The only thing worse than network security threats is business executives - including CIOs - who bury their heads in the sand.

Reader ROI
Learn how to make the case for network security systems
Discover simple, low-cost steps to protect your networks

THE STORY YOU ARE ABOUT TO READ IS TRUE. A NAME HAS BEEN CHANGED TO PROTECT THE CIO (FOR REASONS THAT WILL SOON BE OBVIOUS).

Sam Howard is the CIO of a local subsidiary of a very large, very well-known global manufacturing organisation. This company's Internet connection is as secure as any, protected behind a standard firewall that alerts Sam's people to attempted intrusions. Hacking is not a huge issue at Sam's company. Computer viruses? Well, that's a different story.
Sam's office employs about 700 people, who together receive about 50,000 external e-mail messages per week. In a typical week, 5 per cent of these e-mails - we're talking 2500 messages - are infected with potentially malignant computer viruses. Last year it was the Melissa virus, which jammed servers with spam e-mail that was more than annoying; it forced some entire companies to shut down their networks and eradicate the rogue application. This year it was the Love Bug, which outperformed Melissa and even shut down one of Sam's company's European offices for three days. Recently, old faithful, the Worm virus, returned. Let that into a PC and it'll make a hard drive look like the core of a bad apple.
Sam knows how to keep these viruses at bay. He's already installed off-the-shelf virus protection software on individual users' PCs. Problem is, the users are annoyed by the security applications popping up on their screens and delaying log-in time, so they disable them. Sam also knows he could purchase more sophisticated off-the-shelf systems to scan incoming messages as they enter his four huge e-mail servers. Problem is, his CFO and CEO don't want to spend the $90,000 to $100,000 necessary for such security. "They call it nuisance protection," Sam says. "They just don't understand the threat."
But Sam is nothing if not resourceful. He makes do with a single dedicated security specialist who tries to monitor incoming messages. On a given day, this person will catch and clean up 100 or so infected messages. Still, every once in a while, Sam intervenes and lets one of those tainted messages get through - right to the desktop of one of those people who scoff at "nuisance protection".
"Occasionally I do let a few viruses get through to the right executives," admits Sam, who'd just as soon not tip his hand to his boss (thus the name change for this story). "Nothing damaging, of course - just something to let them know that even though the threat is invisible, it's very real. We'll do anything we can to emphasise our point: these things are destructive."
You'd think the point would be obvious by now. After the corporate network havoc-wreaking by Melissa, Love Bug and other viruses during the past couple of years, not to mention the well-publicised hacking at high-profile businesses (eBay, to name one) and government agencies earlier this year, shouldn't business executives be flocking to cover their assets with state-of-the-art intrusion detection and protection systems? Not so, says James Adams, CEO of IDefense - an Internet security specialist in the US - and author of the book The Next World War: Computers Are the Weapons and the Front Line Is Everywhere (Simon & Schuster, 1998), about the threat posed by cybercriminals and cyberterrorists. True, there is a greater awareness of security issues in the business world today than, say, a year ago. "If you're a CEO, you've at least heard of the Love Bug - that's progress," Adams says. But there is little movement to change the misguided attitude that only the high-profile companies and government agencies are at risk, and that preventive security is just a money pit for other enterprises. "The attitude among some [business executives] is 'Why should I give $100,000 to [security] when I don't see the need?'" And yet the need has never been more apparent. The San Francisco-based Computer Security Institute recently released its fifth annual "Computer Crime and Security Survey", which reveals that 90 per cent of the respondents (643 computer security professionals from throughout the public and private sector in the US) have detected computer security breaches within the past year. Seventy-four per cent of these respondents acknowledged financial loss as a result of these breaches, and 42 per cent were willing to give numbers, which add up to $US265,589,940 in downtime, lost data and recovery efforts.
Now, granted, cybersecurity statistics are tricky because they rely on reports from companies that know they've been attacked and are willing to say so, neither of which is a sure bet. But the reported incidents alone are frightening. CERT, a 12-year-old computer emergency response team based at Carnegie Mellon University's Software Engineering Institute in Pittsburgh, has tracked cybersecurity breaches since 1988, when only six were reported nationwide that entire year. That number has exploded in the years since, leaping from 3734 incidents in 1998 to 9859 last year and 8836 through just half of this year. Viruses alone cost US companies an average of $US50,000 to $US80,000 per 1000 users each year in downtime and maintenance, says Peter Tippett, chief technologist of International Computer Security Association (ICSA), a security assurance service in the US. "And that's with average antivirus protection," Tippett says. "Without it, the cost is about $US1 million plus."
Michael R Spano Jr understands the threat. As CIO of Siemens Power Transmission and Distribution in North Carolina, Spano says at any given time as much as 1 per cent to 2 per cent of his company's incoming e-mail messages are infected with potentially damaging viruses. When new viruses are released, this can be as high as 15 per cent. And even though he has a solid firewall protecting his private network from Internet intrusions, Spano still detects regular break-in attempts by hackers. "The problem is getting progressively worse," Spano says, particularly with viruses. "There are a lot more copycat viruses than before, and we're spending a lot more time trying to find them and clean them up."
David Cooper also gets it. As the CIO of the Department of Energy's (DOE) Lawrence Livermore National Laboratory in California, Cooper oversees two major networks - a secure one that is connected to the Internet and a super-secure one that is not. Although he can't reveal the exact number or nature of attempted breaches, Cooper does say that incidents have risen steadily by about 20 per cent a year in the three years he's been CIO. "We haven't had much of a problem with viruses, but we have seen an immense increase in attempts to break into our firewall," Cooper says. "I can almost tell you when the colleges in Europe are on holiday because that's when the hacking attempts increase."
Spano and Cooper see the difficulty that CIOs have securing funds and staff for network security systems. In Spano's experience, finance executives are the toughest customers. They're willing to fortify the company's network against external hackers, who haven't been a significant problem for Siemens, but like the bean counters at pseudonymous CIO Sam Howard's company, they baulk at antivirus systems as "nuisance protection". "Management has it backward," Spano says. "They seem to think of hacking as malicious but viruses as just a nuisance. They don't see the 99 viruses we clean up every day. From an IT perspective, [security] is a matter of life and death for data."
But it isn't just the non-IT executives who don't get it. Even some CIOs are slow to comprehend the extent of the security threat they face. Lawrence Livermore's Cooper recently attended a conference of 300 senior IT executives, and he was appalled by their response to a poll about network security issues: 59 per cent of these executives said their companies' networks had never been hacked. "Ignorance is bliss, I guess," Cooper says. "These people have been hacked; they just don't know it." And if they don't understand the danger of hackings, then what are they doing to prevent destructive viruses?
Part of the push back to network security systems is expense. Even the security experts admit that there is no benchmark for what security could or should cost. "The general rule of thumb is that [network] security should cost 3 [per cent] to 5 per cent of a company's revenue," says Jon Darbyshire, CEO of eSecurityOnline.com, a new Internet security venture by Ernst & Young (US). "But there's a huge difference between 3 [per cent] and 5 per cent, and the numbers can be so broad and disparate that they really don't make sense."
The other form of resistance results from sheer denial that network security is a problem. David Starr, CIO of networking vendor 3Com, sees thousands - sometimes tens of thousands - of intrusion attempts per month at his company; he doesn't need any convincing. But he's met plenty of executives who do. "In my experience, CIOs are the worst problem," Starr says. "Security generally hasn't been high on their list of priorities. They've been worrying about desktops, ERP and Y2K, and their attitude has been 'We're not eBay; why would anyone want to bring us down?'" Well, 3Com isn't as well-known as eBay or Microsoft, but that doesn't make the company any less of a target for mischievous kids, organised crime and even foreign countries. "We recently traced one attempted intrusion to a site in Kosovo," Starr says.
Even among companies that claim to take security threats seriously, protection methods are often inadequate. "Most organisations don't even have the basics set up right," says ICSA's Tippett. Among its services, ICSA conducts "security snapshots" of clients' network systems. Of 172 companies examined in the second quarter of this year, only four had covered the basics - firewall and virus protection. "It's like they've locked their doors but left their windows wide open," Tippett says.
Some decision makers need hard evidence of a security threat to their companies before they'll respond. But "do nothing" can't be a viable option. "One time is all it takes," says Siemens' Spano. "I know people who never change the oil in their cars too. Sometimes these cars will run just fine until the lease is up or it's trade-in time. But then that one time . . ." Or as Adams of IDefense says, "You might say 'It can't happen to me', but by doing nothing to secure your systems, you virtually ensure that it will be you."
Six Tips for Selling Security
In protecting their own or their clients' networks, CIOs and security experts have devised some strategies for selling security to reluctant senior managers. Here are six top tips:
1. Establish Need Before Cost
If you know money is going to be a stumbling block, then don't lead with a budget request. Instead, break down your company's functions by business process, and illustrate how these processes are tied to the company's network. Then ask your bosses to determine which of these processes are most critical to protect from intrusion - and then be sure you know how much it would cost to secure each of those systems. "Turn the whole budgeting process around," says Darbyshire of eSecurityOnline.com. "Ask these people 'What do you want to protect?' and then show them 'This is what it will cost to do it'."
2. Hit 'Em with Numbers
It isn't enough to talk about "The Threat" in broad, sweeping terms. Bring the point home with numbers. CIO Starr not only tracks the number of attempted intrusions and viruses, he plots them on a graph, which he then presents monthly to top executives at 3Com. This gets people's attention and shows evidence of the growing threat. Starr also puts together what one might call a negative ROI - analysis of what costs might be incurred without the necessary security systems. For instance, in preparing to install a new $US400,000 antivirus application on 3Com employees' desktop systems, Starr encountered resistance from workers who didn't want another pop-up screen delaying their PC log-ins. In response, Starr put together a financial analysis of what it would cost per hour in productivity, lost business and system maintenance if either the e-mail servers or the entire network had to be brought down to eradicate a virus. That figure was well in excess of $US400,000 - plenty to make his successful case for the antivirus system.
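The "negative ROI" Starr describes is a small model: the hourly cost of an outage (idle staff, lost business, IT clean-up labour) multiplied by the hours the e-mail servers or the whole network would be down, set against the price of the control. The following Python is an added example of that calculation and is not from the article or from 3Com; only the $US400,000 price tag comes from the text, while the headcount, hourly figures, outage durations and incident frequency are constructed assumptions, labelled in the code. The `break_even_hours` figure is the number you would put in front of a CFO: how few hours of downtime it takes for the control to pay for itself.

```python
from dataclasses import dataclass


@dataclass
class OutageScenario:
    """One way a virus could force systems offline (the two cases Starr modelled)."""
    name: str
    hours_down: float                  # time needed to take systems down and clean them up
    users_affected: int                # staff who cannot work during the outage
    productivity_per_user_hour: float  # assumed loaded cost of an idle employee per hour
    lost_business_per_hour: float      # assumed revenue that cannot be recovered
    maintenance_per_hour: float        # assumed IT labour to eradicate the virus

    def cost_per_hour(self) -> float:
        """Hourly cost of the outage: productivity + lost business + clean-up."""
        return (self.users_affected * self.productivity_per_user_hour
                + self.lost_business_per_hour
                + self.maintenance_per_hour)

    def outage_cost(self) -> float:
        """Cost of one complete outage of this kind."""
        return self.hours_down * self.cost_per_hour()


def break_even_hours(scenario: OutageScenario, control_cost: float) -> float:
    """Hours of downtime at which the avoided loss equals the control's price."""
    return control_cost / scenario.cost_per_hour()


def negative_roi(control_cost: float, scenarios: list[OutageScenario],
                 incidents_per_year: float = 1.0) -> list[dict]:
    """Starr-style comparison: what it costs NOT to buy the control, per scenario."""
    rows = []
    for s in scenarios:
        annual_loss = s.outage_cost() * incidents_per_year
        rows.append({
            "scenario": s.name,
            "cost_per_hour": s.cost_per_hour(),
            "single_outage_cost": s.outage_cost(),
            "expected_annual_loss": annual_loss,
            "break_even_hours": break_even_hours(s, control_cost),
            # The control is justified when one year's expected loss exceeds its price.
            "justified": annual_loss > control_cost,
        })
    return rows


# Constructed inputs: only the $US400,000 control cost is from the article.
# Headcount, hourly figures and outage durations are assumptions for illustration.
CONTROL_COST = 400_000.0
SCENARIOS = [
    OutageScenario("e-mail servers down", hours_down=8, users_affected=5_000,
                   productivity_per_user_hour=50.0, lost_business_per_hour=20_000.0,
                   maintenance_per_hour=2_000.0),
    OutageScenario("entire network down", hours_down=24, users_affected=5_000,
                   productivity_per_user_hour=60.0, lost_business_per_hour=50_000.0,
                   maintenance_per_hour=5_000.0),
]

if __name__ == "__main__":
    for row in negative_roi(CONTROL_COST, SCENARIOS, incidents_per_year=1):
        print(f"{row['scenario']}: ${row['cost_per_hour']:,.0f}/hour, "
              f"one outage costs ${row['single_outage_cost']:,.0f}, "
              f"control pays for itself after {row['break_even_hours']:.1f} hours")
```

Plug in your own headcount and loaded hourly rates; the point of the exercise is that even one incident a year with a few hours of downtime usually exceeds the purchase price, which is the argument Starr used to get the antivirus system approved.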
3. Use Others' Losses to Your Advantage
Even if your company has been spared significant damages from hacking or viruses, you can still get your executives' attention by showing them what's happened to unlucky companies. At Lawrence Livermore, for instance, Cooper's networks have been relatively unscathed by intrusion. The same isn't true at some of the Department of Energy's other facilities, particularly the Los Alamos National Laboratory, where computer security has been embarrassingly lax. These problems have been to Cooper's advantage. "With the problems DOE has had, I've had no problem getting money for computer security," Cooper says. Indeed, his security budget has grown from $US2 million to $US18.5 million in just two years, as the lab has standardised and bolstered network security efforts, brought new secured systems online, and built a staff of security specialists.
4. Put It in Legal Terms
Just as corporate officers are accountable for protecting their businesses' financial assets, so are they responsible for maintaining critical information. According to Adams of IDefense, attorneys and boards of directors are very receptive to the argument that they have a fiduciary responsibility to detect and protect areas where their information assets might be exposed.
"Business continuity is the best argument to use with these people," Adams says. "The cost of putting in security is very small in comparison to the cost of an attack. That's not too difficult to understand." Neither is market capitalisation, which can also be affected by publicised security problems. "Show how companies in your own industry have been hit and lost market cap because of it," urges Darbyshire of eSecurityOnline.com.
5. Keep It Simple
You don't need to dig a moat, install razor-wire fences or fortify the network with Mission Impossible-style security systems. Really, some of the best defences are simple: a firewall to protect the network, server protection to scan incoming e-mail and antivirus software installed on desktops. At a business of, say, 500 desktops, an enterprising CIO can probably batten down the hatches for $100,000 per year in hardware/software costs - not that much, considering the risk. Then reinforce these systems with user training that hammers home the basics: change passwords frequently, keep an eye on laptops and floppies, and don't open or forward unknown e-mail attachments that may carry deadly viruses. Most important to IS organisations: Back up your servers frequently so that you're never at risk of losing more than a single day's business data.
6. Hit 'Em Where It Hurts
This tactic probably falls under the category of "CIOs, don't try this at home", but remember Sam Howard, the pseudonymous CIO? His selective defence, allowing certain viruses to reach the desktops of certain senior executives, has had limited success. After months of wrangling, Sam was finally able to get his CFO to spring for a $60,000 e-mail backup server. And although Sam built a good business case for the server by showing how much it would cost if the e-mail server crashed and business was halted for any prolonged period, he thinks part of his success came because the CFO saw firsthand what a virus could do.
"The CFO now knows he didn't lose any time or business for the $60,000 spent on the server," Sam says, "and in fact he knows he could have lost maybe $800,000 in that same time without the backup." - T Field