BE ON GUARD

While many IT and business managers lie awake at night worrying about security, surprisingly few are doing enough about it.

Not only is data security management a full-time job (and then some) for the IT department, it is now keeping many senior business managers awake at night too. This is not just because they know their company brand, customer relationships and profits could be irreversibly damaged by a major security breach: they also now have to contend with ever-growing legal implications.

Being vulnerable to security threats means potentially falling foul of regulations such as the Data Protection Act and the US Sarbanes-Oxley Act. Indeed, many organisations fear it is not so much a case of if, but when they will find themselves in court because of lost or corrupted data resulting from hacking, fraud, a worm or virus, or simple human error.

This fear is justified, too. The key to being able to address any threat to the business is to know the enemy, so that you can guard against attack. The trouble with today’s data threats is that new ones are emerging all the time. No one can predict the form or medium these will take, which makes planning fixed defences almost impossible.

The real cost of poor security
According to the DTI’s Information Security Breaches Survey 2004:

• Two-thirds of UK businesses have suffered at least one premeditated or malicious incident, compared with just under half two years ago.

• It took 29 per cent of companies between two and 10 work-days to respond to their worst incident. However, some companies suffered incidents that took more than 50 work-days to address.

• The average cost of an organisation’s most serious security incident was roughly £10,000. In large companies, this was more like £120,000.

• Half of the incidents were due to virus infections – despite the vast majority of companies using antivirus software.

• Fewer than one third of all UK businesses have a formally defined and documented information security policy.

• Although adoption of wireless networks has mushroomed over the past two years, only half of networks have security controls in place.

The survey is conducted every two years and is widely considered the most authoritative source on the state of information security in the UK.

The key, then, is to remain vigilant, and to build as much agility and intelligence into your defences as possible. The most important thing to realise is that, managed properly, data security will always be a project without an end point. Despite what many believe to be adequate defences, the average UK business is still being hit by a security incident every month, while many larger organisations are affected as often as once a week, according to the DTI’s latest security survey.

This found that as many as 74 per cent of UK companies suffered a security incident in 2003 – rising to a staggering 94 per cent for large companies. Although this figure includes accidents such as system failures and data corruption, malicious incidents now greatly outweigh ‘accidents’, with 68 per cent of all companies (and 91 per cent of large businesses) suffering at least one malicious attack in the past year. (Most malicious attacks were caused by viruses or inappropriate use of IT systems by staff.)

Escalating costs

For large companies, the average cost to the business of a security breach was found to be £120,000, though, as high-profile media coverage has shown, costs can soon escalate to well above this conservative figure, depending on the disruption to the business’s activities (typically governed by the extent to which the company has used backup and contingency planning). The cost to UK businesses of security breaches is now believed to run into billions of pounds a year.

Security Standards
BS 7799, the British Standard for Information Security Management (its code of practice has since been adopted as ISO/IEC 17799), provides guidance on a list of baseline controls which should be implemented by any company that is serious about data security. The standard provides best-practice recommendations for information security management for use by those who are responsible for initiating, implementing or maintaining security. It is intended to provide a common basis for developing effective security management practices and to provide confidence in inter-company trading agreements and business partnerships.

Worryingly, in spite of these very real and sizeable risks, the DTI survey found that the average organisation is allocating just 3 per cent of its total IT budget to IT security today.

What’s more, only 12 per cent of the individuals responsible for a company’s security were aware of the contents of the BS 7799 standard for information security (see box) – a figure that has not increased in the past two years. (The DTI survey is conducted every two years.) This is despite attempts by the Government to encourage uptake of the security standard.

Business issue

So why isn’t the message getting through? “Security is still seen as an IT issue, and not a business issue,” says Chris Knowles, head of Computacenter’s security practice. “The risks are not being aligned to the business. Typically, the IT department will buy products and technologies such as anti-virus solutions, firewalls and intrusion prevention systems, without looking at how these will fit with the needs of the business. They think they are adequately covered, because they have bought a good spread of products, but, more often than not, this is creating a false sense of security.”

All too often, companies are taking a ‘one-size-fits-all’ approach, he explains. All data is being treated as equally valuable, when companies should really be looking at why they are protecting the data, and use this as their guide to what is required. For example, a list of customers and their account details is not only a highly valuable business asset, it is also subject to the Data Protection Act, so security considerations are vital. An internal service description, on the other hand, or information that is publicly available on the company’s website or in marketing brochures, is far less sensitive – if it gets into the wrong hands, does it matter?

Without classifying data, organisations risk frittering away their security budgets – and their IT people’s time. They also risk missing something important.

At the heart of the problem is a bigger issue – that companies are not approaching security strategically, as part of a coherent, all-encompassing plan. ‘Security’ is also being confused with data integrity protection and backup.

“There is a difference between valuable data that is operationally important and needs to be highly available, and that which is security sensitive,” Knowles says. “For example, it may be perfectly acceptable if it takes four hours to recover some data, as long as it remains encrypted. Classifying data in these terms is something that storage people do; we would argue that this categorisation now needs to be shared with those responsible for data security.”

Security champions

This extends beyond the IT department. To be given adequate budget and attention, and to be implemented to maximum effect, security needs to be championed by the highest powers in the company.

In the financial services industry, where data security is paramount for customer protection and regulatory compliance reasons, data security usually comes under the remit of a ‘risk’ manager. “Here, security is considered alongside compliance and business continuity, because the three disciplines are all inter-dependent,” Knowles notes. “The risk team will develop the strategy, then the IT department will execute it.”

Once an organisation has identified its most sensitive data, it then needs to establish how vulnerable it is. Who is it being exposed to? If the data is locked in a central system that is untouched by the Internet, it may be less open to attack than other company data, so this needs to be considered too.

“The key is to understand your particular risks, before you determine which security solutions are appropriate,” Knowles says. Working out the right balance is also important for ensuring that business operations aren’t slowed down by over-rigorous security measures – imagine how tedious it would be if every user was asked for one of many passwords each time they needed to access a different application or set of data.

Main threats

So what are the main threats in 2005? Clearly, email-borne worms and viruses can be highly debilitating to a business, corrupting systems and slowing operations down. Last year saw a number of major epidemics caused by email worms such as Mydoom, NetSky, Bagle and Zafi. Yet user vigilance about opening suspicious attachments has helped stem new outbreaks, as have a number of significant technology advances, such as the ability to detect worms in password-protected Zip files and to perform preliminary analysis of emails with executable attachments, which have helped halt new outbreaks in their early stages. Microsoft has also been working hard to ensure that patches are available for all known critical vulnerabilities in Outlook and Outlook Express.
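The two attachment checks just mentioned, as an added example in Python (not code from the article or from Computacenter): it flags executable attachments by extension and by the ‘MZ’ header, so a renamed .exe is still caught, and it reads only a zip archive’s central directory, so a password-protected archive can still be inspected for executable member names and reported as locked. The extension list, the sample messages and the hand-built zip are assumptions constructed for the demonstration.

```python
"""Flag e-mail attachments of the kind that carried the 2004 mail worms.

Added example, not code from the article or from Computacenter. It spots
executable attachments (by extension and by the 'MZ' header, so a renamed
.exe is still caught) and looks inside zip archives, password-protected
ones included, without extracting anything. All messages and payloads
are constructed for the demonstration; none is a real worm.
"""
import email
import email.policy
import io
import struct
import zipfile
import zlib
from email.message import EmailMessage

# Extensions Windows runs on double-click (assumed, deliberately partial list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
ZIP_ENCRYPTED_FLAG = 0x1   # bit 0 of the zip general-purpose flag field


def looks_executable(name: str, head: bytes = b"") -> bool:
    """True if the extension is executable or the content starts with 'MZ'."""
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in EXECUTABLE_EXTENSIONS or head[:2] == b"MZ"


def inspect_zip(data: bytes) -> dict:
    """Walk the central directory; open members only when not encrypted."""
    report = {"encrypted": False, "executables": [], "corrupt": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                encrypted = bool(info.flag_bits & ZIP_ENCRYPTED_FLAG)
                report["encrypted"] |= encrypted
                head = b""
                if not encrypted:          # encrypted members: judge by name only
                    with zf.open(info) as member:
                        head = member.read(2)
                if looks_executable(info.filename, head):
                    report["executables"].append(info.filename)
    except zipfile.BadZipFile:
        report["corrupt"] = True
    return report


def scan_message(raw: bytes) -> list:
    """Return the findings (strings) for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if looks_executable(name, data):
            findings.append(f"executable attachment: {name}")
        if data[:4] == b"PK\x03\x04":      # zip local file header signature
            zr = inspect_zip(data)
            if zr["encrypted"]:
                findings.append(f"password-protected archive: {name}")
            for member in zr["executables"]:
                findings.append(f"executable inside archive {name}: {member}")
    return findings


def build_stored_zip(name: bytes, payload: bytes, encrypted: bool = False) -> bytes:
    """Hand-built one-member STORED zip (constructed sample). zipfile cannot
    write encrypted archives, so the flag is set by hand and the payload left
    in the clear, which is all a header-only scanner needs to see."""
    flags = ZIP_ENCRYPTED_FLAG if encrypted else 0
    crc, n = zlib.crc32(payload) & 0xFFFFFFFF, len(payload)
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, 0, 0,
                        crc, n, n, len(name), 0) + name + payload
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags,
                          0, 0, 0, crc, n, n, len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


def make_message(filename: str, attachment: bytes) -> bytes:
    """Minimal message with one attachment (constructed sample)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.org", "victim@example.org"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


FAKE_PE = b"MZ" + b"\x00" * 62   # just the DOS-header magic, not a real binary

SAMPLES = {
    "plain_exe":   make_message("invoice.exe", FAKE_PE),
    "renamed_exe": make_message("holiday.jpg", FAKE_PE),
    "zip_exe":     make_message("docs.zip", build_stored_zip(b"readme.scr", FAKE_PE)),
    "locked_zip":  make_message("secret.zip",
                                build_stored_zip(b"photo.pif", FAKE_PE, encrypted=True)),
    "benign":      make_message("notes.txt", b"Minutes of the meeting\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:12s} {scan_message(raw) or ['clean']}")
```

The archive check deliberately never extracts anything: member names and the encryption bit come from the central directory, and only unencrypted members are opened, for two bytes. A real gateway would add nested-archive limits and a size cap before reading members, since an attacker controls the archive.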

Of course, this relies on companies being vigilant about downloading the latest patches as soon as these are available. According to at least one security specialist, more than half the PCs on the Internet today remain unpatched, leaving users open to viruses and other forms of malware. This suggests more education is needed.

What are the risks?
Analyst figures and high-profile news stories speak for themselves, but what could a security breach mean for your business?
  • System crashes and business downtime. A worm or virus infestation can bring down your system for a considerable time and take large amounts of resources and money to fix.
  • Data loss. Even if you have adequate backup, restoring an infected system could mean reverting to backups that are several generations old. So the chances are that you will lose valuable data as a result of an infection.
  • Waste of resources. A malware infestation can waste significant amounts of bandwidth and other IT resources.
  • Compromised data. There is a danger of your data being corrupted, maliciously altered or of confidential data being made public, leaving you exposed to legal action (civil and criminal).
  • Company reputation. Passing a virus to a customer, having your customers’ credit card details published on a website or messaging forum, or even simply being out of business for a short while because of an infection (which may be seen by customers and partners as lack of expertise and due diligence) could cause irreparable harm to your reputation and goodwill – never mind the impact on shareholders’ confidence.

Businesses of all sizes have a responsibility to take all possible steps to avoid such problems, with a watertight security strategy that includes continuous preventative actions. This needs to extend beyond technical solutions, to making users aware of the threats, and their personal responsibilities, and training them in the actions they should and should not take.

Critical scanning

Network worms that exploit Windows vulnerabilities pose a growing threat, making the scanning of network traffic critical. There has also been a substantial increase in security attacks associated with spyware (programs that surreptitiously monitor a user’s actions), instant messaging and phishing emails. Phishing, as many have learnt to their cost, is where an email, apparently from a legitimate source, attempts to scam the user into surrendering private information that will be used for identity theft.

Increasingly, Trojans are being distributed by phishing emails, along with key-logging programs that can send keyboard strokes to remote hackers. Knowles notes, too, that one of the most worrying trends today is the growth in organised crime, which means users on the inside of a company are potentially as much of a security threat as hackers on the outside. “Three to four years ago, security breaches meant teenagers creating worms from their bedrooms. Today, as cyber-crime takes over from physical crime, these activities are more sophisticated, and sinister.”

Speaking on a panel at the recent InfoSecurity Europe conference, Detective Inspector Chris Simpson of the Metropolitan Police Computer Crime Unit warned delegates that: “In the vast majority of cases, the culprits are current or former employees. They are not hacking into systems using flaws in software. Instead, they are using flaws in the security procedures of the company to carry out their attack.”

As an example, Computacenter’s Knowles points to the high-profile example of the attempted security attack on the London systems of the Japanese Sumitomo bank, where intruders tried to transfer money out of the bank via 10 accounts around the world, by recording keystrokes to steal passwords. This is a clear reminder that security policies must guard against too many staff being given access to highly sensitive data.

Mobile dimension

There’s a mobile dimension, too. Mobile viruses are on the increase, as malware writers turn their attention to mobile operating systems such as Symbian, while the whole issue of mobile and remote network access means organisations need to think beyond the physical company boundary when considering data security.

Typically this will require a multi-layered approach to security, involving network and application level access control as well as device-specific security measures. The long and the short of it is that comprehensive data security cannot be achieved easily – if, indeed, at all. Yet, approached with intelligence and common sense, as well as a sufficient budget – and the staff resources to monitor, manage and update the solutions that are appropriate to your particular business – organisations can go a long way in safeguarding the assets that underpin them. The dangers creep in when there is complacency or false confidence – or if the best policies in the world have been put in place, but are not communicated to the workforce.

“Security is a process issue, not a technology problem,” concludes George Anderson, IT security business development manager at Computacenter. “Success often means going back to basics. Companies’ IT infrastructures are so complex, so open and so wide-reaching today that you can’t simply build a fortress and assume no one will be able to get in. What organisations do need, however, is a holistic view of their security systems, services and policies, to ensure that there is no chink in their protection. And never forget that risks change, so unless you’re diligent, and address the changing risk scenario, you could be as vulnerable tomorrow as you were yesterday.”