Internet security in an insecure world

Global Finance, Dec 2001 by Rombel, Adam

It would be tough to find a corporate boardroom anywhere these days where security isn't being discussed and strategies developed to combat threats.

The September 11 terror attacks on the United States obviously heightened global companies' preparations for physical security-ID cards, locks, gates, guards, and guns. But the attacks, along with highprofile cyber break-ins of the past year, also have focused attention like a laser beam on the issue of Internet security. Increasingly, business and government leaders are coming to the conclusion that cybersecurity is a necessity, not just a contingency.

"This is no longer a worry that companies can afford to ignore. I think they're spending more money to address it, and it's long overdue," says Joe Duffy, security practice leader at PricewaterhouseCoopers.

Financial institutions and businesses that don't develop proper safeguards for online security risk public embarrassment, stiff regulatory penalties, and a whole lot more.They could also lose trade secrets, brand name integrity, market share, and millions of dollars in sales.

Cybercrime has been on the rise for several years. A joint Computer Security Institute and Federal Bureau of Investigation survey of security officials at large companies and government agencies released earlier this year found that 64% reported unauthorized use of their computer systems in the past 12 months, up from 42% in 1996

In the past year or so such well-known companies as AT&T, Charles Schwab, and Amazon.com suffered incidents where customer information was hacked into or made vulnerable on the Web. There have also been a number of high-profile computer worms or viruses, such as Code Red, Nimda, Code Red II, and "I LoveYou,"making the rounds of the Internet and costing companies a great deal of money for lost worker productivity and system maintenance and patching.

"Every virus or worm that takes the Net by storm, heightens interest in security solutions," says Bassam Khulusi, chief executive and co-founder of Eruces, a Lenexa, Kansas-based maker of security software that encrypts data.

As financial institutions and other global companies pursue e-business initiatives, they open their networks and operations to outsiders more than ever before.

"The more you try to open your network and provide more services, the more vulnerabilities you will have and the more attacks you will sustain," says Khulusi.

The CSI/FBI survey found that the Internet was the point of attack in 70% of hacking incidents, up from 38% since 1996. Despite conventional wisdom that insiders cause the bulk of computer security problems, the number of attacks perpetrated over the Internet is now double that from internal sources.

"That puts a premium on how I control access to who's on the other end," says John Pescatore, vice president and research director of network security at Stamford, Connecticut-based research firm Gartner.

To control that access and combat other virtual security threats, companies are opening their wallets.

SPENDING RISING

In interviews with scores of Internet security services and product providers, every single company reported increased inquiries and orders since September 11. Those in charge of security at financial companies also said that they would be spending more to protect their systems next year.

Firms are expected to hire more security experts, buy more hardware and software, sign up more consultants, and better coordinate physical and virtual security.

Security is one of the few technology areas expected to experience spending growth in the next year, according to Forrester Research.

Some expect the rise in spending on security to be long-lasting. In a report earlier this year, Gartner predicted that the amount US companies spend on information security would increase from the current 0.4% of revenue to 4% of revenue by 2011. IDC, a Framingham, Massachusetts-based IT research and consulting firm, sees the global market for information security technology and services tripling in size, to $21 billion, by the end of 2005. Security spending in the US market is forecast to grow from $3.4 billion last year to $9.9 billion in 2005.The consuiting portion of that will increase from $878 million in 2000 to $2.2 billion in 2005, IDC says.

The primary security threats to businesses include system break-ins or unauthorized access, viruses and worms, denial-of-service attacks, defacement of Web sites, intercepted transactions and e-mail, and data sabotage. When successful, these kinds of attacks have resulted in a lot of negative publicity and lost money for the firms affected. The CSI/FBI survey found that 78% of respondents admitted suffering financial losses from computer crime this year. Reported losses for theft of proprietary information and financial fraud averaged $4.4 million each.

The Code Red worm, which digs into Web servers

and replaces Web site content with the message "hacked by Chinese!!!," cost US organizations an estimated total of $1.2 billion, according to Carlsbad, California-based technology research firm Computer Economics.