Security surveys spring crop


Stephen Hinde, IS Audit Editor

What does the latest round of IT security surveys have to tell us? Stephen Hinde samples, savours and pronounces.

Having digested this year’s crop of computer security surveys I had a queasy feeling of déjà vu. Once again the after-taste was one of underinvestment in security technology and processes.

The DTI Survey explored the issue of internal and external threat, and the oft-quoted statistic that most IT security threats are internal. This is no longer so. The results of this survey and supporting evidence from the CBI Cybercrime and the Computer Security Institute/FBI Surveys of 2001 suggest that the changing technology environment, with its greater connectivity and globalization, has seen the major threats migrate from internal to external. The latter two surveys put the external threat in the 70-75% range and the internal threat at 25-30%. Respondents to the new Ernst and Young survey were also more concerned about external attacks (57%) than internal (41%).

Respondents to the Ernst & Young Survey indicate significant gaps in security management around critical business systems and data, despite awareness and recognition of the threats. However, the KPMG Survey noted that most respondents were taking reasonable steps to protect themselves. Having said that, some 87% of the KPMG respondents had suffered some security breach during the year. The DTI Survey reported that 44% of UK businesses have suffered at least one malicious security breach in the past year and 80% of organizations classified at least one of their breaches as serious. On the positive side, all three surveys found a greater acceptance by senior management that information needs to be protected. The prime driver for this Damascene conversion appears to have been the lack of consumer confidence in the privacy and security offered by e-commerce and the Internet, especially with respect to credit card details. But, and this is a great but, although many organizations have taken significant steps to address some of the issues, there is a perception that these actions are failing to keep pace with the changes in technology and with the ever changing and expanding threat portfolio. Organizations could, therefore, be placing a wholly inappropriate degree of reliance on some less than effective security activities to provide corporate protection. The piecemeal approach seems to have extended to the concerns about the sources of threats. Perhaps because external hackers and security breaches continue to hit the headlines, organizations see the external threat as of greater concern than the internal.

310

0167-4048/02US$22.00 ©2002 Elsevier Science Ltd

External threats

The most common external security breach according to the DTI Survey is virus/worm and distributed denial of service attack (41% of businesses this year compared with only 16% last year). The KPMG survey also reported that 61% of their respondents had experienced virus attacks and 14% a denial of service incident. Unauthorized access to sites had also increased over the year from 4% of businesses to 14% in the UK Survey and 12% in the KPMG Global Survey. The increase reported was mainly due to a surge in website hacking attacks. Other less common, but significant problems quoted were theft of IT equipment, email spamming and misuse of email.

Internal threats

Having said that the threat risk is migrating from internal to external, the internal risk is still of concern to organizations. In addition to published data suggesting a very high level of attacks originate from within an organization, we are in a period of economic uncertainty. Difficult economic climates usually see greater motivation for individual gain, and risk of frauds or sabotage by employees. There is also the disaffected employee to consider, who may simply want to cause damage to an organization and its reputation. An informal survey of attendees at the RSA 2002 Conference found that a staggering 91% of them break their own company security policies. And these are the computer security professionals! If they do not follow best practice, what hope is there of ordinary employees, who lack an understanding of all the risks, complying? The results of this informal survey illustrate the need for organizations to protect their email systems with application level security measures, since internal threats cannot be prevented by network-level protection. With such a high percentage of attendees willing to break their own company security policies, it’s no wonder that viruses and worms still pose a threat to organizations and the Internet. The survey also found that policies are violated at every level. In fact, a quarter of respondents said that it was someone at the CEO/CIO level who launched Code Red and/or Nimda within their organization. The best way to protect your corporate email system is to truly understand how it is being used. If your email security is being threatened from within your organization, network-level defences, such as corporate firewalls, just will not provide adequate, or effective, protection. In addition to security at the network level, organizations should implement application level defences that are designed to protect the email system from both internal and external threats.

The E-world

Securing IT infrastructures is a task that can have no international boundaries. The Ernst & Young Survey shows that there are troubling disparities around the world in the vigilance placed on managing the security risks of network systems and that is something that should be a major concern for organizations operating in today’s global economy. It also examined the impact of increased IT connectivity and forecast that financial and reputational risk will increase as connectivity increases. Indeed nearly two thirds of respondents expected to experience greater vulnerability as connectivity increases. Furthermore, the global economic uncertainty poses new risks that companies must quickly identify and address. Respondents to their survey indicated that significant gaps exist in security management around critical business systems and data, despite an awareness and recognition of the threats. Their conclusion is that while information security has become a major concern for companies around the world, approaches to the risks are inconsistent and often insufficient. The DTI Survey found that British businesses’ enthusiasm for doing business on the Internet is not being backed by the appropriate security measures. The upshot of this failure of protection is that customers’ personal data and commercially sensitive information are exposed. A European Survey by Orthus to demonstrate the availability and ease of access to wireless networks and quantify the associated security issues and vulnerabilities found that European businesses are inviting cyber attack from hackers and crackers by failing to secure their wireless computer networks. Of the 1639 networks identified in 10 major cities, 69% were found to be “leaking” their data and sensitive information into the streets from their organization wireless networks because they were broadcasting unencrypted traffic and 43% of the networks identified were still on the default settings!

The research clearly demonstrates that European companies turning to wireless networks for reasons of costs, flexibility and performance are neglecting to properly secure them. They are not even enabling basic manufacturer security settings and needlessly exposing their systems to “drive by hacking” — where a hacker can literally sit in a car outside of an office building and easily monitor and capture data as it travels over the wireless system.

Stephen Hinde, FCA, FIIA, MIIA, is currently Information Protection Manager for the BUPA Group. Prior to joining BUPA, Stephen was Head of Internal Audit, UK & Europe for Fosters Brewing Group and held senior positions in audit with Unilever, Brooke Bond Group and Rediffusion Group. Stephen qualified with KPMG before moving to Ernst & Young. Stephen is editor of Information Systems Auditor, and was the founding editor of Computer Audit Update in 1988. Stephen is a Past President of the Institute of Internal Auditors - United Kingdom and Ireland. He currently is, or has been, chair or member of various computer audit and computer security, research, education or training committees of the Institute of Chartered Accountants in England and Wales, of the Institute of Internal Auditors – United Kingdom and Ireland, of the Institute of Internal Auditors Inc., and the European Confederation of Institutes of Internal Auditing. He currently is Secretary of the United Kingdom Information Security Forum. Stephen has lectured around the world and written books and articles on computer security, data protection, and computer audit.

Take the opportunity to examine your own organization’s information security strategy. Is it business risk-based? Or is it technology driven? Is there a synthesis of technology protection and procedural processes that afford effective, efficient and economic protection? If you do not have a strategy, now is the time to act.

The Black Box syndrome reigns supreme?

There is a perception from the surveys that information security is still widely regarded as a technical issue, not a business issue, resulting in technology solutions without supporting business processes. The corollary of this is that, being regarded as a technical issue, it is left to the IT department alone, resulting in:

• implementation of the ‘bottom layer’ alone
• technology solutions without supporting business processes
• ‘point solutions’ such as firewalls or virus protection that give senior management a false sense of security.

The result is a perception that the organization is adequately protected, when in reality significant technical investments are undermined by:

• inadequate business processes
• lack of awareness or training
• third-parties and business partners
• absence of testing and assurance processes

This fundamental gap could potentially cause organizations to prepare inadequately for threats that are increasingly sophisticated and rapidly changing. As I said with respect to Corporate Governance in my last article, the ‘Tone at the Top’ is crucial to the success of any policy. If the senior management believes that computer security is purely a technical issue they will never fully understand the nature of the beast, nor will they stand any chance of having effective counter measures.

The Weakest Link

One of the most overused clichés in the computer security field is a variation of the 19th Century proverb — computer security is only as good as the weakest link. The problem for most organizations is identifying what or where the weakest link is. And, of course, this may vary with time — what is a security strength when designed may become a security weakness. The conclusion in the KPMG Survey is ‘Look for the Weakest Link’. It highlights, as does the DTI Survey, the impact of the world of E-business and extended enterprises, which mean that there are no effective geographical, organizational, or jurisdictional boundaries. This means that if levels of Internet protection are not applied equally and everywhere, the weakest link will expose all others in the chain to attack. The KPMG Survey concludes, “Because of the weakest link, because organizations are not as well protected as they think they are, because significant regional and market sector variations exist in levels of protection and because few organizations measure and report on security performance, millions of dollars are lost each year in security incidents. And down the drain with those dollars go customer confidence, the trust of business partners and opportunities that may never occur again.” The most important factor for reducing an enterprise’s overall risk profile is to proactively manage a firm’s complete security agenda. Ernst & Young consider this should encompass three critical security aspects:

• organizations must first develop systems and processes to prevent unauthorized access to systems and work environments;
• then they must support authorized access to data and data integrity;
• and finally organizations need to have appropriate plans in place for systems availability and overall business continuity in the event of an attack or natural disaster.

This theme of proactive access control processes is echoed by the US National Institute of Standards & Technology’s (NIST) Information Technology Laboratory. It has pioneered an approach using a new technology for controlling access to computer networks known as Role Based Access Control (RBAC). Computer security specialists at NIST began working on RBAC in the early 1990s after an examination of federal agencies showed the need to develop better ways to manage large networked systems and complex access issues. NIST believes that taking the right approach to computer security not only provides an enhanced level of computer security and risk reduction, but can lead to significant financial savings for an organization. Over the 1992 – 2006 period for which impacts were estimated, NIST’s RBAC work is projected to generate economic benefits of about US $292 million, according to a study conducted for NIST by the Research Triangle Institute (RTI) of North Carolina. This estimate translates into a benefit-to-cost ratio of 109 to 1. Based on interviews with software developers and companies that use RBAC products, the RTI study estimates that by 2006, between 20 and 50% of employees in the service sector and between 10 and 25% of other organizations will be managed by RBAC systems.
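To make the RBAC idea above concrete, here is an added example (my own illustration, not NIST's reference model or any product's code) of the core mechanism: users are assigned roles, roles carry permissions and may inherit from other roles, and every access decision is made against the user's effective roles rather than against the individual. Role, user and resource names are constructed for the example. It also shows why the approach helps with the "prevent unauthorized access, then support authorized access" agenda: moving a person between jobs is one assignment change, access is denied by default, and each decision is recorded so the incident feedback loop discussed later has something to work from.

```python
"""Minimal role-based access control (RBAC) with role inheritance.

Added example; the roles, users and resources below are constructed
for illustration and do not come from the surveys the article cites.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    action: str      # e.g. "read", "write"
    resource: str    # e.g. "patient_record"


@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)
    parents: set = field(default_factory=set)   # roles this role inherits from


class Rbac:
    def __init__(self):
        self.roles = {}        # role name -> Role
        self.user_roles = {}   # user -> set of role names
        self.audit = []        # (user, action, resource, decision) tuples

    def add_role(self, name, permissions=(), inherits=()):
        for parent in inherits:
            if parent not in self.roles:
                raise KeyError(f"unknown parent role {parent!r}")
        perms = {Permission(action, resource) for action, resource in permissions}
        self.roles[name] = Role(name, perms, set(inherits))

    def assign(self, user, role):
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        # Removing the assignment removes every permission it carried.
        self.user_roles.get(user, set()).discard(role)

    def effective_permissions(self, user):
        """Union of permissions over the user's roles and all inherited roles."""
        perms, seen = set(), set()
        stack = list(self.user_roles.get(user, ()))
        while stack:
            name = stack.pop()
            if name in seen:           # guards against cyclic role graphs
                continue
            seen.add(name)
            role = self.roles[name]
            perms |= role.permissions
            stack.extend(role.parents)
        return perms

    def check(self, user, action, resource):
        """Deny by default; log every decision for later review."""
        allowed = Permission(action, resource) in self.effective_permissions(user)
        self.audit.append((user, action, resource, "ALLOW" if allowed else "DENY"))
        return allowed


def demo():
    """Builds a small role hierarchy and returns the access decisions it produces."""
    rbac = Rbac()
    rbac.add_role("staff", [("read", "handbook")])
    rbac.add_role("clerk", [("read", "patient_record")], inherits=["staff"])
    rbac.add_role("admin", [("write", "patient_record")], inherits=["clerk"])
    rbac.assign("alice", "clerk")
    rbac.assign("bob", "staff")
    rbac.assign("carol", "admin")

    results = {
        "alice_reads_record": rbac.check("alice", "read", "patient_record"),   # True
        "alice_reads_handbook": rbac.check("alice", "read", "handbook"),       # True, inherited from staff
        "bob_reads_record": rbac.check("bob", "read", "patient_record"),       # False, not in bob's roles
        "carol_writes_record": rbac.check("carol", "write", "patient_record"), # True
        "carol_reads_handbook": rbac.check("carol", "read", "handbook"),       # True, two levels up
    }
    rbac.revoke("alice", "clerk")   # job change or leaver: one operation
    results["alice_after_revoke"] = rbac.check("alice", "read", "patient_record")  # False
    results["denies_logged"] = sum(1 for entry in rbac.audit if entry[3] == "DENY")  # 2
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit list is deliberately part of the model: a deny that should have been an allow points to a missing role assignment, and an allow that should have been a deny points to an over-broad role, which is exactly the kind of post-incident review the later section on detection says many organizations skip.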

Detection of incidents

It is axiomatic that the statistics on the relative sizes of types of security incidents are based on the known incidents. A bit like the toilet cleaners that kill 99.9% of known germs. We will probably never know how many unknown germs are also killed, and more importantly, how many are not. How does your organization know whether it has suffered an attack, or an intruder has electronically copied confidential data? According to the KPMG Survey, just over a half of respondent organizations had no form of intrusion detection system. Furthermore, a tenth of organizations never test their security measures and cannot therefore know if they are effective. The Ernst & Young Survey found that less than half of organizations are carrying out security assurance activities. How, therefore, are organizations getting the confidence to know the real source of threats and that their security policies and procedures are being deployed effectively? Despite the lack of deployment of intrusion detection systems and active security assurance activities, organizations, probably naively, believe that they will be able to detect incidents. Those organizations who feel very confident they would detect an attack have increased in the last year from 33% to 40% (E&Y Survey). It is almost certain that some of those who are not entirely confident that they would detect an attack have actually been attacked, but were not aware of it. In all probability, this statement is likely to apply to the 40% as well. The KPMG Survey found that a greater number of businesses now have processes for dealing with security breaches as they arise, with large businesses and the financial services sector best prepared to deal with them. But it must be remembered that this survey was biased towards larger companies. The key questions for all organizations, including those who were confident they would detect an attack, are: when are attacks detected (during or afterwards, and how long afterwards); do you know what to do when an attack is detected; do you have a PR damage limitation strategy; and can you measure the impact? Is there a post mortem of the incident that feeds back into the computer security strategy and defences and processes? One would have thought such a feedback loop to be so obvious as not to need stating, but a staggering 40% of companies do not even investigate information security incidents. If you do not understand the attack how can you have any confidence that you will not suffer the same type of attack again and again? Failure to investigate systems incidents increases the likelihood of undetected damage and creation of ‘back doors’ for later malicious use. Only 40% of respondents admitted to having experienced a network, data or Internet security attack in the past six months. This seems at odds with the statistics appearing with almost every security breach headline, which suggest that the incidence of attack is much higher. However, it is also recognized that many organizations do not admit openly to experiencing information security breaches or attacks. On the costs of breaches, the DTI Survey suggested an average cost of £30 000 but about two thirds of all incidents would cost less than £10 000 to resolve. In the Ernst & Young Survey, 4% of respondents had an incident costing more than £500 000 and 7% of contributors to a Web survey run in conjunction with the study also admitted to incidents costing more than this amount. The KPMG Survey of larger companies quoted average direct costs of breaches of £73 000, average annual losses on viruses in excess of £110 000 and a highest reported annual loss for one company in excess of £6 million.

Investment in Security

I said at the beginning that there is still an under investment in security technology and processes. A survey of visitors to the Information Security Show in London in April revealed that whilst attitudes to computer security have improved and organizations are now taking it more seriously in response to the rise in sustained network attacks over the past few years, they remain reluctant to pay for increased protection. This is a worrying development, considering such a high proportion admitted to suffering multiple attacks. They know that the danger is there, but readily admit that their company is not spending enough money on securing their network, and think that they need to allocate more of the IT budget to security solutions. While almost half the respondents put security at the top of their network priorities, a third thought their company should spend more on security. Security was rated as the number one concern ahead of manageability and running costs, while performance limped in last. The results highlight the increasing threat to UK and world-wide business, especially from Internet based Distributed Denial of Service type attacks. And while it is clear companies are beginning to take this threat seriously, there is clearly a long way to go yet. Based on its Enterprise Technology Trends Survey findings as well as recent developments, IDC expects Financial Services organizations in North America will focus on several items in the first part of 2002 such as:

• Disaster recovery, security solutions, and remote access systems to ensure business continuity.
• Customer relationship management (CRM) to retain profitable customers and identify new revenue-generating opportunities.
• Outsourcing to improve efficiencies and expedite time to market.

The study, released in December 2001, estimated IT spending in banking to reach US $56.3 billion by the end of 2001 with IT spending in insurance and other financial services estimated to reach US $25.3 billion and US $21.4 billion, respectively. This whole area of budgets was examined by the Ernst & Young Survey. It found that information security expenditure may appear in the overall IT budget or in the business unit budget. However, organizations identified several components that were not monitored nor easily identifiable in either budget, typically application security design and management, and intrusion detection services. In addition, some expenditure, including security headcount, security specific application operations, and business continuity appears in business unit budgets as well as in IT budgets, which can make it hard to see the full picture and ensure efficient use of scarce skill sets. Wherever the budget sits, it must be communicated and monitored if proper control and return on investment is to be achieved. If this is not the case, there may be a lack of visibility of the overall commitment and spending priorities and spend may be duplicated unnecessarily. In addition, it can result in unexpected additional expenditure during the year. For example, implementation spend may be in the business unit budget, but support and maintenance is expected to come from the IT budget, yet neither include security related elements. Some 73% of respondents felt the budget to be sufficient for their organization’s short-term needs. Just over a half believe that information security is viewed as a priority compared to other IT-related projects and about a third view it as at least an equal priority. Only 13% expected to see cuts to the IT security budget, although 41% said they did not know.

Security Policy

A computer security policy is, it should go without saying, a sine qua non of effective computer security. It lays down the security strategy and staff responsibilities. But, as I said earlier, it should not be an IT document designed by IT in isolation from the business. The organization must incorporate computer security into the business strategy. It is part and parcel of corporate governance, and of consumer and investor confidence.

An information security strategy provides a framework for making decisions and agreeing priorities. Many organizations develop technical plans. These may include policies, procedures and some indication of technologies — in other words, focus on technical specification. For a security strategy to be of real value it must be driven and embraced by line and functional business leaders across disciplines, and include sound consideration of the nature of the business risks and the organization’s culture. It must be a living document which drives tactical and operational decisions in all business areas. Components often overlooked are training and awareness, sourcing strategy, and performance and assurance measures. Eighty five percent of respondents at the Information Security Show claimed that their company now has a dedicated security policy and two thirds were confident that their network could stand up to a viral attack. This shows that the main concerns for network managers today are the high-speed web based attacks such as Denial of Service (DoS). In contrast the KPMG Survey found that only 27% have a documented security policy, but that this rose to 59% for large businesses. Although not quite the same question, 74% of E&Y respondents believe they have an information security strategy. Of concern is the finding that only 14% of organizations in the KPMG Survey always document how security will be addressed in the design of IT projects.

Awareness and training

Also of concern is that the majority of UK businesses are unaware of the contents of BS7799 (now also ISO 17799) and only 5.5% claim to be compliant with it! And if organizations are unaware of the Computer Security Standard how can they expect staff to be aware of the need for computer security? Ernst & Young found that one of the major challenges for organizations in achieving the required level of computer security is employee awareness. Employee awareness of information security policies and procedures is cited by two-thirds of the respondents as a barrier to achieving effective security, yet less than half of those surveyed have employee awareness and training programmes in place that address these critical security policies. Just under a third of respondent organizations are planning to address this key activity. The KPMG Survey found that only 28% of respondent organizations make staff aware of their obligations in information security as part of an induction process and 13% have no mechanism at all for making staff aware of their obligations. The lack of an awareness programme indicates a critical gap in effective security implementation, which is all the more surprising because three quarters of respondents stated they have an explicit and well-understood security strategy. A security training and awareness programme is a fundamental component of an effective information security strategy. The statistics about security activities seem to indicate many organizations are taking a somewhat piecemeal approach to information security. For example, anti-virus procedures and access management processes are in place, but little training and awareness activity exists to help ensure they are effectively implemented and there is limited assurance activity to help ensure compliance. This is borne out by the Security Awareness Index Survey (SAI), conducted by Pentasafe. According to the company, “Companies are clearly failing to protect their most valuable asset — their information. Companies will train staff how to sell, but they are selling themselves short by a lack of security training. We believe that an information classification scheme is essential for effective protection and that organizations need to determine through clear security policies what information is important.” The results of this survey are based on the responses of international organizations to an online security awareness audit. Pentasafe found that healthcare employees fail abysmally when it comes to securing their companies’ most valuable asset, ‘confidential company information’. Six out of 10 employees just scraped a “D” grade in the test to find out the levels of their security awareness, with 90% naively admitting to opening or executing a dangerous email attachment. The survey found that one in four employees would opt for ‘Banana’ as a safe and acceptable password, even though it would take a hacker seconds to break into a corporate network using this password. However, these initial results reveal that corporations around the world are still not getting it right when it comes to training their staff to respect the information and systems they work with on a day to day basis. Other staggering results from the Security Awareness Index include:

• Two-thirds of security managers feel the overall level of security awareness in their organization is either inadequate or dangerously inadequate.
• Almost 50% of employees said that they had never received any formal security awareness training, with a third of organizations not requiring their workers to read security policy statements.
• One out of ten employees said that they had never read any of their company’s security policies.
• 25% of the 1348 employees questioned had not read their organization’s security policies in over two years, and said that the document was not readily available.
• 70% of companies admitted not tracking or following up cases where staff had not signed a statement to say they had read and understood the security policy.
• 90% of employees would open or execute a dangerous email attachment, ranging from a simple Word or Excel file to the potentially all-powerful VB scripts and binary executables.

Financial institutions, healthcare organizations and the public sector, who are especially sensitive to security issues, failed to earn a satisfactory “C” score in the SAI test, with those in the communications industry coming bottom with the worst results. The survey found the financial services industry employs more security awareness practices on average than any other industry, beating the average 49 times out of 50 — although beating the averages is not good enough. The financial services industry’s score was still below 70 and is considered inadequate by Pentasafe.

Business Continuity Plans

A majority of E&Y respondents indicated that critical business systems are increasingly interrupted, with three quarters experiencing unexpected unavailability. Yet only 53% of organizations have business continuity plans. It is now nearly a quarter of a century since the Institute of Internal Auditors – UK and Ireland published a definitive manual on Disaster Recovery Planning. A quarter of a century in which the dependence on computing has increased exponentially, with global connectivity and computing power moving from fortress computer room bunkers to desk top workstations; a quarter of a century in which the risks and threats have increased to levels not imaginable then. A quarter of a century of corporate governance. Auditors have to sign statutory accounts on the basis of a “going concern”, but without adequate backup and recovery of computer systems the concern will be not going but gone. And yet only 53% of survey respondent organizations have business continuity plans. I have emphasized business continuity plans because there continues to be a view amongst many senior managers that business continuity planning and IT disaster recovery planning are one and the same thing. It is yet another manifestation of the Black Box syndrome. This is borne out by the fact that just under three quarters of the respondents had IT disaster recovery plans. But what use is a computer network if there are no work stations, or offices, or telephones? But the bad news does not end here. Of those who have plans, many have not gone through the expected activities to develop the plan. For example, just over 40% of organizations have carried out a business impact analysis and prioritized their critical business processes and 21% have not tested the plan. In addition, just under half the organizations surveyed have not agreed recovery timescales with the business, which could mean a wide expectation gap between what the business needs and what IT might be able to provide. Of those organizations with an IT disaster recovery plan, one in six had not tested it! History is littered with IT-dependent organizations without tested business continuity plans that failed to survive a disaster. It is hard to identify those organizations that are not IT dependent in today’s world and this makes the recurring statistics about the number of organizations without plans all the more alarming. Even where they have been developed, many plans may not be effective if they have been developed in isolation of the business, or have not been tested. Whilst recovery from the majority of breaches might be achievable within a day, one-fifth of large UK businesses reported breaches which took in excess of a week to resolve.


It is encouraging that 70% of the respondent organizations intend to enhance business continuity and IT disaster recovery plans, but history is littered with good intentions. Only 29% of respondent organizations treated business continuity planning as a business unit expenditure and 45% said it is within the IT budget, indicating perhaps, that many organizations still perceive business continuity as a responsibility of IT and not the business. Another manifestation of the Black Box syndrome? Late 2001 changed the set of probabilities that businesses face in preparing for business interruption. I wrote extensively on this at the time (‘Lessons Learned.’ Computers & Security, Vol. 20, No. 7). But only three quarters of US business continuity professionals have reviewed their business continuity plans since 11th September according to the results of a recent survey conducted by Strohl Systems and CPM magazine. The top causes of business interruption failures were cited as hardware or software failure (56%) and telecommunications failure (49%). Around a quarter of failures were due to operational errors, system capacity issues and third party failures. These latter could be the result of poor management of operational basics, such as sound operational procedures for loading new software, change management and capacity planning.

I hold it as certain, that no organization was ever written out of reputation but by itself (Richard Bentley, 1662–1742)

Respondents regarded the operational impact of failures as higher than the financial or reputational impact. It is interesting to note that reputational risk is highlighted in the E&Y Survey. The risk to reputation has always been there but, in my memory at least, never so explicitly stated. Perhaps it is the onslaught of so much shareholder/stockholder litigation against boards of directors that has propelled it up the risk list. It is clear that financial and reputational risk will increase as Information Technology connectivity increases, and that global economic uncertainty poses new risks that companies must quickly identify and address. The results also pose the question of whether organizations are able to quantify the financial and reputational impact of operational downtime, compared to simply recognizing operational impact. Also of concern is that most respondents could not articulate the operational loss in business terms, for example the opportunity cost or financial cost of 10 000 employees without access to systems for four hours.

Privacy and Confidentiality

Only one third of organizations were very concerned about compliance with legislation and industry regulations. This is despite increased attention being paid to privacy and data protection issues, such as those evidenced by the EU Data Protection Directive in Europe and the Gramm-Leach-Bliley Act in the US, and expected industry pressures to improve identification and authentication measures. It would be tempting to believe the other two thirds are fully aware, but as we saw above with respect to security, there was a general lack of awareness. The concern is that many organizations may not be aware of the regulations themselves, or of the risk in not complying with them. Indeed, the poor awareness of BS7799 indicates this. The UK registration form for data controllers to register under the Data Protection Act 1998 (which brought the EU Data Protection Directive into domestic legislation) categorically asks whether the data controller (organization etc.) complies with BS7799.


Protective technologies

The uptake of protective technologies to enhance security protection is surprisingly low. Nineteen percent are piloting or widely deploying Public Key Infrastructure (PKI) and a further 26% are planning to pilot it. Biometrics is in use at only 5% of organizations and only a further 11% plan to pilot it. Thirty-six percent of organizations are making use of Intrusion Detection Systems (IDS), with a further 24% expecting to deploy them. Cost is stated by 38% as a major barrier to deployment.

Conclusions

This year’s surveys bring little assurance that companies are paying sufficient attention to information protection. The survey results indicate that while information security has become a major concern for companies around the world, approaches to the risks are inconsistent and often insufficient. If companies were improving their performance against a background of a static environment, there might be some comfort from the evidence that more companies are placing information security higher on the business agenda and some of the detailed statistics presented show increased action. Unfortunately, however, the environment is not static and the increasing external connectivity in today’s information technology infrastructure requires a much greater commitment and investment of time and money if the situation is to improve.

Ten steps to protection?

Effective security must be directed and coordinated at boardroom level. As I said last month with respect to Corporate Governance, the tone is set at the top. Security governance is the responsibility of the Board. It should be a regular board agenda item. If it isn’t then it may become one in reaction to media headlines.

Two of the surveys posed 10 questions for the Board.

Global Information Security Survey 2002 - Ernst & Young

1. Does your board recognize that information security is a board-level issue and cannot be left to IT alone? Is your information security strategy aligned with your business strategy?
2. Is there clear accountability for information security in your organization?
3. Can your board members articulate an agreed set of threats and critical assets? How often do you review and update this?
4. Do you know how much is spent on information security and what it is being spent on? Can you measure your return on investment?
5. What would be the impact on the organization of a serious security incident (reputation, revenue, legal, operational performance, and investor confidence)?
6. How does your organization see information security as an enabler (for example, by implementing effective security, could you enable your organization to increase business over the Internet)?
7. Has your business assessed the risk of getting a reputation for slackness in security?
8. What steps have you taken to satisfy yourself that well intended (or not) third parties will not compromise the security of your organization?
9. How do you obtain independent assurance that information security is managed effectively in your organization?
10. How do you measure the effectiveness of your information security activities?


DTI Information Security Breaches Survey 2002

Make sure your business:

1. Creates a security aware culture by educating staff about security risks and their responsibilities.
2. Has a clear, up to date security policy to facilitate communication with staff and business partners.
3. Has people responsible for security with the right knowledge of good practice (e.g. BS7799) and the latest security threats – consider supplementing their skills with external security experts.
4. Evaluates return on investment on IT security expenditure.
5. Builds security requirements into the design of IT systems and outsourcing arrangements.
6. Keeps technical security defences (e.g. antivirus software) up to date in the light of the latest threats.
7. Has procedures to ensure compliance with data protection and other regulatory requirements.
8. Has contingency plans for dealing with a serious information security breach.
9. Understands the status of its insurance cover against damage as a result of information security breaches.
10. Tests compliance with its security policy (e.g. security audits, penetration testing of its website).

Most important of all, do not wait for a serious security incident to affect your business before you take action.

The main findings of the Surveys

Global Information Security Survey 2002, Ernst & Young

There are some alarming gaps, the management of which is now critical to business survival and competitive advantage.
• Only 40% of organizations are confident they would detect a systems attack.
• 40% of organizations do not investigate information security incidents.
• Critical business systems are increasingly interrupted – over 75% of organizations experienced unexpected unavailability.
• Business continuity plans exist at only 53% of organizations.
• Only 41% of organizations are concerned about internal attacks on systems, despite overwhelming evidence of the high number of attacks from within organizations.
• Less than 50% of organizations have information security training and awareness programmes.

Information Security Breaches Survey 2002, Department of Trade & Industry, UK

Customers at risk as British businesses fail to adopt online security.
• Half of businesses operating transactional websites do not use encryption technologies to secure transactions and files held on Web servers.
• Less than one third of businesses encrypt files such as credit card details, leaving customer details and confidential company information wide open to be accessed and utilized.
• One third of businesses fail to authenticate customers’ identities online prior to transaction completion.
• More than half of companies do not check credit card authorization online.
• Over a third of websites have no firewall, giving hackers an easy ride when it comes to obtaining critical business and financial information.

The Surveys

• DTI Information Security Breaches Survey 2002. The survey was based on 1000 telephone calls with individuals responsible for information security within their UK organizations.
• Global Information Security Survey 2002, Ernst & Young. Over 450 Chief Information Officers, IT Directors and business executives were contacted world-wide. This is the first of two studies based on a detailed analysis of many of the most information intensive companies in the world. It was developed to understand their views on information security and how they are responding to threats. An in-depth analysis of the survey is available on Ernst & Young’s website (http://www.ey.com/security).
• Out of Thin Air - A European Study 2002 – conducted by Orthus (http://www.orthus.com/). With just a laptop computer, a wireless card and some network sniffing freeware available from the Internet, researchers spent one day per city walking through the commercial districts of London, Dublin, Stockholm, Berlin, Amsterdam, Brussels, Paris, Zurich, Milan and Madrid and identified 1639 sensitive company networks accessible from the streets. The survey was designed to demonstrate the availability and ease of access to wireless networks and quantify the associated security issues and vulnerabilities.
• Enterprise Technology Trends (ETT) Survey (December 2001) and Investment Climate and IT Priorities in the Finance Sector Report 2002, both from IDC.
• Website compliance with the UK Data Protection Act 1998 – UMIST & OIC, January 2002.
• Security Awareness Index Survey – PentaSafe 2002. A free self assessment programme that is designed to allow companies to benchmark their own levels of security against other companies, detailing attentiveness to security threats and vulnerabilities (http://www.pentasafe.com). So far over 583 organizations have taken part in the Security Awareness Index (SAI). Copies are available to purchase for $195.
• A survey of visitors to the Information Security Show conducted by Top Layer Networks 2002. The survey, conducted on the last day of the show, targeted IT managers and network specialists in companies from 9 to 165 000 employees.
• Know Your Enemy Security Survey conducted at RSA Conference 2002. An informal poll of computer security professionals conducted at the RSA Conference by CipherTrust.
• KPMG’s 2002 Global Information Security Survey. Senior managers of global organizations with turnover of more than $50 million were surveyed.
• Study for the US National Institute of Standards & Technology’s Information Technology Laboratory on its Role Based Access Control project, conducted by the Research Triangle Institute (RTI) of North Carolina (http://www.nist.gov/director/progofc/report02-1.pdf).
• Strohl Systems and CPM magazine survey of US business post 11 September.
