News

No time for complacency
Joe O’Halloran
Most IT shops in Britain take security seriously, but only constant vigilance offers the right protection, says Joe O’Halloran
Infosecurity Today March/April 2004

Paranoia pays. That’s the conclusion one can draw from the results of a survey of 20,000 British IT security professionals conducted in January. The survey, by the trade newspaper Computer Weekly, showed that IT shops face constant threats from the MyDoom virus and its variants, and must also cope with almost daily updates and patches from Microsoft and other software vendors. This makes it a golden time for computer security managers. And they have risen to the challenge. Most companies surveyed feel safe. This feeling of relative comfort stems from some serious planning. But smugness is misplaced. Less than half of the respondents have escaped a security breach, and more than a third were cracked in the past year. According to the survey, more than four out of five companies regard viruses, worms or Trojans as the biggest threat to their businesses. Given that the survey took place just before MyDoom arrived, this seems prescient. The next most mentioned threats are data theft, cited by a third, and spam, by nearly two out of five. When asked specifically about denial of service attacks, just under one in three see them as the biggest threat. (Software house SCO, the main victim of MyDoom, was not part of the survey.) Encouragingly, 99% of respondents use both anti-virus software and firewalls to combat such threats. Also heartening is the fact that nearly two-thirds use virtual private networks and access/authentication management techniques to protect access to their systems. Three in 10 firms use vulnerability scanning technology on their networks and, as expected for a technique still in its infancy, only three per cent use biometrics. Firms are generally well up on what security systems they have, with most doing regular audits of security technology. Nearly 90% have an inventory of security technology that includes checks on operating system patches and on service packs in use.
Two-thirds have checked for illegal or unauthorised material stored on company systems and on the physical hardware of the corporate IT infrastructure itself. This should not surprise anyone, given that 86% of firms have governance policies regarding Internet and email usage, and nearly two-thirds wipe data from old or unused PCs before they leave the enterprise. Nearly three out of five companies have some policy regarding patching of the systems they use. Nearly half patch their systems automatically and a quarter routinely patch systems at least monthly. The level of paranoia is such that only seven per cent of firms needed to update or patch systems after being warned of imminent attacks. Another sign of firms’ preparedness is that nearly three-quarters have an action plan if their security is breached. The Computer Weekly survey also asked how much firms spend on IT security technology. Over two-thirds spend up to five per cent of their company’s total infrastructure costs on security products and services, while 12% spend between five and 7.5%. Fewer than one in 10 spend more than 10 per cent of their company’s IT budget on security. Despite the high spending rates, only 15% of respondents have worked out a clear return on investment plan for their security infrastructure. Outsourcing has been one of the most popular ways to keep down the cost of IT, but it’s a different matter when it comes to security. More than nine in 10 respondents do not outsource their security arrangements. The reasons cited most often are that outsourcing is inappropriate to companies’ business needs (41%) and that the core security function is too important to outsource (31%). For those that do outsource, the main reason is not cost. Some 42% said that they do so because an external source has better qualified staff, and 20% because it can provide a better quality service. In fact cost was only the third most common reason (14%). A key trend of IT last year was wireless access to the corporate network. Even though many wireless technology players spent most of last year assuring potential customers of how secure their systems are, 36% of respondents remain very concerned about it, and 45% are slightly concerned. Only 5% believe there is no problem. Companies’ processes and infrastructure need to evolve to stay on top of the manifest threats.
Andrew McGovern, global security awareness manager at Reuters, says that even though virus and worm outbreaks are a constant threat to his company and must be dealt with, his focus is less on technology than process. “[My job] is more about ensuring that the organisation understands its processes as it evolves, the location of possible weaknesses that might occur as a result of these organisational changes, and ensuring they are addressed quickly. This is a constant process and one that requires considerable thought and resource,” he says. McGovern believes in having a pragmatic security framework, controls that are relevant to the organisation and an infrastructure that helps staff comply with these controls. In addition he believes that today’s companies need to incorporate risk management processes to ensure that their controls keep pace as the organisation and the threat environment change. The survey suggests the industry has responded to the threat environment. But any deterioration means complacency will prove a killer. By and large companies have in place the fundamental tools, such as anti-virus systems and firewalls, that protect against external threats. Now they need to secure the internal systems and processes whose weak spots are often ignored in the hype around events such as MyDoom and Blaster.

• This is a golden time for computer security managers.
• Only 15 per cent worked out a clear return on investment plan.
• Nearly 80 per cent are worried about wireless access.
UK business writes off cybercrime losses
Sarah Hilley

Len Hynds, the head of the UK National Hi-Tech Crime Unit (NHTCU), announced at the Unit's E-crime Congress in London on 24 February that the financial loss to UK business from hi-tech crime could be in the "billions of pounds rather than millions". Despite this cost impact, however, companies are opting to sweep the losses under the carpet. The Unit's survey, released at the Congress, revealed that three financial firms lost £20 million each in 2003. But it also showed that disruption of business continuity was seen as the main threat to companies, with 74% citing this as a major concern. Concern at actual financial loss comes in at a low 6%. The Unit's research also shows that "no category of crime was considered by respondents to cause a 'high' financial impact," said Hynds. "Arguably this demonstrates a pragmatic approach on the part of industry, which can factor in cybercrime as an unwelcome but manageable overhead".