You can't ignore them or avoid them, so you might as well face the security to your company's crown jewelsReaders ROI Understand the nature of security risks to your organisation Realise the level of security appropriate for your digital assets Develop an awareness of security issues facing your companyWhen it comes to digital information security, CIOs seem to heed the advice of the World War II propaganda posters that read: "Loose Lips Sink Ships". Although security is on every CIO's mind these days, it's certainly not on their lips. We contacted more than two dozen CIOs to speak with them about security. While many declined our requests for an interview, several spoke with us only on the condition of anonymity. As the CIO of a financial services company explains, "Neither I nor any of my peers would want to go on record as saying we're concerned about it and know we have flaws.""Nor would we want to say we're not concerned about security, that we have everything in place and we are bullet-proof. Either way, it would immediately set us up as a target and a challenge for hackers or attacks."
Security is the one critical IT issue the corporate world isn't talking about for fear that anything that is said could be construed as an invitation to attack. Experts say this conspiracy of silence only aids those responsible for digital security breaches.
What's the best course of action?
Acknowledge the problem, pay attention to security threats (both known and unknown), and if your company experiences a security breach, don't treat it like a dirty little secret. Talking about it internally and sharing information externally with other IT executives and law enforcement authorities will help everyone better understand security threats and improve prevention efforts.
The fear of attack is real and valid. Every day there are new reports of security breaches. The list of companies that publicly suffered attacks last year is a literal A to Z of networked Who's Who organisations - Amazon.com, America Online, AT&T, BellSouth, Bloomberg, the CIA, De Beers, E-Trade Securities, the FBI, Lucent Technologies, Microsoft, Qualcomm, The Republican National Committee, Slashdot, Sony Corporation of America, the University of Washington Medical Centre, Verizon, Western Union and Yahoo.
These are just some of the publicly acknowledged attacks, say computer security professionals. In a recent survey by the Computer Security Institute, 90 per cent of information security managers have detected breaches at their organisations. Despite this alarm, upper management - fearing bad publicity, shareholder wrath and consumer mistrust - has erected a firewall of silence around the double-headed beast of security and privacy. "Nobody wants to admit they've had some level of intrusion or break-in, but I can't imagine that there's anybody out there who hasn't had an unauthorised access or attempt," says the executive vice president of IT at a financial services corporation. Only a handful of the US companies that have had breached security or compromised data ever report it to law enforcement officials, say the FBI and security consultants.
That is one possible explanation why only 26 per cent of CIOs and IT executives said their company had ever been hacked, according to a survey at the US CIO-100 conference last August. Sixty-two per cent said their company has never been victimised by external computer crime, and 11 per cent were unsure. Unsure is the key word. "These people are being hacked; they just don't know it," says the CIO of a research and engineering company.
Open and Shut Case
As corporate networks keep expanding, CIOs face a catch-22 situation. Opening their infrastructures to customers, suppliers, business partners and employees is a must. Yet doing so makes their companies more vulnerable to security breaches or attack. "On the one hand, we're getting pulled to make it easier and easier [for everyone] to access key data from anywhere in the world," says the CIO of a Fortune 1000 manufacturing company. "On the other hand, we're worried about security. We're building a paradox here. How do you do all that?"
CIOs' jobs have been made even more difficult as most corporations trampled past security issues in the mad rush to mine e-commerce gold. In the CIO-100 survey, a mere 9 per cent of the respondents reported security as the number-one technology-related issue on which their company was currently focused. More than half of businesses worldwide spend 5 per cent or less of their IT budget securing their networks, according to a recent study by Datamonitor. More than 30 per cent have yet to even implement adequate security.
Most of the CIOs we spoke to believe the security breaches they've experienced thus far - "fortunately", they say with relief - are nuisances rather than dire threats to their companies. However, even mere security nuisances can do real damage to the bottom line.
Take the "I Love You" virus. This and similar viruses brought down systems worldwide and caused $US6.7 billion in damages in the first five days, according to Computer Economics. Denial-of-service attacks that temporarily took down high-profile Web sites like Amazon.com, eBay and Yahoo in February 2000 cost $US1.2 billion, according to The Yankee Group. More than 74 per cent of companies have experienced financial losses because of cybercrime, according to the Computer Security Institute report. The price tag on e-security breaches alone? More than $US17 billion worth of damage worldwide in 2000.
Software giant Microsoft was reportedly hacked for months before it discovered the breach. The costs to a company's credibility and losses in consumer confidence are difficult to calculate but can be enormous.
What's worse, experts and government officials warn that these incidents are "canary in a coal mine" signs that portend a huge security disaster. At the Microsoft "SafeNet 2000: Policy and Practice in the Internet Age" summit in Redmond, experts tossed around talk of "the big one" - a digital Pearl Harbour, a World Trade Centre e-mail bomb or an Exxon Valdez data spill. The CIO of a Fortune 500 manufacturing company believes these apocalyptic predictions may come to pass. "I hate to say it, but I think they're right," he says. "Somebody's going to break in somewhere and do something dramatic, and then people will wake up."
Security Through Obscurity
Many CIOs espouse a similar, it-always-happens-to-the-other-guy kind of thinking when it comes to security disasters. "We're off the radar screen," says the Fortune 500 manufacturing company CIO. "Who cares what we do - except maybe for a competitor or someone who has a grudge against us?"
In today's networked economy, security experts warn, CIOs can no longer afford to think that way. "The concept of 'security through obscurity', that 'There are so many companies out there, why would I be a target?' was once almost plausible," says John Tritak, director of the US government's Critical Infrastructure Assurance Office in Washington, DC. "If your company depends on a brand, any customer interaction, back-office business functions or networking dependencies, a minimal level of security is a must in today's economy."
Security experts urge CIOs to tear down the firewall of silence that surrounds security. Companies worldwide need to go public about their security secrets, experts say, and share information to learn from others' mistakes and create consistent protocols.
"We need to publicise attacks," writes Bruce Schneier in Secrets & Lies: Digital Security in a Networked World (Wiley, John & Sons, 2000). "We need to publicly understand why systems fail. We need to share information about security breaches: causes, vulnerabilities, effects, methodologies. Secrecy only aids the attackers."
Whatever you do, don't ignore the issue, says the CIO of a Fortune 500 financial services company who has survived at least one nasty security incident. He says: "It's here, and if you ignore it, you'll get burned."