Online Security, a global provider of computer forensics and information technology risk mitigation since 1997
Business Risk from Cyber - Criminals
Eight Things You Need to Do NOW...
"We live in a risk-oriented world. Those who succeed are the ones who learn to manage risk, not those who avoid it." - Meryl Rukeyser
Posted: Sep 04 2002, by Stan Stahl, Ph.D.
The prudent business manager has long been used to mitigating business risk, whether from the whims of the gods or the nefarious schemes of those who live outside the law. With the ubiquitous appearance of the Internet, the challenge of risk management has undergone its most profound change in 100 years.
In the last 10 years, businesses have become connected through the Internet, which provides a communication path between any two computers anywhere in the world. This path exists regardless of the extent to which the business makes use of it.
While this connectivity has dramatically increased business efficiency, it has also dramatically changed the nature of business risk. It’s always been easy for the ‘bad guys’ to break into information systems, provided they had physical access to the computers. Now these outlaws can break in from anywhere in the world—Alabama, Australia, or even Afghanistan. All that’s needed is an Internet connection. Unless the business takes proper security precautions, cyber-crime - financial fraud, theft of proprietary information, destruction of information, etc. - can occur anytime from anywhere.
According to the 2001 Computer Crime and Security Survey, a survey of large and small companies conducted by the Computer Security Institute with the FBI, the problem is extremely serious. The average business spends very little on protecting its information assets, and, among those few that do, the average known loss is more than $50,000 per $10 million in annual revenue. No one knows how much less-protected businesses lose to cyber-crime; a conservative estimate might be 2 to 3 times the losses of the better-protected companies.
Every business is at risk. The risk is greatest among middle market companies. Cyber-criminals love smaller, middle market companies with lots of information assets and not a lot of security. Lacking the security resources of larger companies, they are easy to break into and detection is unlikely. The FBI estimates that 50% of these companies will be penetrated by 2003.
The problem is getting worse, not better. New system vulnerabilities are continually being discovered and disseminated throughout the outlaw community. Automated penetration tools are making it even easier for outlaws to do their work. Technology providers directly contribute to the problem, both by sloppy software development procedures and by their general lack of adequate concern for security issues. Unprotected wireless networks only exacerbate the problem.
The problem is so serious that the insurance industry has begun excluding online assets from standard commercial insurance policies. This means that standard commercial policies will no longer cover the theft or destruction of data and information stored on computers. If one wants coverage for these information assets, one must purchase more costly supplemental policies. I suspect that in the near future, a business wanting to buy a cyber-loss policy may have to demonstrate it is taking sound information security precautions, just as it now must demonstrate that it meets fire codes.
With the above in mind, the following eight strategic imperatives can help the prudent manager implement “sound information security precautions.”
1. Protecting critical information assets requires senior management’s direct involvement. Senior management has the fiduciary responsibility to safeguard the assets of the company, including the company’s information assets. Furthermore, if senior management doesn’t take information security seriously, neither will the troops in the trenches.
2. Protecting critical information assets requires the involvement of all personnel. The surest way to break into a computer is to phone an employee and ask for his password. Most viruses spread because poorly trained employees indiscriminately open email attachments. And most computer crimes are still the result of malfeasance by a company’s own employees.
3. Protecting critical information assets can’t be delegated solely to computer personnel. Computer personnel have neither the ‘political clout’ nor the authority to manage the challenge. Their span of control is limited to securing the technology infrastructure, not to securing the critical information assets it contains.
4. Protecting critical information assets requires a total solution. Solutions need to be linked to the overall business strategy, implemented throughout a company’s operations, and supported by technology. Solutions will be ineffective if implemented in a piecemeal manner. A chain is only as strong as its weakest link.
5. Prevention alone is inadequate. No matter how thorough one’s security countermeasures are, management must prepare for the eventuality that critical information assets will be lost or compromised. Businesses must be able to detect when critical information assets have been lost or compromised. Businesses’ continuity plans need to include the ability to recover from the loss or compromise of critical information assets. Businesses must proactively ensure compliance with privacy regulations, canons of conduct, laws, and internal policies.
6. A senior-level manager must be responsible for the security of critical information assets. If no one is responsible for security, then security won’t be effectively managed. The information security manager needs to have sufficient ‘clout’ to manage the challenge, have the authority and budget to do the job, be knowledgeable about the challenges of securing information assets, and accept accountability for effectively managing the challenge.
7. Consider an annual independent security check-up. Cyber-outlaws succeed by ‘thinking outside the box.’ They are adept at discovering totally unexpected vulnerabilities, the cyber-equivalent of using an airplane as a missile. Most people use tools for the purposes they were designed for, and are not used to thinking about how they might be misused to cause damage. The result is often an unrealistic perception of their own security. As Will Rogers said: It’s not what people don’t know that hurts them. It’s what they do know that just ain’t so. An external security review can bring reality to this situation.
8. The time to act is now. When disaster strikes, it’s often too late to do anything about it; just ask the businesses caught unprepared by 9-11.
Citadel Information Group protects the critical information assets of middle market businesses, mid-sized government agencies, and the non-profit community. Contact us at info@citadel-information.com to schedule a free information security briefing.