ASK SECURITY professionals how to protect your computer systems from attack, and you will get a variety of answers that will keep your enterprise safe and your business running. But most of those answers also implicitly ask, "How much is at stake if a breach of security occurs?"
To answer that, you need to determine how destructive each security violation could be and decide how much money is a reasonable investment to prevent an attack on Web servers, business applications, databases, or even desktops. For instance, a DoS (denial of service) attack on an online store can be very damaging; as long as the offender floods your Web server with packets, customers and partners won't be able to place orders, file support requests, or even browse your catalogue. So, to assess the risk, you need to estimate the financial loss from missed orders as well as the cost of the additional workload on internal support and customer service, and weigh both against how often such an attack is likely to occur.
It may be impossible to stop every threat to your systems, but making a thorough assessment of vulnerabilities and estimating possible damage, both in terms of dollar amounts and harm to your company's image, will allow you to choose the most appropriate, cost-effective security measures. Failing to complete a risk assessment can result in spending more than common sense and prudent business practices would suggest, perhaps activating shields that will never be challenged or, worse, failing to protect a likely, expensive target.
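The arithmetic behind "cost-effective" is easy to get wrong when several threats and several candidate controls are on the table. The following Python model is an added illustration, not part of the article or the InfoWorld survey: it scores each threat as an annualized loss expectancy (single-incident cost times expected incidents per year) and ranks controls by the loss they avoid minus what they cost. Every asset value, frequency and control price below is constructed for the example.

```python
"""Cost-benefit model for choosing security controls.

Added illustration; the figures are constructed, not taken from the article
or the InfoWorld survey. Annualized loss expectancy (ALE) = single loss
expectancy (SLE) * annualized rate of occurrence (ARO).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    sle: float  # cost of one incident in dollars (lost orders, support workload, ...)
    aro: float  # expected incidents per year

    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    reduction: dict  # threat name -> fraction of that threat's ARO removed (0..1)


def baseline_ale(threats: list) -> float:
    """Expected yearly loss with no new controls in place."""
    return sum(t.ale() for t in threats)


def residual_ale(threats: list, control: Control) -> float:
    """Expected yearly loss once the control has cut the ARO it affects."""
    return sum(t.ale() * (1.0 - control.reduction.get(t.name, 0.0)) for t in threats)


def net_benefit(threats: list, control: Control) -> float:
    """Loss avoided per year minus what the control costs per year."""
    return baseline_ale(threats) - residual_ale(threats, control) - control.annual_cost


def rank_controls(threats: list, controls: list) -> list:
    """Controls ordered by net benefit; a negative value is not worth buying."""
    return sorted(controls, key=lambda c: net_benefit(threats, c), reverse=True)


# Constructed scenario in the spirit of the article's examples (hypothetical numbers).
THREATS = [
    # DoS on the online store: missed orders plus extra support load, twice a year.
    Threat("dos_web_store", sle=50_000.0, aro=2.0),
    # Disclosure of the customer database: rare, but expensive when it happens.
    Threat("customer_db_disclosure", sle=400_000.0, aro=0.1),
    # Desktop virus outbreak: cheap individually, but frequent.
    Threat("desktop_virus_outbreak", sle=20_000.0, aro=3.0),
]

CONTROLS = [
    Control("upstream_dos_filtering", 30_000.0, {"dos_web_store": 0.8}),
    Control("central_antivirus", 15_000.0, {"desktop_virus_outbreak": 0.9}),
    Control("db_access_controls", 25_000.0, {"customer_db_disclosure": 0.75}),
    # A shield that will rarely be challenged: it costs more than the risk it removes.
    Control("hsm_backed_db_encryption", 100_000.0, {"customer_db_disclosure": 0.9}),
]


def summary(threats=THREATS, controls=CONTROLS) -> list:
    """(control name, rounded net benefit per year), best first."""
    return [(c.name, round(net_benefit(threats, c))) for c in rank_controls(threats, controls)]


if __name__ == "__main__":
    print(f"baseline ALE: ${baseline_ale(THREATS):,.0f}")
    for name, benefit in summary():
        print(f"{name:28s} net benefit/yr: ${benefit:>9,.0f}")
```

With these constructed numbers the baseline expected loss is $200,000 a year; the DoS filtering and the central antivirus pay for themselves several times over, the database access controls barely break even, and the HSM-backed encryption ranks last with a negative net benefit, even though it addresses the most frightening single incident. The ranking changes as soon as the ARO estimates change, which is why the survey-style figures for how often breaches actually occur matter as much as the damage per incident.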
Poor security costs a bundle. In the 2002 InfoWorld IT Security Survey, 52 per cent of respondents reported that security breaches have cost them less than $100,000. The rest were not so fortunate: 9 per cent of respondents' losses ranged from $100,000 to $1 million. A few very unlucky souls (less than 2 per cent) lost $1 million to $20 million or more. Even more alarming is that 35 per cent of respondents did not know or would not disclose the extent of the damage wreaked at their companies.
A business risk assessment starts with an inventory of the assets that need protection from corruption or disclosure: intellectual property, the applications and systems that support critical business operations, and confidential customer or partner information held in databases. These are worrisome areas: 62 per cent of survey respondents expressed concern about the theft of confidential information.
The second, and most complex, step is identifying vulnerabilities and quantifying the possible damage that a security breach could cause. For instance, do you have policies to restrict users to only the information needed for their work? Are those policies enforced? Is your LAN protected by firewalls? How do you manage user passwords? Do you have a centralised virus-detection system? Do you install new security patches on your PCs and servers?
Some of the more dangerous risks to your business are hidden inside the building, even lodged among your IT staff. Are your employees familiar enough with security best practices or do they need additional security training? Educating your IT staff in security can be one of the better investments you make, particularly if you separate computer operations from security duties. Twenty-one per cent of survey respondents agreed, calling skilled staff a major requirement for creating a secure environment.
Master passwords, which give an administrator unrestricted access to a system, are another remarkably overlooked insider risk. Some CTOs may find this practice acceptable, but others prefer a bank-vault approach, in which at least two separate passwords, held by different people, are required to gain access to a system's critical resources, so that no single administrator can act alone. Identifying who has access to what and how master passwords are handled should be a key component of your risk assessment. This can pinpoint possible sources of data disclosure or theft from inside; after all, 21 per cent of respondents reported security breaches at the hands of current or former employees.
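One way to implement the bank-vault rule in software is to never store the master credential at all: split it into shares, give one share to each custodian, and keep only a verifier that confirms a correct reconstruction. The Python below is an added example, not code from the article; the XOR split, the 32-byte key length and the HMAC verifier are this example's own choices. It is an all-or-nothing split, so every custodian must be present; a "two of three" arrangement would need a threshold scheme such as Shamir's, which is not shown here.

```python
"""Dual-control ('bank vault') handling of a master credential.

Added illustration, not the article's. The master key is split into XOR
shares, one per custodian, so that every share is needed to rebuild it; the
vault stores only an HMAC verifier, never the key itself.
"""
import hashlib
import hmac
import secrets

KEY_LEN = 32                          # assumed master key size in bytes
VERIFIER_TAG = b"master-key-check"    # constant message the verifier is computed over


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must all be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(master: bytes, custodians: int) -> list:
    """n-of-n split: n-1 uniformly random shares plus one that XORs to the master.

    Each share on its own is indistinguishable from random bytes, so a single
    custodian (or a single stolen share) learns nothing about the master key.
    """
    if custodians < 2:
        raise ValueError("dual control needs at least two custodians")
    shares = [secrets.token_bytes(len(master)) for _ in range(custodians - 1)]
    last = master
    for s in shares:
        last = _xor(last, s)
    shares.append(last)
    return shares


def combine_shares(shares: list) -> bytes:
    """XOR all presented shares together; correct only if every share is present."""
    out = bytes(len(shares[0]))
    for s in shares:
        out = _xor(out, s)
    return out


def make_verifier(master: bytes) -> bytes:
    """What the vault stores instead of the key: HMAC over a fixed tag."""
    return hmac.new(master, VERIFIER_TAG, hashlib.sha256).digest()


def enrol(custodians: int = 2) -> tuple:
    """Generate a fresh master key, hand out shares, keep only the verifier."""
    master = secrets.token_bytes(KEY_LEN)
    return split_secret(master, custodians), make_verifier(master)


def unlock(presented: list, verifier: bytes):
    """Return the master key if the presented shares rebuild it, else None."""
    candidate = combine_shares(presented)
    if hmac.compare_digest(make_verifier(candidate), verifier):
        return candidate
    return None


if __name__ == "__main__":
    shares, verifier = enrol(custodians=2)
    print("both custodians present:", unlock(shares, verifier) is not None)
    print("one custodian alone:    ", unlock(shares[:1], verifier) is not None)
```

The verifier lets the vault recognise a correct reconstruction without ever holding the key, and `hmac.compare_digest` keeps the check constant-time. In practice the reconstructed key would be used once, to unwrap the real administrative credential, and then discarded from memory.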
The number and variety of possible attacks and the intrinsic fragility of computer systems can be overwhelming. Each computer with Internet access exposes tens of thousands of TCP and UDP ports, and any service listening on one of them is a path through which offenders can reach your systems with malicious traffic. Some of those holes can be closed with firewalls; others must be left open for legitimate applications, such as e-mail, Web browsing, and remote connections. Those open ports are an obvious entryway to your systems, and the damage intruders could cause through them should also be considered in your risk assessment. That is why 55 per cent of survey respondents plan to or have already implemented VPN tunnels, which move remote connections off the open Internet and reduce the risk taken when these doors are left open.
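Finding out which doors are actually open is a mechanical check worth automating. The Python below is an added example, not from the article: it parses listener lines in the layout of `ss -tlnH` output (state, queues, local address:port, peer address:port), treats anything bound to a wildcard or a routable address as reachable from outside, and reports every such port that is not on an assumed allow-list of Internet-facing services. The sample lines and the allow-list are constructed for the example; on a real host you would feed it the live command output and your own policy.

```python
"""Audit of listening sockets against an allow-list of Internet-facing services.

Added illustration, not from the article. The sample lines imitate the
layout of `ss -tlnH` output and are constructed for the example; the
allow-list is an assumed policy for a hypothetical host.
"""

# Ports this (hypothetical) host is permitted to expose to the Internet.
# SSH is deliberately absent: the policy routes remote administration over the VPN.
ALLOWED_EXTERNAL = {25: "smtp", 80: "http", 443: "https", 1194: "openvpn"}

WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*", "::"}

# Constructed sample: State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 [::]:25 [::]:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 203.0.113.10:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5900 0.0.0.0:*
LISTEN 0 128 [::]:8080 [::]:*
LISTEN 0 128 0.0.0.0:1194 0.0.0.0:*
"""


def parse_listeners(text: str) -> list:
    """Return (address, port) for every LISTEN line; other lines are ignored."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # rsplit keeps IPv6 '[::]' intact
        out.append((addr, int(port)))
    return out


def is_internal(addr: str) -> bool:
    """Loopback bindings are reachable only from the host itself."""
    bare = addr.strip("[]")
    return bare.startswith("127.") or bare == "::1"


def exposed_listeners(listeners: list, allowed: dict = ALLOWED_EXTERNAL) -> list:
    """Externally reachable ports not on the allow-list: each needs a firewall
    rule, a bind to loopback, or a move behind the VPN."""
    return [
        (addr, port)
        for addr, port in listeners
        if not is_internal(addr) and port not in allowed
    ]


def audit(text: str = SAMPLE_SS_OUTPUT) -> list:
    return sorted(exposed_listeners(parse_listeners(text)))


if __name__ == "__main__":
    for addr, port in audit():
        print(f"exposed and not allowed: {addr}:{port}")
```

On the constructed sample the audit flags SSH on 22 (should be reachable only through the VPN), the copy of the database server bound to a routable address on 3306 (the loopback-only copy is fine), the VNC listener on 5900, and the test Web server on 8080, while leaving the allowed mail, Web and VPN ports alone. Each finding is a candidate for the damage estimate in the risk assessment: what could an intruder do through that door, and what does it cost to close it?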
Depending on the size and complexity of your enterprise infrastructure, your company could spend thousands to millions of dollars on security measures. Consider it a security tax, the price that every company must pay to ensure business continuity. Conducting a proper, thorough assessment of the security risks helps ensure that all those dollars will be spent where they can be most effective -- protecting not only your company's enterprise but its reputation.
EXECUTIVE SUMMARY Determining the risk a security breach poses to your company is a prerequisite to creating a secure computing environment. A risk assessment helps IT managers identify critical vulnerabilities and deploy proper protections for business applications.
TEST CENTER PERSPECTIVE Security managers should systematically reassess their company's business risk to adjust to emerging threats and changes to applications and systems infrastructure, quantifying the damage possible from weaknesses in applications, network systems, and IT structure.