
CFO Magazine, October 2004 issue

The Enemy Within

When it comes to combating worms, Trojan horses, and viruses, technology alone is not enough.

October 1, 2004

Back in the 1950s, when Pitney Bowes was in the uncomplicated business of supplying postage meters to U.S. corporations, the company's big security concern was relatively pedestrian: now and then, somebody's relative would walk off with a meter machine.

Over the past 50 years, risk management at Pitney Bowes has undergone a slight bit of scope creep. Now a $4.6 billion (in revenues) mail-and-document-management specialist, the Stamford, Connecticut-based company provides, among other things, electronic billing, invoicing, and statement presentation for thousands of corporate customers. Last year alone, Pitney Bowes processed more than $14.5 billion in electronic postal payments.

While the move to E-document management has opened up whole new revenue streams for Pitney Bowes, it has also opened up a Pandora's box of operational risks. And those risks strike at the very heart of the company's 21st-century business model. "Unless we can give customers confidence about the security of our network," says CFO Bruce Nolop, "we don't have the ability to execute our business strategy. We might as well call it a day."

Shareholders tend to take a dim view of calling it a day. Hence, Pitney Bowes deploys state-of-the-art firewalls, software, and encryption algorithms to fend off network invaders. But despite sizable investments in network security, managers at the company have come to a rather startling conclusion. Says Nolop: "We've learned that an employee culture about security is just as important as security software — if not more so."

Surprising stuff, but spot on. The truth is, the recent string of damaging denial-of-service worms, Trojan-horse scripts, and E-mail viruses has amply demonstrated the limitations of network security systems. The numbers tell the tale. Investment in IT security was up 16 percent last year, says UBS security-software analyst Dan Cummins in a recent report, yet Herndon, Virginia-based consultancy TruSecure Corp. says companies spent 23 percent more fixing infected machines. TruSecure reckons that a record 108 of every 1,000 corporate computers were hit by a virus in 2003. This year, fast-spreading digital pathogens MyDoom, SoBig, and Klez have inflicted an estimated $75 billion in damage.

The trail of destruction left by malicious code has driven home a simple point: human error can undo almost any firewall or safeguard. Chris Byrnes, a research director at tech consultancy The Meta Group, believes using technology to combat technology is only 20 percent of the solution. "If you look at the most common [computer] security failure in Corporate America today," says Byrnes, "it's the employee who clicks on an attachment in an E-mail that infects his machine that then infects the entire corporate network."

Patching that vulnerability has become a top priority of late for many companies. In some cases, the fixes are remarkably simple. For example, a few senior managers, spooked by "malware" that targets vulnerabilities in Microsoft's Internet Explorer, now advise employees to use browsers that are less attractive to virus writers. Still others have formulated companywide policies for computer-security procedures, fining workers who fail to follow the rules. More effective yet, a few corporations have begun to enroll employees in security-awareness training programs — and then test those workers to see if the lessons have been absorbed. Says Richard Mogull, research director at technology research firm Gartner: "You want to turn your employees into security assets, not security liabilities."

True Artisans
This emphasis on the users of computers — rather than the computers themselves — can lead companies down some peculiar paths. For example, Chicago-based Rewards Network, a loyalty and rewards program, hired Intense School, a Fort Lauderdale, Florida-based company that offers security-awareness training. The twist? The classes are taught, in many cases, by former so-called black hats — onetime hackers who now use their powers for good.

Rewards Network CIO Mario Cruz says the training appears to be paying off. In June, Cruz hired Intense School's consulting arm, Knowledge Shield, to see if the lessons had made an impression on employees. The IT consultancy performed ethical social-engineering testing — that is, the manipulation of workers (aka lying to them) to gain unauthorized access to IT systems or electronic information.

The ploy: a man called the company's help desk claiming he was a remote worker and saying he had lost his password. The caller even offered personal details, including particulars about his children and his Social Security number. Remarkably, all but one employee referred the caller to security.
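The help-desk pretext described above, as an added example that is not part of the original article and not Rewards Network's, Intense School's or Knowledge Shield's own procedure: a weak verification routine that accepts the caller's volunteered details as proof of identity, beside a hardened one that ignores anything the caller supplies and verifies only by callback to the number HR already has on file. The employee directory, the user ID jsmith, the phone numbers and the two call records are constructed for illustration.

```python
"""Help-desk password-reset verification: the weak procedure a pretext caller
counts on, beside a hardened one.  Added example; the directory, user id,
phone numbers and call records below are constructed, not real data."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple
import secrets


class Outcome(Enum):
    PASSWORD_RESET_OVER_PHONE = "new password read to the caller"
    TOKEN_SENT_TO_NUMBER_ON_FILE = "one-time reset token sent to the number HR has on file"
    REFERRED_TO_SECURITY = "no reset; caller referred to security"


@dataclass(frozen=True)
class Employee:
    user_id: str
    phone_on_file: str      # recorded by HR at hire; the caller cannot change it on this call
    remote_worker: bool


@dataclass
class Call:
    claimed_user_id: str
    volunteered: frozenset                        # kinds of detail offered unprompted, e.g. {"ssn", "children"}
    callback_number_offered: Optional[str] = None  # a number the caller asks to be called back on


# Constructed directory standing in for the HR system of record.
DIRECTORY = {
    "jsmith": Employee("jsmith", "+1-312-555-0100", remote_worker=True),
}

# Details an outsider can obtain (public records, breach dumps, a chatty co-worker);
# reciting them proves nothing about who is on the line.
DISCOVERABLE = frozenset({"ssn", "children", "date_of_birth", "home_address", "manager_name"})


def weak_verify(call: Call, directory=DIRECTORY) -> Tuple[Outcome, Optional[str]]:
    """The procedure the pretext is designed to exploit: a caller who can recite
    enough personal detail is believed and gets a password over the phone."""
    emp = directory.get(call.claimed_user_id)
    if emp and emp.remote_worker and call.volunteered & DISCOVERABLE:
        return Outcome.PASSWORD_RESET_OVER_PHONE, secrets.token_urlsafe(12)
    return Outcome.REFERRED_TO_SECURITY, None


def hardened_verify(call: Call, audit: list, directory=DIRECTORY) -> Tuple[Outcome, Optional[str]]:
    """Never let the caller supply the proof.  Verification is a callback to the
    number already on file; volunteered identifiers and caller-chosen callback
    numbers are recorded as pretext indicators and the call goes to security."""
    emp = directory.get(call.claimed_user_id)
    flags = []
    if emp is None:
        flags.append("unknown user id")
    offered = call.volunteered & DISCOVERABLE
    if offered:
        flags.append("caller volunteered discoverable identifiers: " + ", ".join(sorted(offered)))
    if call.callback_number_offered and (emp is None or call.callback_number_offered != emp.phone_on_file):
        flags.append("caller asked for callback on a number not on file")
    if flags:
        audit.append({"user": call.claimed_user_id, "outcome": "referred", "flags": flags})
        return Outcome.REFERRED_TO_SECURITY, None
    # Even a clean request gets nothing over the phone: the token goes to the
    # number on file, so only someone holding that phone can use it.
    token = secrets.token_urlsafe(12)
    audit.append({"user": emp.user_id, "outcome": "token_to_phone_on_file", "channel": emp.phone_on_file})
    return Outcome.TOKEN_SENT_TO_NUMBER_ON_FILE, token


# The pretext call from the text: claims to be a remote worker who lost his
# password, volunteers his children's names and his Social Security number,
# and asks to be called back on a number of his choosing (constructed).
PRETEXT_CALL = Call("jsmith", frozenset({"ssn", "children"}), callback_number_offered="+1-305-555-0199")
# A genuine lost-password call from the same user, offering nothing but the id.
GENUINE_CALL = Call("jsmith", frozenset())

if __name__ == "__main__":
    log = []
    print("weak:    ", weak_verify(PRETEXT_CALL)[0].value)
    print("hardened:", hardened_verify(PRETEXT_CALL, log)[0].value)
    print("hardened:", hardened_verify(GENUINE_CALL, log)[0].value)
    for entry in log:
        print(entry)
```

The point of the hardened path is that the one employee who would have been talked round has no password to hand over: the only thing the desk can issue is a token sent to a channel the caller does not control, and the audit entries are what a security team reviews after a test like this one.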

Then again, one lapse is all an intruder needs, which may explain why hackers are increasingly turning to social engineering to gain access to network systems. "I watch these public lists of social-engineering attacks day in and day out," reports Art Manion, an Internet security analyst at the Computer Emergency Readiness Team Coordination Center, a Pittsburgh-based organization that publishes information on security incidents. "In the past six months, there has been a noticeable spike in their number."
