Weathering the security storm

Richard Reiner isn’t a meteorologist, but he knows about bad weather. As the CEO of FSC Internet Corp., which has just launched a 24-hour e-security emergency response service, Toronto-based Reiner has seen a lot of drenched rugs and tattered curtains, metaphorically speaking.

“You can’t wait for the hurricane before you close the windows,” Reiner said.

FSC’s new e-security emergency response service provides expertise in handling hacker attacks, identifying and resolving potential security issues, and preventing denial of service attacks. This service is an extension of its suite of e-security services including penetration testing, security assessment and audit, security policies and procedures consulting, security architecture services, security implementation and deployment, Web privacy assurance and managed care service.

According to Reiner, the service focuses on two aspects of e-security: situational response and proactive preparation, which is an attempt to ready users for a security storm before it ever hits.

“The first few minutes can be really critical in terms of how an incident is handled,” Reiner explained. “There’s a proactive component to our service that consists of modules, training and process development that we do with our clients so that they are in a state of readiness in case there is a problem.”

Reiner admits that there is no way to achieve perfect security, but believes that educating a company’s staff to recognize signs of a potential security breach and implementing a structured procedure to react to such an incident is integral.

Edmonton-based Geza Szenes, a senior analyst at Enbridge Pipelines Inc., agrees that awareness is the key to a company’s security.

“Companies think that security is a technology problem,” Szenes said. “Security is a people problem. It is people that don’t necessarily follow procedures. Companies need to implement solid, fundamental practices and policies, and make their employees aware of potential problems. Awareness programs are invaluable to an organization.”

According to Reiner, services such as FSC’s are necessary because the instinctive responses of non-security specialists often focus in the wrong direction.

“The instincts that most network managers would have if they came face to face across a server from a hacker wouldn’t be consistent with their employer’s objectives,” Reiner said. “The priorities should be to contain the damage, to protect information and to restore systems into service. Only far down the list below those primary objectives do you have the goal of catching the perpetrator. Most system managers or network managers, whether it’s just because they get caught up in the chase or for some other reason, seem to want to turn into an amateur detective the minute they hear there’s a potential hacker. More often than not, in the process of catching the bad guys, they’re doing as much harm as the bad guys did. At the very least, they’re letting the bad guy continue unimpeded while they try to catch him. We’ve put together a method of helping businesses meet their objectives more effectively.”

FSC client Greg Brydun of Toronto’s Goodmans LLP recognizes the benefit of a 24-hour security service in an industry where up-time is critical.

“It’s beneficial for us to employ someone who deals with security issues on a regular basis and who knows what the current problems might be,” Brydun said. “It’s hard for us to keep up with security problems and do our other jobs.”

This is the sort of response that Reiner and FSC hope other companies will have to the new service.

“Our 24-hour response capability meets a major gap that large companies have internally,” Reiner explained. “Large enterprises have a growing awareness that once you’ve connected the crown jewels of your corporation to the Internet, new risks are provided along with new business opportunities. We’re here to make sure that they’re prepared for those risks.”