E-Business -- IT's Growing Threat

Last fall the equivalent of an electronic gong should have sounded in the heads of chief information officers across America when Microsoft Corp. was victimized by a hacker who broke into the software giant's data banks and accessed its future product files via the Internet. If it can happen to the world's biggest software company, they should have realized, everyone's at risk. Despite the much-publicized breach at Microsoft -- and the fact that theft of proprietary information from the 1,000 largest industrial firms exceeded $45 billion in lost revenue in 1999, according to the American Society for Industrial Security, Alexandria, Va., and PricewaterhouseCoopers -- most CIOs appear oddly complacent about security. A study last year by RHI Consulting of 1,400 CIOs found that nine out of 10 expressed confidence in their network security. What gives? Most surveys of data security -- and the lack thereof -- seem to suggest that losses are even greater than studies indicate, because most incidents go unreported. According to a study by the Computer Security Institute, San Francisco, more than half of companies surveyed had a policy of not disclosing security breaches. Reasons cited included fear of bad publicity and the desire to keep unflattering information from competitors, customers, and shareholders. To be sure, the risks rapidly increase as companies adopt e-business strategies. Consider the e-business goal trumpeted in the 2000 annual report of Cleveland's Eaton Corp.: "By 2003, we expect 90% of all our employee, customer, and supplier interactions to be Web-enabled." The company already has made substantial e-business progress. Its Industrial and Commercial Controls segment conducted over $1 billion in sales over the Internet. More than 95% of all construction items are configured, engineered, and priced electronically; 80% of all stock items are ordered by customers online; and total volume processed via pricing and configuration software has increased by more than 200% since 1998. To safeguard those goals requires a commensurate investment in security. "The important thing to remember is that there are some security fundamentals that don't change when entering the e-business era," asserts Cal Slemp III, director, global trust and e-commerce, IBM Global Services, Somers, N.Y. He refers to the senior-management responsibility to develop a set of controls that is consistent with the business strategy -- to manage the risk that they see with an investment in security. (Another unchanged fundamental is that most security risks -- perhaps as much as 80% -- continue to come from inside the enterprise, says Slemp.) "There is a tendency for everyone to make a leap of faith that all those controls that were put in place for the pre-Internet world were automatically attached and implemented in an Internet world. And that assumption, unfortunately, is not correct," Slemp observes. Hackers Proliferate Securing the integrity of information technology today is a complicated task. In the pre-Internet era data tended to reside on a mainframe and a point solution such as IBM's RACF software would keep it secure. If telecommunications existed, the systems were private links that were far more secure than the Internet connections common today. Those links weren't absolutely hacker proof, but that was before the deterioration in Web ethics helped turn the word "hacker" into a pejorative reference, says Simon Perry, vice president, security solutions, Computer Associates International Inc. (CA), Islandia, N.Y. Perry suggests that the Internet, in effect, deskilled hacking, no longer requiring practitioners to be truly knowledgeable software experts. Today almost anyone can be a hacker. One sign is the emergence of the phrase "script kiddies" into the software lexicon. "The term denotes someone, relatively unskilled, who just downloads some hacking tools from the Internet. If they don't know where to find the tools, books available from online bookstores will help them find sources and instruct them how to use the tools," Perry adds. He says that more than 98% of organizations in any kind of industry have underestimated their vulnerability. Complicating the extent of today's e-security problem is the rapid proliferation of new and vulnerable technologies. Perry says the security challenge is going to grow and expand in at least direct proportion to the growth of pervasive or ubiquitous computing. Wireless is one example. Perry estimates that as many as 125 million such devices will be sold in North America this year, and devising security strategies is complicated by the diversity of the installed base. The absence of a standard such as Microsoft Windows for PCs also is a challenge. "Business users are finding it strategically important to be able to move a part of the management information system out to managers who are on the road," says Hayward, Calif.-based Bill Anderson, managing director of MobileTrust, the certificate-authority service of Certicom Corp. (Other companies working on security solutions for wireless devices include IBM's Tivoli Systems Inc., Austin, and Baltimore Technologies PLC, Needham, Mass.) The Bluetooth wireless specification could pose unique security challenges. Invented by Stockholm-based L.M. Ericsson Telephone Co. (and backed by organizations such as Nokia, IBM, Intel, 3Com, Toshiba, Lucent, and Microsoft), Bluetooth is designed to let wireless devices automatically communicate with each other within a 10-meter area. For example, permitting a Bluetooth-equipped PDA to automatically and wirelessly update a file on a PC is convenient, but security must be in place. New technology also has drastically changed the risk exposure in manufacturing. Traditionally a secure, insular island of information technology, production operations become more vulnerable as factory automation and networking technology finally come together, adds Lanny Metcalf, manager of business development networking, Schneider Automation Inc., North Andover, Mass. He's referring to