A little past midnight on the morning of January 25, a computer worm called SQL Slammer began attacking 300,000 servers on five continents. In just 14 minutes, from start to finish, the worm ripped through a flaw in a popular Microsoft database package called SQL Server 2000, knocking out 911 emergency response systems in Seattle, forcing Continental Airlines to cancel some flights because of problems in its electronic check-in system and rendering some mobile phone service in South Korea inoperable. Before it was through, Slammer also had crashed many of the 13,000 ATM machines belonging to Bank of America.
The irony? Microsoft had released a patch for the SQL bug a full six months earlier, one of hundreds of patches issued by software makers to companies last year. But many companies around the globe, including Charlotte, N.C.-based BofA, didn’t apply the patch in time. Says Rhonda MacLean, the company’s director of corporate information security: “Slammer was a good example of a time when the bad guys got us first.”
BofA’s experience is hardly unique; even Microsoft got hit by the Slammer. According to Carnegie Mellon’s national Computer Emergency Response Team, which tallies cyber attacks on company systems, the number of security flaws in software is roughly doubling every year, along with the number of reported attacks. Companies now get hacked, on average, 30 times a week, with 15 percent of attacks resulting in system entry. For the first three months of this year, more than 42,000 attacks were reported to CERT monitors. And that’s only a partial reading: The FBI says just one in five attacks are reported, thanks to reluctance on the part of companies to broadcast security failings to customers and shareholders. Worse yet? The new viruses are becoming more sophisticated: Slammer scanned more than 55 million computer systems per second, 100 times faster than the previous Code Red virus, says Allan Paller, director of research at the SANs Institute, a Washington, D.C.-based security information center.
Trouble is, most companies are making little, if any, real headway in countering the rising information security threat. Most companies weren’t designed for information security, but for maximum efficiency and transparency in the way they hire and train people, collaborate, and churn out goods and services—all in a highly networked environment. Further, most companies still put more emphasis on physical security, Paller says.
Could we lose the cyber-security war? Former White House cyber-security czar Richard Clarke says companies are at a “tipping point,” where the ability of hackers to attack networks may soon eclipse the ability of companies to fight back. Says Gartner Inc. research director Roberta Witty, “There’s a momentum building for sweeping corporate security reforms that will be hard for any company to ignore moving forward.”
Stepping up to the plate won’t be easy. The issue isn’t whether companies have the right security tools, or even whether the new guy just hired to head up security has the best available skills. Boosting a company’s resistance to threats old and new is going to require what Clarke likes to call a “deep defense,” a whole new way that everyone inside the organization—from the people in the mail room to the CEO—must follow instructions, make decisions, collaborate, plan, market and produce. Says Mark Doll, a partner and director of security services for Ernst & Young in New York: “To take it to the next level, companies are going to have to completely re-engineer the entire way they systematically think about risk. It’s a cultural issue, not just a technology issue. It’s a management issue, a training issue, a business process issue as much as it is a leadership challenge, to pull together people from across the company to jointly figure out new strategies that will determine how they think about risk.”
Sure, we’ve all heard the re-engineering cry before: In the 1980s, companies were forced to retool operations to meet the challenge of rising imports and falling U.S. market share in industries from autos to agriculture. Then came the re-engineering craze set off by Michael Hammer and James Champy’s Re-engineering the Corporation. In the mid to late 1990s, companies restructured yet again for the Internet, kicking off a wave of innovation and automation that continues to digitize and influence the way companies make, market, buy and sell every kind of product.
Retooling for security will, again, be disruptive, analysts say, posing what could become stiff new leadership challenges in the months and years ahead as companies step up their push to create new cultures of control. More management and strategy cooperation between business risk and operations managers, CIOs, IT security officers, HR and marketing executives will be a must in this new environment. Also required: new limits on the workplace and how employees conduct their business and interact with customers, clients and each other, at work and at home.
Some companies are already finding mixed and sometimes awkward lessons in their attempts at security re-engineering: Teaching people to shut off their computers at night will probably always be easier than trying to convince them to start thinking of the UPS carrier as a potential cyber criminal who could be wearing a uniform purchased on eBay for $49.95—a scenario suggested at a recent Gartner security conference in Washington, D.C., by analyst Rich Mogull. “Americans have always been better at accommodating resistance in our culture than at accepting cultures of paranoia and control,” Mogull said in a recent interview. “It’s hard to get people to take some of the new thinking seriously. They get angry, or they laugh.”
The ultimate goal, of course, is not to slow down the business of business but to create new ways to think about security and control in the context of the corporation, as long as it doesn’t interfere too much with the process of making money. Says Motorola CISO Bill Boni, who reports to Motorola’s senior vice president and CIO Sam Desai, “Frederick the Great, one of the greatest military geniuses in history, said that ‘he who defends all defends nothing.’ The requirement of a companywide security policy is figuring out which threats take priority and what responses are most effective—or could be. My goal here is to always be working with things from a business impact perspective, and working hard to make sure everyone knows precisely what that means.”
But very few companies, says E&Y’s Doll, are even close to thinking through the new risk paradigm. Most, he says, are still struggling to create a single, coordinated security message. They’ve also been slow to select the right people to put in charge of making the correct calls between productivity and caution, risk and reward, amid continuously changing levels of threats and sets of business priorities. Until more companies make that leap, he says, it will be ery difficult for many corporations to construct any sort of consistently effective security shield that can survive the demands of day-to-day business, much less the growing new threats waged against it. Says Doll, “CEOs are not saying to CIOs: ‘Fix the security, fix the controls.’ What they’re saying to them is: ‘Give me all the productivity and fix the controls, and by the way, give me 10 percent off the budget.’”