Shaping up your security for 2001

It’s the new year. And like those unfortunate souls among us who resolve to either tone down or beef up our bodies, companies in Canada are probably making similar resolutions about strengthening their corporate security.

Most likely, many of them are determined not to fall prey to the kind of security breaches that befell major companies in the early months of last year: the Yahoos, Amazons and others whose sites were knocked offline by a wave of distributed denial-of-service attacks, and the thousands of companies infected by the so-called “Love Letter” worm, which spread as a Visual Basic Script attachment to e-mail.

However, as is the way with resolutions that fall by the wayside, many companies this year will balk at the effort needed to become strong enough to fend off such security attacks. The problem is price, especially in the leaner financial times of 2001.

Like the dieter who succumbs to a cookie for immediate gratification, company executives still seem fixated on an immediate return on investment, says Dan McLean, an analyst with IDC Canada in Toronto.

“Little has changed in terms of investment,” McLean says. “I think a lot has changed in terms of awareness.”

Last May, IDC issued a somewhat discouraging look at security levels in medium- and large-sized Canadian enterprises. Among the lowlights was the admission by one in five companies that their network, data or Internet security had been compromised in the past, and the same proportion reported their networks had been “knowingly hacked” in the past year. Viruses had also infected 75 per cent of the companies’ computing environments at least once in the past year, the report noted.

Since most security professionals maintain that almost every company will experience a security breach at some point in time, perhaps those numbers aren’t alarming.

The real problem could lie in the lack of resolve by many companies to spend the cash necessary to improve their security.

“I think the battle right now is going to be waged with the budgetary folks,” says McLean.

Michael Murphy agrees. The general manager in Canada for Symantec Corp., maker of the Norton Anti-Virus product, says executives tend to view security costs like IT purchases. That is, they may provide a certain function but they don’t visibly make you money.

“Unfortunately, security is still viewed as a necessary evil,” Murphy says. “Nobody really wants to do it because it’s complicated, it’s difficult, the (amount) of skill and experience in the marketplace is still limited. So people do it in sort of a patchwork fashion. Typically, security is funded out of IT budgets, which means when it comes down to buying new laptops or new desktop computers or some new networking hardware, oftentimes those purchases win out over security purchases, whether it be security infrastructure, technology or applications.”

According to Murphy, this relegation of security to a subset of IT is an example of a mindset that plagues many companies.

Security “doesn’t have to be second nature to the security professionals, they’re already aware of everything,” he says. “But the education awareness needs to get to the masses, not to the few.”

If there is one positive, according to McLean, it’s that 75 per cent of the Canadian companies IDC surveyed said they have defined security policies. And everyone from analysts to vendors to security integrators seems to agree that formulating a policy is the first step toward protecting a company.

In most cases, a security policy is devised by first preparing what is called a “threat-risk assessment.” Basically, this amounts to an inventory and valuation of the company’s assets, the vulnerabilities each of them is exposed to, and the likelihood and cost of each being compromised. The company’s appetite for risk, its comfort factor, is also taken into account.

“When you do a proper risk assessment, it lets you understand what security breaches could conceivably cost your company, how likely these things are to occur, and that in turn sort of points you to the level of investment you ought to be making to minimize the risks,” says McLean.
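The arithmetic McLean describes, carried through as an added example (not code from the article or from IDC): each asset gets a value, an exposure factor per incident and an expected yearly rate, which together give an annualized loss expectancy; a risk appetite decides which risks are simply accepted, and for the rest the candidate control with the best net benefit (loss avoided minus its cost) is chosen. The assets, dollar figures, rates and controls are all constructed for illustration.

```python
"""Worked threat-risk assessment.

Added example, not part of the original article or the IDC report it cites.
It carries out the valuation the text describes: asset value, exposure per
incident, likelihood per year, the resulting annualized loss expectancy
(ALE), and a risk appetite (the "comfort factor") that decides whether a
risk is accepted or a control is bought. Every asset, figure and control
below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # worth to the business, in dollars
    exposure_factor: float  # fraction of that value lost in one incident (0..1)
    annual_rate: float      # expected incidents per year

    def single_loss(self) -> float:
        """Single loss expectancy: the cost of one incident."""
        return self.value * self.exposure_factor

    def annual_loss(self) -> float:
        """Annualized loss expectancy: expected loss per year with no new control."""
        return self.single_loss() * self.annual_rate


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    applies_to: FrozenSet[str]     # names of the assets it protects
    rate_reduction: float          # fraction by which it cuts incident frequency
    damage_reduction: float = 0.0  # fraction by which it cuts loss per incident

    def residual_loss(self, asset: Asset) -> float:
        """ALE that remains once the control is in place."""
        return (asset.annual_loss()
                * (1.0 - self.rate_reduction)
                * (1.0 - self.damage_reduction))

    def net_benefit(self, asset: Asset) -> float:
        """Yearly loss avoided minus what the control costs to run."""
        return asset.annual_loss() - self.residual_loss(asset) - self.annual_cost


@dataclass(frozen=True)
class Decision:
    asset: str
    annual_loss: float
    action: str              # "accept" or "mitigate"
    control: Optional[str]   # control chosen when action is "mitigate"
    residual_loss: float
    net_benefit: float


def assess(assets: List[Asset], controls: List[Control], risk_appetite: float) -> List[Decision]:
    """Rank assets by ALE and pick, per asset, the control with the best net benefit.

    A risk at or under the appetite is accepted outright. A risk above it is
    mitigated only by a control that pays for itself; if none does, the risk is
    still marked "accept" so the uncovered exposure stays visible in the output.
    """
    decisions = []
    for asset in sorted(assets, key=lambda a: a.annual_loss(), reverse=True):
        ale = round(asset.annual_loss(), 2)
        candidates = [c for c in controls if asset.name in c.applies_to]
        best = max(candidates, key=lambda c: c.net_benefit(asset), default=None)
        if ale <= risk_appetite or best is None or best.net_benefit(asset) <= 0:
            decisions.append(Decision(asset.name, ale, "accept", None, ale, 0.0))
        else:
            decisions.append(Decision(asset.name, ale, "mitigate", best.name,
                                      round(best.residual_loss(asset), 2),
                                      round(best.net_benefit(asset), 2)))
    return decisions


# Constructed inputs: a small company's three assets and three candidate controls.
ASSETS = [
    Asset("customer order database", 2_000_000, 0.25, 0.2),
    Asset("public web site", 300_000, 0.5, 2.0),
    Asset("intranet wiki", 50_000, 0.1, 1.0),
]
CONTROLS = [
    Control("centrally pushed anti-virus updates", 40_000,
            frozenset({"customer order database", "intranet wiki"}), 0.7),
    Control("mail content filtering", 25_000,
            frozenset({"customer order database", "intranet wiki"}), 0.5),
    Control("upstream denial-of-service filtering", 120_000,
            frozenset({"public web site"}), 0.8),
]
RISK_APPETITE = 10_000  # dollars of expected loss per year the business will live with


def run_example() -> List[Decision]:
    return assess(ASSETS, CONTROLS, RISK_APPETITE)


if __name__ == "__main__":
    for d in run_example():
        print(f"{d.asset:28} ALE ${d.annual_loss:>10,.0f}  {d.action:8} "
              f"{d.control or '-':40} residual ${d.residual_loss:>9,.0f}  "
              f"net ${d.net_benefit:>9,.0f}")
```

With these constructed figures the web site (ALE $300,000) and the order database (ALE $100,000) each get a control whose net benefit is positive, while the wiki’s $5,000 expected loss falls under the appetite and is accepted. The point of the exercise is the last column: a control with a negative net benefit is not bought simply because the risk exists, which is the argument McLean makes for sizing the security budget from the assessment rather than from what is left in the IT budget.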

Going from a good start to winning the race against hackers and other malicious threats to your company requires more than a policy, though: it requires a buy-in from employees, says Murphy.

“There are volumes of security policies in corporations and governments that sit on a shelf and collect dust,” Murphy points out. “Somebody’s job was to write a security policy, and someone writes volumes one, two, and three – the red book, the orange book, and the black book. For security to be understood and managed it means that policy has to be distilled into a one-page, or two-page pamphlet that every employee understands, every employee tries to integrate in their day-to-day routine, and that’s when security becomes effective.”

To Murphy, a security policy should be an instant response plan. That is, everybody should know what to do when a security breach happens, the same way they know where to go in case of fire.

While Victor Keong firmly believes in the benefits of good employee behaviour, he also knows the history of human behaviour. Keong, a senior manager of e-business technology and security for Deloitte and Touche in Toronto, cautions that IT departments cannot rely solely on employees to maintain a company’s security.

“You need the technology to enforce the policies,” Keong says simply. “Innately, human beings don’t like to abide by rules. If you have the technology to facilitate the execution of a security policy, that’s important.”

Keong advises companies to invest in tools that push virus-signature updates to desktops centrally, instead of expecting employees to keep their own protection current every week. He also suggests looking into content filtering technologies, which screen incoming e-mail for potentially dangerous attachments and content before it reaches the user.
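The core of the attachment check a content-filtering gateway performs, as an added example (not code from the article or from any vendor’s product): parse the incoming message, and flag any attachment whose real extension is one Windows will execute, including the double-extension trick the Love Letter worm relied on, where the attachment was named LOVE-LETTER-FOR-YOU.TXT.vbs and appeared to the recipient as a harmless text file. The messages produced by build_message() and the extension list are constructed for the example.

```python
"""Attachment screening for incoming e-mail.

Added example, not code from the original article or from any vendor's
content-filtering product. It shows the core check such a gateway runs:
flag attachments whose name ends in an extension Windows will execute,
including the double-extension trick the Love Letter worm relied on
(an attachment named LOVE-LETTER-FOR-YOU.TXT.vbs). The messages built by
build_message() are constructed test data; the extension list is
illustrative, not exhaustive.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import List

# Extensions that run as programs or scripts when opened on a Windows desktop.
DANGEROUS_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "shs", "lnk", "reg",
}


def attachment_findings(raw_message: str) -> List[str]:
    """Return one finding per risky attachment; an empty list means the mail is clean."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue  # inline body text, not an attachment
        pieces = filename.lower().split(".")
        ext = pieces[-1] if len(pieces) > 1 else ""
        if ext in DANGEROUS_EXTENSIONS:
            # "report.txt.vbs": Windows hides the last extension by default, so the
            # user sees "report.txt"; judge by the real (last) extension.
            if len(pieces) > 2 and pieces[-2] not in DANGEROUS_EXTENSIONS:
                findings.append(f"{filename}: double extension hiding a .{ext} script or program")
            else:
                findings.append(f"{filename}: executable attachment (.{ext})")
    return findings


def should_quarantine(raw_message: str) -> bool:
    """Gateway decision: hold the message for review if any attachment is risky."""
    return bool(attachment_findings(raw_message))


def build_message(attachment_name: str, payload: bytes, maintype: str, subtype: str) -> str:
    """Build a constructed RFC 822 message with one attachment, for testing the filter."""
    msg = EmailMessage()
    msg["From"] = "someone@example.net"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("Please check the attached file.")  # constructed body text
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=attachment_name)
    return msg.as_string()


if __name__ == "__main__":
    for name, mt, st in [("LOVE-LETTER-FOR-YOU.TXT.vbs", "application", "octet-stream"),
                         ("setup.exe", "application", "octet-stream"),
                         ("q4-budget.xls", "application", "vnd.ms-excel")]:
        raw = build_message(name, b"constructed payload", mt, st)
        verdict = "QUARANTINE" if should_quarantine(raw) else "deliver"
        print(f"{name:32} -> {verdict:10} {attachment_findings(raw)}")
```

The filter deliberately judges by the final extension rather than by the declared Content-Type, since the sender controls both and the desktop decides what to run by the name. A gateway doing this is the kind of enforcement Keong means: the rule “don’t open unexpected script attachments” stops depending on each employee remembering it.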

Content filtering is also becoming more popular because of the protection it provides for companies from their most likely attacker: the employee.

“I think it’s a combination of carelessness as well as abuse,” Keong says. “For example, people looking at porn sites is still a very big factor, and security companies are out there trying to sell products for content filtering.”

McLean says access controls are also useful in making employee security easier. “If you don’t give people access to certain files they shouldn’t have access to… they’re not likely to get into something they shouldn’t.”

If employees have access to the public network, other tools like firewall protection become essential, McLean adds.

Of course, all the tools in the world won’t work unless they’re deployed with forethought. A proper security plan is considered a total solution, not a mere collection of the latest tools. Like the company itself, it is probably only as good as its employees, suggests Murphy.

In many vertical markets, this is welcome news. In the financial sector, for instance, banks and insurance companies have taken a lead in hiring security experts, as well as having a chief information officer. In Canada’s smaller mid-sized companies, this often isn’t the case, Murphy says.

“Economies of scale are such that the network administrator is also the firewall person, the e-mail person is also the PKI or crypto-guy,” he explains. “Which tells me that people won’t fund separate positions for experts in security, which in my opinion is not the way it should work.”

Many in the security industry are heartened by Canada’s new Personal Information Protection and Electronic Documents Act, commonly known as Bill C-6, which came into force at the beginning of this year. Essentially a law governing the collection, use and disclosure of personal data, it is being phased in and will apply to almost all Canadian businesses by 2004. Perhaps the most important aspect is the requirement that any company collecting personal data designate a person accountable for its compliance with the Act.

According to Keong, similar legislation governing the health care system in the United States (HIPAA, the Health Insurance Portability and Accountability Act) spurred a wave of security technology purchases among the companies affected.

Keong is hopeful C-6 will have the same effect here. “We’ve been seeing that business people are talking to IT people increasingly,” he notes. “I think the tunnel vision or even the short-range, myopic vision we’ve seen in the past is correcting itself.”

McLean says he will remain skeptical until he sees if companies put their money where their mouths are. Specifically, he feels many companies should begin by untying their security budgets from the regular IT budget.

“When it’s broken out as a separate line item, I think what a company is doing then is making a commitment and saying, ‘We absolutely must invest in this area, and we’re allocating a specific budget. And it’s money that’ll be there when we need to invest. And, in fact, we plan to invest it.’”