the accelerating trend of manufacturing to move to Ethernet-based, open-standards architecture that will enable everything to talk to everything else. Behind that network architecture is the rising intelligence of the production equipment, adds CA's Perry. "In many cases the computing power on today's plant floor might exceed what IT departments had as recently as a decade ago. With the growing trend of Internet access and supply-chain connectivity, production becomes at least as vulnerable to security risks as any other part of the enterprise." But don't think that all of manufacturing's risk exposure is from the outside. Perry cites the case of a fired production engineer at a major U.S. chipmaker: "Unhappy with his termination, he went to his home PC, accessed the equipment he was previously responsible for, and caused $60,000 in production losses before the problem was detected. We warn our clients that scheduling periodic penetration tests is to no avail if severed employees still retain access to IT systems." Security issues tend to proliferate and become more complex as an enterprise integrates e-business into its operating model, notes Perry. "Suddenly huge numbers of point solutions need to be monitored such as firewalls, scanners, and antivirus detectors." Viewing that challenge as opportunity, Computer Associates augments its security products and services business ($750 million software revenue in 2000) with its eTrust solution. Perry says eTrust, now three years old, brings efficiency to security management through its ability to centralize and deskill the process. "Imagine being able to control and monitor the security systems of 100 UNIX machines from one central point." Comprising an "end-to-end" suite of security products, eTrust also can be used to integrate other security vendors' products into a comprehensive, centralized security-management system. Enterprises with the greatest potential for security-management systems typically have a large variety of software applications and hardware devices. One example is Du Pont & Co., Wilmington, Del., with operations in 65 countries, 135 manufacturing sites, and more than 100,000 networked clients. Its adoption of a centralized security system grew out of an intrusion-detection study DuPont requested in 1999, says Mike Estes, intrusion detection manager, Computer Sciences Corp. (CSC), El Segundo, Calif. At the time CSC already had been engaged to monitor network outages and provide computer help-desk resolution. "I remember sitting across from a DuPont security officer following an evaluation of some products we wanted to implement," he says. "Thumbing through a magazine we saw an ad by a start-up -- e-Security Inc., in Rockledge, Fla. What intrigued us was the claim that their system could monitor sites regardless of the security vendor or the resident operating system. The e-Security approach is designed to present a comprehensive view of an entire security infrastructure from a single console. A drill-down capability monitors security attacks and intrusion attempts." Reed Harrison, e-Security's chief technology officer, says his best customers have met their security requirements with multivendor solutions and are trying to efficiently monitor them in real time. He says that most companies use a variety of security software products from at least three vendors. Unfortunately, few if any of these products exhibit overlapping functionality or display an ability to talk to each other, Harrison adds. "The result is a kind of security 'tower of Babel' that turns enterprise security into a logistical management nightmare. Users must suffer labor-intensive administration aggravated by uncoordinated security information overload." With the advent of outsourcing and hosting strategies, it becomes important to include security risk potential when you evaluate new business partners, says Reed. "Make sure you do vulnerability scans and carefully study the service-level agreements. Knowing that your partner is having a bad day security-wise is essential information, so some level of security-strategy intimacy is not only unavoidable, it is essential. Each party must acknowledge the security policies of the other partner. If they don't match, make sure that they're at least compatible. Include security requirements in any service-level agreements. Also, it's not unreasonable to ask for an audit of a partner's security arrangements. Application service providers expect it." Ultimately, IT's function in an Internet age is all about attaining new process efficiency via access, says IBM's Slemp. "The price is substantially more security risk. At the most basic level, the considerations are efficiency vs exposure costs." CSC's Estes emphasizes that the security investment has to be viewed as a revenue generator. "If you build [your security strategy] right, you will greatly increase your business potential," Estes says. Slemp adds the customer angle: "Having adequate security measures makes points with customers because you create an appropriate awareness. Also part of security from [the customers' perspectives] is the knowledge that the brand they're dealing with electronically is the same one that they're familiar with in the brick-and-mortar world. We've seen e-businesses fail because they did not have the right kind of security. The users saw that and then walked away." Slemp admits, however, that it isn't always easy to reassure potential customers that security is adequate. "The best advice is to start by establishing a strong brand on the Internet, one that is consistent with the brand already established in the brick-and-mortar side of the business." The next step is to create security policies and publish them on the company's site. Not everyone reads them, but their presence is a positive influence. "The fact is that policies help those at the end of an Internet transaction feel comfortable," Slemp explains. "By indicating that the transaction is secure you transfer the confidence the customer experiences in your brick-and-mortar presence."