Recent attacks against websites such as Yahoo, Amazon.com, E*Trade, and eBay, plus periodic virus outbreaks such as ILOVEYOU and Melissa, should remind companies that security issues must remain a primary concern for everyone doing business on the Internet. The Internet opens new doors for a company worldwide, but it also opens the company up to security vulnerabilities.
Businesspeople who participated in Ernst & Young's sixth annual Information Security (EYIS) survey, for example, believe that "as connectivity grows, driven by eCommerce and the Internet, so does risk [from industrial spies, foreign governments, competitors, and even legitimate business partners]." The Information Infrastructure Standards Panel is growing concerned as intruders become even more sophisticated at stealing or destroying information. And the threat isn't limited to external perpetrators. Disgruntled employees actually are more likely to commit some type of computer crime against their former employers. They're more familiar with system weaknesses, and they're better able to cover their tracks. The Computer Emergency Response Team (CERT®) at Carnegie Mellon University receives multiple daily reports of security breaches, an increase from the one every other day reported in 1990. (Current reports are available at www.cert.org/summaries/CS-2000-03.html.)
In the EYIS survey, more than 59% of the participants reported financial losses in the past year due to system downtime, system failures, or security breaches, yet only 41% of the organizations had Business Continuity Planning (BCP) in place. In approximately 45% overall, BCP wasn't even in the budget.
How can you manage the threat of Internet security if your company is conducting or contemplating business online? Access to information on the Internet is decentralized, so the security of the information should also be decentralized. Setting up security measures involves time, money, and inconvenience for everyone involved--and all levels of management need to be involved.
HOW DOES YOUR COMPANY USE THE INTERNET?
The Open User Recommended Solutions (OURS) Consortium is a task force made up of 60 corporate users and computer vendors. OURS has identified several steps companies should take to establish Internet security. First, a company must identify how it will use the Net, and then it should assess the risks involved and perform a cost/benefit analysis to determine if the benefits outweigh the potential costs.
In the EYIS survey, 80% of those reporting provide some degree of remote access to their organization--dial-in, leased line, Internet, or Virtual Private Network (VPN). This is just one of several good reasons to perform a risk analysis. For example, in a healthcare organization, patient information is extremely confidential. This high degree of confidentiality demands rigid information security, so a healthcare organization most likely would assess its potential risk as high. But a company with information of very little value on its system may assess its risk as low, with fewer required security measures.
IDENTIFY POSSIBLE THREATS
After a company identifies how it will use the Internet, it needs to identify the threats that are present online, OURS suggests. Here are nine basic threats that cover the areas that should be of greatest concern for any company:
1. Data destruction,
4. Misrepresentation/false use of data,
6. Inadvertent misuse,
7. Unauthorized altering/downloading,
8. Unauthorized transactions, and
9. Unauthorized disclosure.
The objective is to make an attack on your company's computer system as difficult as possible. Deterrence is the logical approach because a good hacker can get into almost any system. A recent survey of IS …