"Greater is our terror of the unknown" - Titus Livius, Roman historian
Information Technology (IT) - A "Double-Edged Sword"
Running an IT network and keeping it secure is tough, and it is only getting tougher. IT professionals face the daunting task of managing an array of complex information networks and systems that must be "always on", 24x7, while struggling to deal with the so-called "double-edged sword" of network computing: the same openness that makes the network useful also makes it exposed.
Open Networking and the Need for Information Security
No doubt, the creation of information networks, the Internet and the move from centralized, mainframe computing towards distributed computing have revolutionized the way business is conducted. In response to demands from the business side, IT departments have been building broader networks that connect their intranets, extranets and the Internet with suppliers, customers, constituents and employees.
Significant investments and efforts have been made to make software applications and operating systems easier to use and more accessible. Greater use of these networks to transact business and to distribute content, data, files and applications breeds more dependence on them. However, this fluid, dynamic environment, with easier-to-use tools, more access points and greater "openness", has its consequences: every additional access point is another way in, and the organization becomes more susceptible to a variety of cyber attacks. Such attacks originate both internally and externally and are more automated, sophisticated and severe than ever before. In fact, both the frequency and severity of information security attacks are on the rise. For one example of attack severity, consider the "I Love You Virus", which alone caused an estimated cumulative loss of US$8.75 billion in the form of property damage, lost revenues and lost productivity.
Another High Stakes Game
Meanwhile, new regulations in the healthcare (HIPAA) and financial services (GLBA) industries have placed an even greater burden on organizations to protect their closely guarded database files from would-be perpetrators, hackers, crackers and thieves. A single "hole" in your network or systems infrastructure is all a hacker needs to gain unauthorized access to critical systems and data. When a successful attack is carried out against an organization and reported in the press, the impact on the organization's brand, reputation and trust can be devastating. As a result, the stakes are higher than ever before, both to protect sensitive database files, credit reports and similar records and to respond quickly and properly when an attack does occur. At the national level, the US government recognizes that an attack on the Nation's networking infrastructure is no longer just another scenario to be considered but a real threat to national security. In response to the threat of cyber attacks on the US, President Bush is proposing a 64% increase in spending for computer and network security, from $2.7 billion in 2002 to $4.2 billion in 2003.
What is Information Security?
So, what is Information Security? Information Security (a.k.a. "InfoSec") can be defined as the measures adopted to reduce, eliminate and mitigate security risks and to prevent the unauthorized use, misuse, modification or denial of use of knowledge, facts, data or capabilities. Like a risk management program, information security is not a problem to be solved once but an ongoing, six-step process to be evaluated, improved and managed:
- Assessment - assess the information security posture and establish a baseline.
- Improvement - minimize threats and address or eliminate any vulnerabilities found.
- Policy - have a well-defined information security policy, with procedures for responding to an attack.
- Implementation - carry out the plan, ensuring that it is integrated with the broader disaster recovery, business continuity and risk management programs.
- Training - ensure that IT staff are properly trained to keep pace with changing technologies, threats and vulnerabilities.
- Audit - assess the posture of the network on a regular basis, have an objective third party conduct an audit, and be vigilant about enforcing rules and procedures.
Information security requires persistence, vigilance and funding - all tough work! Executives, IT professionals and marketers alike recognize that information has value, and so the phrase "information assets" has become part of the business lexicon and a component of an organization's business valuation equation. In the aftermath of the horrible events of 9/11, security, and information security in particular, moved again to the forefront and became persistent "Board Room Issues". This is particularly true for those industries (energy), companies (E*Trade) and functions (such as database marketing) that are highly dependent on technology. The constant, ongoing threats of cyber attacks and terrorism have increased awareness of threats and vulnerabilities and have challenged the readiness of organizational response systems at three levels: people, operations/facilities and information networks. The question over the longer term is whether complacency will set in again.
Improving Resilience from Cyber Attacks
As Titus Livius, a Roman historian, once wrote: "Greater is our terror of the unknown." A comprehensive security assessment process helps companies establish a baseline by understanding their vulnerabilities, and then correct them rapidly to secure the network. Ongoing vulnerability assessment scans by knowledgeable, independent security specialists should be performed on a regular basis. Planning, policy formulation and vigilant enforcement must be part of an overall risk mitigation program. Training and a communication program are crucial, and end users must clearly understand their roles and responsibilities in securing a company's information assets. Cooperation internally between departments and externally with suppliers and clients is of utmost importance. In the end, it is about ensuring both maximum benefit and minimal damage from deploying "the full swing of the IT sword".
If you have any suggestions, comments or questions, please contact The Competitive Intelligence Center.