Businesses have always regarded security as an overhead rather than something that contributes to the bottom line. In some ways that is wise, after all there are enough impediments to getting the job done without creating more, but how many of Britain's captains of industry would endorse a policy of leaving all corporate premises unlocked twenty-four hours a day? Security is a fact of life and something which we all practise every day. We lock our doors when we leave for work, we remove valuables from view when we park our cars, and we don't leave our wallets lying around. In years to come this unconscious acceptance of security measures will extend to the digital world, but right now we are still getting used to the exciting new features and the ways we can exploit technology. Let's not put on the brakes and get left behind, right? Wrong.
The big players are already learning their lessons. We have witnessed hackers causing major damage to Yahoo!, Amazon and even space agency NASA. RSA Security, one of the largest in the security marketplace, was hacked days after unwisely stating that they had the silver bullet.
Security professionals divide threats – the people or things that are out to do us harm – in two ways. They are either internal or external, and either structured (deliberately targeted) or unstructured (targeted at the population in general). For example, computer viruses are classed as external unstructured threats and are becoming pretty familiar. Strangely, the very fact that we are not specifically targeted makes us feel much safer – "if I go down with the Love-Bug Virus so will everyone else". It's when we feel ourselves to be caught in the cross-hairs that we learn what fear is all about.
Words of advice
A few words of free advice then. If your organisation is already the target of political pressure groups; if you test drugs on animals; if you recover, refine and ship petrochemicals, then it cannot be long before your opponents consider the idea of electronic warfare. If you are part of the country's critical infrastructure, distributing power for the nation or running the national communications networks, then real-world terrorists, who in the past would use bombs and guns, may consider an electronic attack on your organisation a soft option. If on the other hand you are a straight sales and marketing set-up then you only have to worry about your own staff stealing your client lists, fraudsters purchasing goods with fake credit cards, your competitors penetrating your network for price lists, hackers bringing down your website prior to attempting extortion… OK, enough of the scaremongering. The good news is that security isn't always about spending a fortune on the latest black box. The security measures that we practise every day are the best start. Physical theft is still the most popular method of getting information, even if it does reside on computers. You wouldn't leave a thousand pounds in cash on your desk every night, so why not take some time to secure your PC? It's not just the hardware but also the disclosure of data that causes the greatest loss. Try to minimise the amount of data that is unnecessarily duplicated on multiple systems; once you have centralised your high-value data it's far easier to make backups, control access and deter theft.
Most executives, if asked, would probably say that their colleagues on the Board, along with their corporate lawyers and accountants, have the most privileged access to sensitive company data. WRONG! Systems administrators generally have access to all of the confidential material held by all of those previously mentioned. What is more, they are normally not bound by professional oaths, share option schemes or "golden handcuffs". They represent the single largest potential threat to an organisation, and yet in my experience very few companies run any form of extended vetting on applicants. Try it and you may, like some of my clients, be surprised by the results. Security vendors, and particularly those offering consultancy, design and management of countermeasures, should also be looked at closely.
Poacher turned gamekeeper
One recent trend has been to seek out the "poacher turned gamekeeper". Who better to employ than an ex-hacker to recommend, maintain and test the security of your network? Well, it sounds good when put that way. How about if we rephrase it as: 'I entrust the security of my network to a convicted criminal whom I know to be highly technically skilled and otherwise unemployable. Oh, and by the way, I give this person privileged access to confidential information about the structure of the network and the placement of the most valuable data.' Hmm, maybe not the best idea after all.
It's now Y2K and our technological future is spread out before us. But rest assured, as e-commerce, e-business and e-everything else continue to proliferate, the security risks will grow accordingly. The more we rely on these systems to live our lives, the more we need to protect them. Think carefully: how secure is your network?
Source: SMT

Postscript: Philip Ryan is head of information security consulting with Peapod Professional Services.