Quashing Cyber Mayhem - security issues - Brief Article - Statistical Data Included

Chief Executive, The, April, 2001 by Bob Woods

Once upon a time there were three little pigs ... and, well, you know the rest. The first pig built a house of straw, the second a house of sticks and the third a house of bricks. As you incorporate the Internet and other communication technologies into your business operations, you are living, at best, in a house of sticks, maybe even straw.

There are wolves out there, and they're in your neighborhood. You may believe you live in a strong house. You don't. However, CEOs can address security problems and protect themselves -- and protect e-commerce.

There are three important considerations regarding e- security. First, inadequate e-security leaves us vulnerable to financial loss. Second, theft of our intellectual capital can lead to a loss of competitive advantage. Third, our business reputation and brand name can be damaged.

A recent survey revealed that of the 650 companies and government organizations polled, 90 percent detected security breaches within the last year. Data Monitor, a market analysis firm, estimates the cost of Internet security breaches -- theft of proprietary information, financial fraud, system compromise from unauthorized users, denial-of-service attacks and sabotage -- at more than $15 billion a year.

In a case exemplifying the loss of intellectual capital and competitive advantage, a well-known chip maker prosecuted a former employee for stealing information about its next-generation chip that had been in development for six years. Copyright violations of fully developed software and other intellectual capital are difficult enough to enforce, yet products under development must be protected, too.

Losses can be factored into the cost of doing business, but what about the loss of integrity, the damage to a company's brand and its reputation? Indeed, any of these can lead to a complete loss of the business. That's why information security and integrity are increasingly on the agenda of CEOs.

As Internet use and data increase, so does the number of intrusion tools, viruses and tools of denial and destruction. And as the sophistication of such tools increases, that of the user can decrease. All he needs to do is point and click.

Virtually all computers today are networked, either internally or with external organizations. And then consider the dawning mobile, wireless era ahead of us. The potential for serious damage is real and getting greater.

As we look to deal with this problem, let me debunk several myths about information security. First is the notion that security is a one-time fix. Wrong. Installing a firewall is like leaving your wallet on the front seat of your car, closing the door and locking it. You need to roll up the windows, lock the back doors, activate the alarm system and constantly monitor the situation.

A second myth is that security is an Internet issue dealing with external threats. Wrong twice. Half of all attacks are by disgruntled employees, ex-employees or human error from well-intentioned employees. And it's not just the Internet, as access to data is gained through many channels.

A third myth is that it's a government problem. Wrong again. It is your network. You cannot assume it will be protected for you.

Beyond recognizing security problems, CEOs must commit to address them by establishing company-wide policies and practices. If you feel you can't handle it all in-house, consider outsourcing the security of your network with a vendor that has the capabilities and reputation for integrity.

There is a fourth consequence of inadequate e-security: trust and public confidence. The public generally trusts that financial records, medical records and e-commerce transactions are secure and confidential, but can react to violations by pressuring elected officials to push for well meaning, if conflicting legislation that could make the Internet more difficult for businesses to use.

It's not enough to worry only about your company's e-security. We have to protect against our systems being used against those of other companies, organizations or even governments. Thus, there are roles and responsibilities for both governments and businesses.

Finally, we need to establish e-commerce "rules of the road" regarding privacy. Antitrust laws should not prohibit the sharing of cyber-security information.

The security issue is here to stay, so CEOs must maintain the availability, confidentiality and integrity of their networks and data. To do less is gambling that some one else's company will be victimized. Russian roulette is bad business strategy. So is living in straw houses.

Veridian is a knowledge applications company providing integrated solutions to customers in national defense, critical infrastructure and essential business systems. Veritect, a separate Veridian company, provides information and security expertise to the commercial market.