Be secure in your knowledge


Like there isn’t enough bad news to go around already – U.S.-based Internet Security Systems Inc. recently released a report in which it reached some disturbing conclusions.

ISS found that the number of computer security incidents and attacks detected at businesses worldwide soared by 84 per cent between the fourth quarter of 2002 and the first quarter of this year. The rise in attacks was fuelled in part by a surge in the number of mass-mailing worms.

The numbers are ominous: between January and March of last year, 101 such worms were detected. This year, over the same period, that number rose to 752.

If that makes you nervous, consider that of all the events reported by businesses in the same quarter, three-quarters were deemed simply as “suspicious activities,” a catch-all term used by ISS to describe a number of hard-to-define threats, including network scanning.

“Do we have a lot more hackers? That’s a real hard thing to quantify,” said Peter Allor, manager of ISS’ X-Force threat analysis services division. “There are 3 million doing some kind of malicious behaviour. That’s our estimate.” Granted, many of them are unsophisticated hobbyists, but they’re still trying.

Perhaps most interesting is ISS’ attempt to figure out who and how often malicious hackers attack. Allor said the frequency of an attack on a particular industry reflects several factors, including how many dollars are set aside by the industry, or how much luck hackers have had in that space in the past.

We write a lot about security in the pages of ComputerWorld Canada. I’m always struck by how consistent the message is from the security experts, and how simple they make defending organizations seem. I suppose that’s no different from when we used to devote a lot of ink to IT project management best practices (or lack thereof), and to the hazards of monolithic ERP implementations in the mid to late nineties. Over time, and with lots of practice, the latter two issues have faded somewhat. Industry knowledge has built up, and lessons have been learned. True, mistakes are still made. But frankly, if they’re still not working at your company, you or your superiors are not taking advantage of the resources that are available.

The same cannot be said of security – at least not yet. And this time the stakes are much higher.

So perhaps it’s time to really take a look at the truisms around corporate security, and see if they’re actually taking root in your organization. Do the business managers understand the threats facing them, and if so, are they willing to commit the dollars and resources? Who will convince them if they don’t? Perhaps you’re a small organization – do you at least have a security point-person whose task it is to update/patch software as required?

And of course, do you know what information is currently sitting on your servers that someone might want, or at least could do some damage if they got their hands on it? Knowing what to sink money into protecting is half the battle.

No doubt you’ve heard this all before. Many of you have even taken it to heart and done your best to secure your workplace. If so, you should be commended. Just remember that there are at least 3 million people out there who would love to prove you wrong.