Among the many thousands of networks that caught the "I Love You" virus last year was the one Cliff Harrison manages at Atlas Technologies Inc. in Fenton, Mich.
"It took my network down for about two hours," Harrison says, "and it costs us about $7,500 an hour if the network is down for any reason." Harrison is the information systems manager at Atlas, which supplies carmakers and other companies with manufacturing equipment. His experience puts a human face on the billions of dollars in damages the virus caused worldwide.
So this year Harrison will be installing network-supported anti-virus software, replacing the programs on individual workstations. "Typically, we would discover that users were two months to two years behind in updating their virus definitions," he says.
And so it goes, day after day, in every company, university and government agency we spoke to: a never-ending parry and thrust with those who threaten the security of their networks. Indeed, 77 percent of respondents to this month's security survey were hit by viruses last year. "Ultimately, with everything changing, you're in a constant battle," says Michael Schick, vice president for technology at Heitman Financial LLC, a real estate investment firm in Chicago. "Everything has to be updated as you get new and different threats."
Organizations must be constantly vigilant, says Richard Pethia, director of the CERT Coordination Center, a government-funded organization dedicated to network security. "New technologies bring new vulnerabilities," he says. "And we're constantly discovering vulnerabilities in old products." He expects that the number of vulnerabilities reported this year will be double last year's number.
As a result, CIOs are devoting more money and time to security. Harrison's security bill at Atlas nearly doubled this year, and more than half of our respondents will be spending more this year. And the costs will continue to grow as the world becomes more interconnected, and as the cleverness of those who would cause harm increases. In 1989, CERT/CC counted fewer than 200 security incidents (the Melissa virus, for instance, and everything that resulted from it counts as one incident). In the first quarter of this year alone, CERT/CC recorded more than 7,000 incidents.
No one is immune. When 30 computer security experts involved in a spare-time endeavor called The Honeynet Project hooked a typical computer network to the Internet to see what hackers would do, it was probed and exploited in 15 minutes. "You're dealing with intelligent adversaries who are going to find your weak points," Pethia says. "That's what makes it different from other kinds of risk management."
Network managers must balance security against the business advantages new technology brings. "My biggest issue is allowing our users to do everything they need to do to be efficient from a business standpoint, without opening the door to an attack," says Schick. At Heitman, investment deals were once made in person or on the phone. "Now even big deals are done by e-mail at some point. If a big deal was being done and our network went down, it could cost us millions," he says. He's now working through the security implications of Web-enabling parts of the business.
The CIOs we spoke to understand the key role employees play in security. Some take precautions when employees are being dismissed, quickly removing their network access, for example. And everyone knows that education is key. "Your people can definitely cause you problems if they don't do the right thing," says Jim Fulton, corporate director of MIS at Ulbrich Stainless Steels & Special Metals, Inc., in North Haven, Conn. "We try to teach them good practices, such as what to do with strange e-mails. But we also have a facility to automatically update virus definitions on everyone's desktop, because if they had to remember it would never get done."
Employees can be allies in the battle. "We view our staff as a strength of our overall information security program," says Douglas Nagel, technology officer for Nationwide Federal Credit Union in Columbus, Ohio. "They are the ones who make sure viruses don't come in and holes aren't created in the firewall. They have to understand that our business is built on trust, and their role in maintaining that trust is critical."
It's also necessary to win support in the corner office. "Usually for me it's not an issue," says Fulton at Ulbrich, "because, in the case of a virus outbreak, everybody is affected. It's very visible, and anything we do is appropriate as far as they're concerned. Some esoteric things, like VPN hardware or encrypting outside communications, that's a little harder to sell. They want to know what it's going to cost and what's the risk. They can understand it on a gut level, but after all, we're not the Defense Department; we don't make nuclear arms, we roll and distribute stainless steel."
Nagel at Nationwide has created a team, consisting of himself, the company's security officer and the internal auditor, that meets regularly to review risks and then makes recommendations on spending. Pethia at CERT/CC encourages technical and business-side people to work together, since they will bring different perspectives to the matter. This collaboration should be part of an organizationwide, comprehensive plan, Pethia says, to prevent companies from focusing on one aspect of security and overlooking others. "Security is a mindset and a management practice as much as it is a technology," he says.
Nevertheless, one-third of our respondents indicated some difficulty in enlisting the support of senior executives at some point. Harrison at Atlas, who has been successful at it, says it's more political than technical. Full communication and credibility are important. "I don't believe in dealing with problems unless they really are problems," he says. "I don't impact the user any more than absolutely necessary."
The risk and the response vary from one industry to another. Says Ulbrich's Fulton: "There are lots of things that make us who we are, mostly our people and the processes we have. It's not like there's data on our servers that makes us who we are. Here, our product is millions of pounds of stainless steel out in the warehouse. They're not going to come and take that away. But in a financial institution, the data is the product. And you don't need a stethoscope and sandpaper. All you need is a computer and a modem."
Indeed, at Nationwide, Nagel has had to conform to the Gramm-Leach-Bliley Act of 1999, which governs financial institutions and the privacy of their customer information. "Privacy is critical by law," he says, "and it's the security that enables privacy. We have to prove that we are securing our members' information. We're subject to at least an annual review. In the past it was 'Show me your vaults, show me your cameras, show me your paper-shredders.' Now it's 'Show me your password policy, show me your firewall.'"
In the end it's difficult, perhaps impossible, to measure the return on investment in security. But perhaps that's the wrong way to think about it. "It's difficult to say we are overspending or underspending," says Heitman's Schick. "You can't overspend, really. You have to protect your data. It only takes one time: one hacker getting in and stealing all your financial data. It would be irresponsible on my part to not have the toughest security possible."

Terry A. Kirkpatrick