Security Relaxes as IT Threats Increase

By Allan Alter  |  Posted 09-15-2005

Security Relaxes as IT Threats Increase

The news on the IT security front is alarming. Recent months have seen one report after another of companies exposing, selling or simply losing customer data to criminals.

The reason: The security threat has changed, according to Bruce Schneier, CTO of Counterpane Internet Security Inc., of Mountain View, Calif.

In the past three years, he says, "criminals have taken over from hackers." The latest twist in cybercrime is online extortion.

The August 2 issue of "Newsweek International" reported that online gambling sites have been hit by extortionists who threaten to shut down their Web sites with denial-of-service attacks unless the gambling sites pay off the blackmailers.

According to Alan Paller, director of research at the SANS Institute, an IT security educational organization located in Bethesda, Md., banks and online retailers have also quietly paid off online extortionists, whose demands have, to date, ranged as high as $1 million.

And in June, the U.K.'s National Infrastructure Security Co-Ordination Centre warned that Trojan horses (transmitted by e-mail or through Web sites) that appear to come from legitimate sources, and so can evade antivirus software and firewalls, were specifically targeting individuals who work with sensitive "commercially or economically valuable information."

Click here to read about how some customer data may be too risky to keep.

The latest update from IBM Corp.'s "Global Business Security Index" indicates that such targeted attacks are a fast-growing percentage of the 237 million infected e-mails and attacks perpetrated in the first half of 2005.

In light of these reports, our latest security survey of nearly 300 IT executives presents some pretty grim findings.

Three out of ten respondents admit that their company's attitude toward security has become more relaxed as the events of Sept. 11 fade into the past.

Two-thirds report some kind of security breach, from penetration by viruses or spyware, to lost data and inappropriate access.

And while security experts are encouraged to see that the sort of carelessness and negligence that lets hackers and thieves get past a company's defenses is now recognized as the top security issue problem.

"It's a good sign, a sign we're starting to see CIO awareness match actual risks," says Counterpane's Schneier.

Still, many companies aren't taking steps to improve awareness and education.

This last problem was also identified as a major concern in both Ernst & Young's 2004 "Global Information Security Survey" and in Deloitte's 2005 "Global Security Survey" of major financial services companies.

"What's disturbing is that while employee negligence is a big concern, training and awareness programs are not high on the radar screen," says Ted DeZabala, a principal in the security services group of Deloitte & Touche LLP, in New York City.

The IT executives and experts we spoke with agree that defending companies from attack and theft requires more than deploying security technology.

"It takes a combination of people, processes and technology, not one thing," says David Siesel, the CTO of the direct marketing group at Harte-Hanks Inc., a $1 billion media company based in San Antonio.

So why the reluctance to invest in security awareness and training?

Next Page: Increasing awareness is not enough.

Increasing Awareness is not


Says Paller of the SANS Institute: "Awareness education doesn't work. The current security awareness programs are not effective at keeping people from making the mistakes that cause their computers to become zombies.

"Managers are right to resist security awareness training that's ineffective. Why should I send a person to training if they won't do anything differently?"

Alarming Results:

Finding 1
Four years after Sept. 11, not all IT executives remain on their guard.

Finding 2
Negligence is the biggest security worry for IT executives

Finding 3
Companies are failing to take steps to improve security awareness.

Finding 4
Security isn't truly strategic until it's integrated with risk management.

Finding 5
Companies still aren't going the extra mile to keep customer and employee data private.

Finding 6
Technologies that prevent identity theft lag behind other security technologies.

DeZabala notes that it is easier to justify spending on technology than on training.

"If you are skeptical about these programs, will you be criticized if a security event occurs, and you've spent your money on training and awareness rather than on something that's technological or operational in nature?" he said.

Our survey suggests that if companies want to lower the risk of negligence, carelessness and management resistance, they need to put security into a broader, more strategic perspective, rather than just take a defensive posture.

Companies with a real security strategy—especially one that's grounded in corporate risk management—typically take more steps to protect themselves from employee carelessness and ignorance.

Does cyberterror matter to counterterrorists? Click here to read more.

Such companies are much more likely to provide training and security updates, and to develop policies regarding e-mail attachments and network access.

Harte-Hanks, for example, has taken many steps to raise employee awareness, from alerting employees about new threats, to brown-bag luncheons and asking employees to sign documents attesting to their security and confidentiality standards.

According to Siesel, the key is to show employees the direct impact a security lapse could have on them and their company.

"When people understand how their behavior can affect their customers, their company or themselves, they are more likely to take steps to protect them. They could lose stock value. The company could be shut down. We could lose important customers."

Companies that develop an integrated IT-risk management strategy are also more likely to establish responsibility for managing IT risk between IT and business managers, which helps to make sure that management will stand behind the company's IT security policies.

If, as Schneier says, companies need to create "a culture of security" from the top down, putting in the time and effort to work with executives to develop a real, workable security strategy appears a necessary step.

More Alarming Results:

  • 5.9 percent of the average IT budget is dedicated to security.
  • 64 percent have strengthened security in the wake of recent news reports on identity theft.
  • 37 percent of companies have been penetrated by spyware.
  • 72 percent rank careless or risky employee behavior as one of their top three security concerns.
  • 48 percent provide special training to employees who handle customer data.

    To download the survey results, click here.