Chapter 1. Introduction

As we have seen in Part 2, much can be done by individual users to secure their computers and the data stored on them. In small organizations, provisions for IT security may also be quite simple, with each person holding responsibility for his or her own computer and files. However, for somewhat larger groups, groups that are engaged in commercial transactions, or groups that maintain confidential data for customers or public citizens, the need to establish formal security policies and procedures becomes more important. When managers and their staff consider the issue of IT security, whether they are operating businesses, non-profit organizations, or government agencies, they will all have similar concerns. Each group will want a certain level of security for their data, procedures that are clear and easy for employees to follow, the ability to retain and build on knowledge of customer needs, and an understanding of how their security policy is faring in a given operational environment. In addition to these general needs, each type of organization has special concerns related to its mission and goals. Managers must emphasize information security policies in the appropriate context in order to pursue stated objectives effectively. It is also important to understand the costs involved with implementing good security practices. Security procedures and technologies are an investment and should be evaluated against the costs of potential losses; the practical recommendations in Part 3 are provided with an understanding of the rigorous cost-benefit analysis that is necessary in a resource-constrained environment.

Some Statistics on IT Security in Organizations

Ernst & Young's Global Information Security Survey 2003[35] reveals that 90% of organizations say information security is of high importance for achieving their overall objectives, and 78% identify risk reduction as the top influence on their information security spending.

These organizations are typically Fortune 1000 companies with substantial financial and personnel resources available to tackle challenging security-related issues. Even so,

- More than 34% of organizations rate themselves as less than adequate in their ability to determine whether their systems are currently under attack.

- More than 33% of organizations say they are inadequate in their ability to respond to incidents.

- Only 34% of organizations claim to be compliant with applicable security-driven regulations.

- 56% of organizations cite insufficient budget as the number one obstacle to an effective information security posture.

- Nearly 60% of organizations say they rarely or never calculate return on investment for information security spending.

- Only 29% of organizations list employee awareness and training as a top area of information security spending compared with 83% of organizations that list technology as their top information security spending area.

- Only 35% of organizations say they have continuous education and awareness programs.

These statistics illustrate that all organizations, no matter how large and seemingly well-off, feel the pressures, both psychological and financial, that come from threats to IT security. The chapters to follow focus on the priorities and concerns of small to medium-sized organizations, but it is useful to keep the Ernst & Young survey in mind as a symbol of the challenges faced across a range of business environments.

Small and Medium-Sized Businesses[36]

If you are running a small or medium-sized business, your top priorities are profitability, business continuity, sustainability, and customer service. SMEs are also bound by local, regional, or national laws and may be accountable to a range of authorities, depending on the business they are engaged in and the country's overall business environment. Security will be focused on protecting the enterprise and its customers from fraud and from costly malicious attacks on their systems and services. In addition to computer crime and network security, data protection is also important to SMEs and encompasses two main areas: protecting enterprise data from corporate spies or attackers, and protecting customer data, including credit card and transaction information.[37]

[35] http://www.ey.com/global/download.nsf/International/TSRS_-_Global_Information_Security_Survey_2003/$file/TSRS_-_Global_Information_Security_Survey_2003.pdf

[36] The definition of a small to medium-sized enterprise varies from country to country. In some cases, a single owner runs every aspect of a traditional business such as a farm stand or a grocery store; the owner may be the business's sole employee. In other cases, a few hundred people may be involved in a more complex enterprise focusing on consumer or technology products. In the developed world, technology-based startups are considered SMEs, but they may receive substantial funding from investment groups, grow rapidly, and ultimately be acquired by large corporations. Some highly successful SMEs issue stock and become large, publicly owned corporations themselves.

Non-profit Organizations

In non-profit organizations, managers and employees are focused on effectiveness in the field, coordination with communities and partners, and reputation. Systems may be widely dispersed and are often of lower quality because of the budget constraints of the non-profit world. In addition, the staff may be less experienced with technology and so will face a substantial challenge as they seek to provide uninterrupted service to their constituencies and maintain a positive image among their donors, overseers, and peers.

Universities

As with non-profits, budget constraints, dispersed networks, and a wide range of technological skill are present in university systems. Universities may face a greater number of internal threats, as students may find hacking the institution's systems an engaging pastime. In addition, universities may operate under a unique set of internal policies while also needing to comply with government regulations. In the university environment, personal data protection is extremely important, as student files contain much sensitive information, including identification numbers, health records, and academic transcripts. Attackers could steal, modify, or destroy such data, causing serious damage to the credibility and effectiveness of the university system.

