Visiting Asia on business trips, Robert Clyde used to find computer systems security to be a tough sell. While the rest of the corporate world accepted that the greatest threat to corporate information systems lay within — among disgruntled and dishonest employees — this region’s business leaders were convinced it wouldn’t happen to them. “They felt that cultural mores would prevent employees from harming their employer,” he recalls, adding: “To an extent, they were probably right.”
These days, that’s a dangerous attitude. “No geographies are immune to Internet attacks because you don’t have to be in a particular geography to launch one,” says Clyde, who last year took over as chief technology officer at US-based Symantec, the world’s largest security software provider. Clyde’s new role places him at the vanguard of information security at a precipitous moment. In 2001, the number of intrusions perpetrated on companies by outsiders overtook those committed by people on the payroll. At the same time, the incidence of cybercrime grew exponentially, not just in line with the growth of Internet usage generally. The proliferation of worms such as Code Red and Nimda is evidence of that.
Apart from being the source of viruses that have wreaked havoc on a global scale, Asia has its own set of problems. A 2001 survey into security threats and management issues in Asia undertaken by Pinkerton, a US-based consultancy, found business espionage and threats to intellectual property to be of particular concern in this region. What’s more, the survey found employee fraud and theft at all levels was indeed a growing problem. “This can reach epidemic proportions in countries where cultural differences often result in views on ethics and standards that vary from those held in the West,” the report said.
And if hackers have always been a part of the high-tech milieu, the days of the gentleman hacker are well and truly over. “The idea of the original hacker was look, but don’t touch,” says Clyde. “They would break in, look around, didn’t do any damage but maybe sent a message to the system administrator.
“Nowadays, people are definitely interested in taking down the network,” he says. What’s more, just about anyone with time and a motive can manage it. Clyde says the “democratization” of hacking has been aided by the advent of simple “click-and-hack” programs. By Symantec’s count, wannabe hackers can turn to any one of more than 30,000 hacker-oriented Web sites for guidance, giving social activists a new vent — “hacktivism.”
Where in the World
Clearly, the events of 9/11 raise fears that terrorists might bring the Internet to its knees. “I firmly believe that not only is the threat of a cyber attack real, but the first phase is already under way,” says Mark Fabro, president and chief scientist at Terrasec, an information security consultancy based in Toronto. Fabro says the intrusion detection logs of large multinational corporations “show precise data-gathering operations in which outsiders are looking at network structure, points of weakness, and infrastructure locations of weak security.” Since 1998, three global scanning projects have been sponsored by “rogue” nations, he says.
Yet many businesses remain alarmingly complacent. Studies show the typical company spends barely 5 percent of its IT budget on security. “Not only is that not enough, but the money itself is not being spent on a dedicated line item called ‘security,’ ” Fabro says. Only when security is a dedicated line item in the budget does management recognize it, he maintains, adding that if companies are serious about information security, the figure should be more like 15 percent. The Pinkerton study, albeit conducted before 9/11, found barely half of companies in Asia planned to increase expenditure on security in the next three to five years.
Given the potential for damage, it’s easy to argue in favor of increased investment. Symantec’s Clyde reckons just 10 to 15 percent of cybercrime is ever reported because it makes for bad PR. Still, various groups have tried to identify the cost. In 2001, the US-based Computer Security Institute, working with the FBI, found that the average loss of the 600 respondents was US$13 million, up considerably in recent years. Information Week magazine and PricewaterhouseCoopers estimate the total annual loss of security breaches and virus attacks, including downtime and recovery efforts, to be US$1.6 trillion.
Know Thyself
Companies should apply the same kind of measured approach to security that they did for Y2K, the experts say. This entails taking a fine-tooth comb to the entire infrastructure — firewalls, routers, applications, operating systems, Web applications and databases — in a search for weak spots. Often, a successful attack takes advantage of a service or function inside the server that is never or only rarely used. Fabro says this “additional functionality” should be removed, and the operating system secured so attackers cannot penetrate the system.
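The audit Fabro describes starts with an inventory of what each server actually exposes, compared against what its role requires. The following script is an added illustration of that check, not code from the article or from Terrasec: it parses a constructed sample of `ss -tlnp` output (a hypothetical public web server; the listeners, process names and PIDs are made up for the example) and reports every listening service that falls outside an assumed baseline of allowed network-facing and loopback-only ports. Each finding is a piece of the "additional functionality" the text says should be removed or bound down.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` output for a hypothetical public web server.
# This is made-up data for the example, not output captured from any real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1301,fd=6))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1301,fd=7))
LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*         users:(("mysqld",pid=1450,fd=21))
LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=1502,fd=6))
LISTEN 0      50     0.0.0.0:21          0.0.0.0:*         users:(("vsftpd",pid=1603,fd=3))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""

# Assumed baseline for the "public web server" role: ports that may accept connections
# from the network, and ports that may listen on loopback only. Anything else is
# "additional functionality" that should be removed or bound to loopback.
ALLOWED_PUBLIC_PORTS = {22, 80, 443}
ALLOWED_LOOPBACK_PORTS = {6379}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str


def parse_ss(text):
    """Parse `ss -tlnp` output into Listener records; the header line is skipped."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rsplit on the last colon keeps IPv6 literals such as "[::]:22" intact.
        addr, port = fields[3].rsplit(":", 1)
        m = re.search(r'\(\("([^"]+)"', fields[5]) if len(fields) > 5 else None
        listeners.append(Listener(addr, int(port), m.group(1) if m else "?"))
    return listeners


def is_loopback(addr):
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def audit(listeners, allowed_public=ALLOWED_PUBLIC_PORTS,
          allowed_loopback=ALLOWED_LOOPBACK_PORTS):
    """Return (port, process, address, reason) for every listener that breaks the baseline."""
    findings = []
    for l in listeners:
        if is_loopback(l.addr):
            # Loopback listeners are fine if the role expects them there (or anywhere).
            if l.port not in allowed_loopback and l.port not in allowed_public:
                findings.append((l.port, l.process, l.addr, "unexpected loopback service"))
        elif l.port in allowed_loopback:
            # Expected service, but reachable from the network when it should not be.
            findings.append((l.port, l.process, l.addr, "should be bound to loopback only"))
        elif l.port not in allowed_public:
            findings.append((l.port, l.process, l.addr, "unexpected network-exposed service"))
    return findings


if __name__ == "__main__":
    for port, proc, addr, reason in audit(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"{addr}:{port} ({proc}): {reason}")
```

On the sample data the script flags the database (3306) and FTP daemon (21) as exposed services the web-server role never asked for, and stays quiet about Redis because it is already confined to loopback. On a real host the baseline belongs in version control next to the build, so that a new listener shows up as a diff rather than as a surprise.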
Above all, companies should make sure that they bring plenty of human intelligence to bear. “Careful inspection of the frequency, type and source of attacks can lead to insights that the intrusion detection software can’t provide,” says Fabro.
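Fabro’s point, and the “precise data-gathering operations” he describes earlier, come down to looking at the shape of the traffic rather than its volume: one source touching many ports on one host is enumerating services, one source touching one port on many hosts is mapping the network. The script below is an added example of that inspection, not code from the article or from Terrasec. It runs over a constructed firewall deny log in a simple format invented for this example (addresses are from the RFC 5737 documentation ranges, not real traffic), aggregates events by source, and separates the two reconnaissance patterns from ordinary noise. The thresholds are assumptions and would need tuning against a site’s normal traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall deny log in a generic "<timestamp> DENY <proto> <src>:<port> -> <dst>:<port>"
# shape made up for this example (not any vendor's format). Addresses come from the
# RFC 5737 documentation ranges; none of this is captured traffic.
SAMPLE_LOG = """\
2002-03-14T02:15:01Z DENY TCP 203.0.113.7:41022 -> 192.0.2.10:21
2002-03-14T02:15:01Z DENY TCP 203.0.113.7:41023 -> 192.0.2.10:22
2002-03-14T02:15:02Z DENY TCP 203.0.113.7:41024 -> 192.0.2.10:23
2002-03-14T02:15:02Z DENY TCP 203.0.113.7:41025 -> 192.0.2.10:25
2002-03-14T02:15:03Z DENY TCP 203.0.113.7:41026 -> 192.0.2.10:80
2002-03-14T02:15:03Z DENY TCP 203.0.113.7:41027 -> 192.0.2.10:110
2002-03-14T02:15:04Z DENY TCP 203.0.113.7:41028 -> 192.0.2.10:143
2002-03-14T02:15:04Z DENY TCP 203.0.113.7:41029 -> 192.0.2.10:443
2002-03-14T03:40:10Z DENY TCP 198.51.100.44:52001 -> 192.0.2.10:1433
2002-03-14T03:40:12Z DENY TCP 198.51.100.44:52002 -> 192.0.2.11:1433
2002-03-14T03:40:14Z DENY TCP 198.51.100.44:52003 -> 192.0.2.12:1433
2002-03-14T03:40:16Z DENY TCP 198.51.100.44:52004 -> 192.0.2.13:1433
2002-03-14T03:40:18Z DENY TCP 198.51.100.44:52005 -> 192.0.2.14:1433
2002-03-14T03:40:20Z DENY TCP 198.51.100.44:52006 -> 192.0.2.15:1433
2002-03-14T04:02:00Z DENY TCP 192.0.2.55:33100 -> 192.0.2.10:443
2002-03-14T04:02:05Z DENY TCP 192.0.2.55:33101 -> 192.0.2.10:443
2002-03-14T04:03:11Z DENY TCP 192.0.2.55:33102 -> 192.0.2.10:80
"""

LINE_RE = re.compile(r"^(\S+) DENY (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")

# Assumed thresholds; tune them to the site's normal traffic before trusting the output.
MIN_PORTS_FOR_SCAN = 6    # one source probing this many ports: vertical scan (service enumeration)
MIN_HOSTS_FOR_SWEEP = 5   # one source hitting this many hosts: horizontal sweep (network mapping)


def summarize(log_text):
    """Aggregate deny events per source: hit count, distinct targets, first and last seen."""
    per_src = defaultdict(lambda: {"hits": 0, "ports": set(), "hosts": set(),
                                   "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines in another format are skipped rather than guessed at
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        src, dst, dport = m.group(3), m.group(5), int(m.group(6))
        s = per_src[src]
        s["hits"] += 1
        s["ports"].add(dport)
        s["hosts"].add(dst)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return per_src


def classify(per_src, min_ports=MIN_PORTS_FOR_SCAN, min_hosts=MIN_HOSTS_FOR_SWEEP):
    """Return (source, verdict, detail) for sources whose pattern, not just volume, stands out."""
    findings = []
    for src, s in sorted(per_src.items()):
        span = int((s["last"] - s["first"]).total_seconds())
        if len(s["ports"]) >= min_ports:
            findings.append((src, "port scan",
                             f"{len(s['ports'])} ports on {len(s['hosts'])} host(s) in {span}s"))
        elif len(s["hosts"]) >= min_hosts:
            findings.append((src, "host sweep",
                             f"{len(s['hosts'])} hosts on port(s) {sorted(s['ports'])} in {span}s"))
    return findings


if __name__ == "__main__":
    for src, verdict, detail in classify(summarize(SAMPLE_LOG)):
        print(f"{src}: {verdict} ({detail})")
```

On the sample the internal host 192.0.2.55, with three denies to two web ports, is left alone, while 203.0.113.7 is reported as a port scan and 198.51.100.44 as a sweep for SQL Server across six hosts. That distinction, which a raw count of denied packets per source would miss, is the kind of insight the quote above says the detection software alone does not hand you.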
That may motivate more companies to create the position of chief information security officer, a growing trend among security-conscious companies. Some 65 percent of respondents to the Pinkerton study said their company had a security manager overseeing the Asia Pacific region. Yet 35 percent of them rely on someone who is based in the US or Europe to oversee Asia from afar. Now might be the time to bring them back in from the cold.
Adam Lincoln is executive editor of CFO Asia in Hong Kong. Additional reporting by Esther Shein of CFO.com in New York.
What’s It Worth?
How much a company should spend on security depends on the nature of its business. A system that executes financial transactions has a lot more at stake than an informational Web site; spending must be in line with the risk — a price range as long as a piece of string.
But even technologists like Robert Clyde, chief technology officer of US-based Symantec, the world’s largest security software provider, and Mark Fabro, president and chief scientist at Terrasec, an information security consultancy based in Toronto, concede that technology cannot do the job by itself.
Firewalls, VPNs and the emerging breed of intrusion detection and user authentication systems are well and good, but as more companies use the Web to hook up with suppliers, employees and customers, security education and awareness demand equal attention. That process must extend from the IT department — easily distracted by day-to-day concerns like keeping a network up and running — through all levels of the organization.
Symantec’s Clyde says that companies such as Microsoft, Sun, Hewlett-Packard, and IBM have done a good job at coming up with “patches” when they’ve found bugs in their operating systems or Web server software. Problem is, many servers aren’t installed properly in the first place, or companies fail to keep up with the patches.
CFOs who don’t know where to start are best advised to look for a trusted outsider to handle the job. A recent Pinkerton report acknowledges the emerging role of outsourcing as a viable security option. Says the study: “Outsourcing can increase the bottom line without compromising an organization’s security programs and procedures.”