associates (www.laberis.com),an IT content and consulting company in Holliston, MA.

Lead Writer—Eric SchoenigerEric Schoeniger is an award-winning writer and communications consultant,

based in Lower Gwynedd, Pa. Previously he was founding editor of ENT Magazineand editor in chief of Digital Age, Exec, and other publications.

Contact him at [email protected].

Design—Suzanne Peterman, TopDog DesignSuzanne Peterman has been president of TopDog Design

(www.topdogdesign.com) since 1987, and is based in Acton, MA.

An IDG Publication

securing the internet economy

Documents