Government Agencies

In government agencies, IT deployments may be assessed in terms of efficiency, ease of use, and the ability to link up with other departments and agencies as needed. While profitability is generally not relevant in the governmental context, agencies, like non-profits, are often subject to budget controls that limit their ability to acquire the latest in hardware and software security. At the same time, governments must be keenly focused on data protection, as their databases contain sensitive information on individuals, including personal identification, health, criminal, and tax records.

Unfortunately, even in industrialized countries, data protection in government agencies lags behind and suffers from antiquated systems, inadequate funding, and overworked staff who lack core competencies in IT security. Like businesses and non-profits, the government must be concerned with its public image after hacking incidents or other security breaches are brought to light in the media.

SMEs - Engines of Growth

In a recent report on IT in developing countries, the UNDP outlined some of the promises and challenges facing individuals and organizations in the information age.[38] The World Bank has been producing a series of reports on specific topics in information technology development and deployment.[39] Although the enterprise technology experiences of the industrialized world differ in some ways (scale, costs, knowledge base of the personnel), there are lessons to be drawn from their strengths and weaknesses in the area of IT security. Large enterprises are fewer in number and have specialized capabilities and deeper pockets. However, there are still tensions between Chief Security Officers as managers of cost centers, Chief Financial Officers as cost controllers, and other branches of the organization (Chief Information Officers, Sales and Marketing, production).[40] Without an overarching mandate to create a secure IT environment, each group could develop an approach to security driven by its own mission, goals, and operational targets. While these varied approaches might leave some areas over-secured and others under-secured, clear communication from top-level management will emphasize that sound security practices are aligned with the well-being of the organization. The technology policies and implementations required to operate a safe and secure system for the enterprise are a necessary part of meeting core business objectives effectively.

[37] In general, corporate spies are a concern in larger enterprises, or in enterprises producing high-tech products, where the intellectual property (patents, designs, source code) may have value if stolen. For enterprises engaged in commerce, eavesdroppers may be of greater concern than spies, though the actions they take are similar. In particular, a company should keep its accounting records, personnel information, and credit card transaction data safe from unauthorized access.

[38] See "Human Development Report 2001: Making New Technologies Work for Human Development" (UNDP: New York, 2001).

[39] See references at the World Bank site: www.worldbank.org and also research projects and products available at the IT Governance Institute (ITGI): www.itgi.org.

Small and medium-sized enterprises have fewer resources to deploy, a flatter management hierarchy, and a heavier reliance on the knowledge base of all employees. In SMEs, business processes may be more transparent than in a larger organization, and there are special security risks inherent in a structure where so much corporate information is out in the open for all employees to see. In businesses that are not focused on technology, there may be vulnerabilities to an employee or consultant who is more technologically savvy than the company managers. In a technology-focused company, there is the danger that critical intellectual property may be insufficiently protected from theft or destruction.

As a safeguard against such problems, all SMEs should conduct a complete review of their mission, goals, competencies, and information systems. If they are working in areas that may create security risks for others, developing emerging technologies, for example, they should examine the likely threats to their customers' security and develop mitigation plans. If they are working in areas that will face government scrutiny, offering products and services in telecommunications, for example, they should understand when and how they may be legally responsible for adhering to government mandates. An Internet Service Provider is an example of a business that runs both types of risk. By connecting customers to the Internet, it creates potential security risks for the customer's data and equipment, and by providing digital content and a means of communication, the ISP is subject to state and federal regulation. If one adds the capacity for e-commerce, the potential gains and attendant liabilities are substantial.

The Risks of Blended Threats[41]

Survey data from a range of respected sources illustrates an increase in the use of malicious code for egregious criminal purposes. Multiple reports generated in 2002 pertained to such things as: identity theft related to malicious code, web site defacements stemming from political motives, distributed denial of service attacks against specific organizational targets, and so on. Furthermore, the proliferation of blended threats poses serious risks for everyone on the Internet. These risks are not confined to a particular area, but threaten the entire global network. For example, the Klez worm family appears to have originated in Asia, with authorship attributions suspected in either China or Hong Kong. Asian countries are currently acquiring and making use of Internet connected computers at a rapid pace. Unfortunately, many of these computers are unprotected and their users do not understand basic safe computing practices. As a result, it is likely that areas of high technological growth, like China, will be exploited by attackers to spread viruses, worms, Trojans, and blends of all three around the world.

Current software tools offer a range of protection against malicious code, but they cannot offer full defense against all forms of attack. Embracing a multi-layered defense model, from both a technical and a human perspective, lowers the risk of a malicious code incident; it does not eliminate it. "Blended threats" like Code Red, Slammer, Klez, and Bugbear can leave networks compromised long after the initial outbreak. Many worms do not carry destructive payloads themselves; instead, they install back doors (trap doors) in computer systems, allowing easy and repeated network access for anyone familiar with them. Moreover, worms are, in some ways, more effective at disabling systems than viruses are, because they spread without any user action by exploiting vulnerabilities in commonly deployed software, such as web and database servers, mail clients, and web browsers.

