Knowledge is Power:

"Greater is our terror of the unknown" - Titus Livius, Roman Historian

Information Technology (IT) - A "Double-Edged Sword"

Running an IT network and keeping it secure is tough and is only getting tougher. IT professionals face the daunting tasks of managing an array of complex information networks and systems that are "always on", 24x7, while they are struggling to deal with the so-called "double-edged sword" of network computing.

Open Networking and the Need for Information Security

No doubt, the creation of information networks, the Internet and the move from centralized, mainframe computing towards distributed computing has revolutionized the way business is conducted. In response to the demands from the business side, IT departments within these organizations have been developing broader networks to connect their intranets, extranets and the Internet with suppliers, customers, constituents and employees.

Significant investments and efforts have been made to make software applications and operating systems easier to use and more accessible. Greater use of these networks to transact business, distribute content, data, files and applications breeds more dependence on them. However, this fluid, dynamic environment with easier-to-use tools, more access points and greater "openness" has its consequences, because it makes the organization more susceptible to a variety of cyber attacks. Such attacks occur internally and externally and are more automated, sophisticated and severe than ever before. In fact, both the frequency and severity of information security attacks are on the rise. For one example of attack severity, consider the "I Love You Virus", which alone caused an estimated cumulative loss of US$8.75 billion in the form of property damage, lost revenues and lost productivity.

Another High Stakes Game

Meanwhile, new regulations in the healthcare (HIPAA) and financial services (GLBA) industries have placed an even greater burden on organizations to guard the sensitive database files they store from would-be perpetrators, hackers, crackers and thieves. A single "hole" in your network or systems infrastructure is all a hacker needs to gain unauthorized access to critical systems and data. When a successful attack is carried out against an organization and reported to the press, the impact on the organization's brand, reputation and trust can be devastating. As a result, the stakes are higher than ever before to protect sensitive database files, credit reports and similar sensitive records, and to respond quickly and properly to such an attack. At the national level, the US government recognizes that an attack on the Nation's networking infrastructure is no longer just another scenario to be considered but a real threat to national security. In response to the threat of cyber attacks on the US, President Bush is proposing a 64% increase in spending for computer and network security, from $2.7 billion in 2002 to $4.2 billion in 2003.

What is Information Security?

So, what is Information Security? Information Security (a.k.a. "InfoSec") can be defined as: measures adopted to reduce, eliminate and mitigate security risks, and to prevent the unauthorized use, misuse, modification, or denial of use of knowledge, facts, data or capabilities. Like a risk management program, information security is not a problem to be solved but an ongoing, 6-step process to be evaluated, improved and managed:

  • Assessment - assess the information security posture and establish a baseline.
  • Improvement - minimize threats and address/eliminate any vulnerabilities.
  • Policy - have a well-defined information security policy and procedures to respond to an attack.
  • Implementation - carry out the plan, ensuring that it is integrated with the broader disaster recovery, business continuity and risk management programs.
  • Training - ensure that the IT staff is properly trained to keep pace with changing technologies, threats and vulnerabilities.
  • Audit - assess the posture of the network on a regular basis, conduct an audit by an objective 3rd party and be vigilant about enforcing rules and procedures.

Information security requires persistence, vigilance and funding - all tough work! Executives, IT professionals and marketers alike recognize that information has value and thus have coined the phrase "information assets", which has become part of the business lexicon and a component of an organization's business valuation equation. In the aftermath of the horrible events of 9/11, security, and information security in particular, moved again to the forefront and have become persistent "Board Room Issues". This is particularly true with respect to those industries (Energy), companies (E*Trade) and functions (like database marketing) that are so highly dependent on technology. The constant, ongoing threats of cyber attacks and terrorism have increased the awareness of threats and vulnerabilities and have challenged the readiness of organizational response systems to such attacks at 3 levels: people, operations/facilities and information networks. The question over the longer term is whether complacency will set in again.

Improving Resilience from Cyber Attacks

As Titus Livius, a Roman historian, once wrote: "Greater is our terror of the unknown." A comprehensive security assessment process will help companies establish a baseline by understanding their vulnerabilities and rapidly correcting them to secure the network. Ongoing vulnerability assessment scans by knowledgeable, independent security specialists should be performed on a regular basis. Planning, policy formulation and vigilant enforcement must be part of an overall risk mitigation program. Training and a communication program are crucial, and end users must clearly understand their roles and responsibilities in securing a company's information assets. Cooperation internally between departments and externally with suppliers and clients is of utmost importance. In the end, it is about ensuring both maximum benefit and minimal damage from deploying "the full swing of the IT sword".

If you have any suggestions, comments or questions, please contact The Competitive Intelligence Center.

This website © copyright 2001-2003 by The Competitive Intelligence Center