[40] In larger technology companies, or in startups planning to grow rapidly, the management team is composed of individuals with specialized areas of business or technical expertise. These roles include, but are not limited to: Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Technology Officer (CTO), Chief Information Officer (CIO) and, increasingly, Chief Security Officer (CSO). There is also a range of Vice President positions in a typical corporation, including VPs of Marketing, Sales, and Business Development. While such a formal structure may not be necessary (or possible) in a smaller enterprise, it is useful to see how responsibilities are divided up in large firms and to note the growing importance of the CSO.

[41] See the 2003 World Bank paper "Blended Electronic Security Threats: Code Red, Klez, Slammer and BugBear" by Tom Kellermann and Yumi Nishiyama, listed at: http://wbln0018.worldbank.org/html/FinancialSectorWeb.nsf/SearchGeneral?openform&E-Security/E-Finance&Publications

Given this computing environment, users should educate themselves about the risks and take actions appropriate to their individual situations. When safe computing is practiced, the risk of a successful attack can be dramatically lowered, though it cannot be eliminated. Since the threat of deliberate computer sabotage is significant for organizations, it is important to examine the risks posed to individual security, including the risks associated with financial transactions and the new challenges posed by mobile computing platforms.

Advantages of IT and IT Management

In spite of the challenges, entrepreneurs and managers in the public and private sectors in developing countries are investing in new information and communication technologies, including e-mail, the Internet, wireless telephony, and business software, to assist in running their day-to-day operations. The advantages these new devices and services offer in efficiency, outreach, and cost savings are clear:

1. They improve business communications with customers, suppliers, and partners;

2. They enhance the ability to access large quantities of information quickly and cheaply; and

3. They provide a means to expand data protection and management capabilities, resulting in better record keeping for financial managers, better customer analysis for sales and marketing managers, and better production statistics for line managers.

However, as we have seen, these improvements are not without risk, both to physical assets and to less tangible information assets. Part 3 of this Handbook explores the IT security issues facing enterprises, large and small, in the developed and developing world. The sections are designed with a specific focus on actions to be taken by executives, managers, and employees in order to protect their systems, their customers, their suppliers, and other stakeholders in the enterprise. The checklists and procedural notes can easily be adapted for use in a non-profit or government agency context.

In addition to internal policies and procedures, some SMEs may choose to outsource their security needs. In the industrialized world, some experts say that outsourcing of non-core services like IT security has been the corporate strategy of the decade. In addition, some organizations have a specific interest in global security needs, particularly those of developing countries. As an example, ISACA, the Information Systems Audit and Control Association, has partnerships in 60 countries and provides case studies from various countries, and programs, all openly available.[42] ISACA also offers an audit and control framework for organizations, including checklists for outsourcing situations.

Whether conducted and controlled in-house or through outside vendors, developing and maintaining a strong security infrastructure, policies, and procedures is a balancing act for most enterprises. Executives, managers, and policy makers must weigh the risks and set a standard that balances the investment in security against the official objectives and bottom-line growth of the company. Once a company has achieved the desired level of security, management must not forget the importance of maintaining up-to-date systems and performing regular audits of the security plan. Changes in computer and networking equipment, from proprietary to Open Source software packages, for example, will require a complete review of the security blueprint. In short, security is an art form rather than a science, and requires the coordination of many creative thinkers to ensure its successful impact on an organization and on society as a whole.[43]

[42] For further information on the cases and programs, see the Information Systems Audit and Control Association at: www.isaca.org. One such study featured the country of Uruguay and may be of particular interest to readers of this handbook: http://www.isaca.org/ct_case.htm.

COBIT (http://www.isaca.org/cobit.htm) provides a reference framework on e-Security for management, users, and IS audit, control, and security practitioners. The latest communication from ISACA gives a good overview of current and future developments of the Association: Volume 8, 2003, of Global Communiqué (members-only document): http://www.isaca.org/@member/gcomm/gcv034.pdf

[43] Due to the rise in security incidents globally, a number of consulting firms have been producing reports on IT in an international context. See, for example, Ernst & Young's 2003 Global Information Security Survey: http://www.ey.com/global/download.nsf/US/TSRS_Global_Information_Security_Survey_2003/$file/TSRS_-_Global_Information_Security_Survey_2003.pdf

Copyright © 2003 The International Bank for Reconstruction and Development / The World Bank
