soapbox
When Ignorance Is Not Bliss!
Over time, a number of 'myths' have built up based on opinions, reports and surveys in the security market. Many of these 'myths' are now seen as immutable truths. In fact, nothing could be further from the truth!
Myth 1: The "greatest threat is internal"
The annual CSI/FBI survey for 2001 shows that the largest source of illegal access comes from the Internet. Over the last five years the proportion of security breaches attributable to unauthorized external access has grown from 38% to 70% of all reported incidents, whereas the proportion attributable to internal security breaches has declined from 54% to 31%.
Myth 2: The "stereotypical hacker"
Although some 16–22-year-old males may be hackers, this is not the norm. These are just the ones that get caught and achieve '15 minutes of fame'. They are not the major source of professional hacking. And the reported loss from computer crime this year was $378M (source: CSI/FBI survey 2001). The hackers you need to worry about are the ones we know nothing about.
Myth 3: "It'll never happen to me"
There are many system managers who say they have never been hacked. In reality, those who say 'never' have about as much clue as those who say 'don't know'. Seemingly secure networks are still vulnerable, and invariably the weakest link in any corporate network comes from the devices that are not managed by the IT department (e.g. modem connections, PDAs connected to networked PCs).
Myth 4: The "technology will protect me"
Security technology alone will not protect an IT system. Almost 100% of users have implemented anti-virus software, yet most would admit to having experienced a virus problem in the last year. Security technology is essential, but is not the answer in itself. It forms one part of a company security policy, but only offers limited protection if it is not correctly installed, configured and managed.
Myth 5: "We have a published security policy therefore we are more secure"
Having a security policy at all is the first step. However, an effective network security policy is not held in a ring-binder in the IT department. It needs to be a living process: regularly reviewed, effectively communicated and, where possible, evangelized as good business practice to all users. Security needs to come 'out' of the closet. Poor security costs companies real financial loss and incalculable loss of reputation. Board directors must focus on security and not leave it in good faith, with inadequate budgets, to the "specialist" in the IT department.
This SoapBox was brought to you by Ian McKenzie, business development director of Vistorm. Vistorm provides managed Internet security services. Its security services provide effective 24x7 protection to organizations in need of a secure Internet infrastructure for E-business and VPN-based remote connectivity solutions. Vistorm delivers specialist consulting and technical expertise, as well as security technologies and constant monitoring and management from its secure global network operations centre.
Events Calendar
SECURITY SOLUTIONS EXPO
21-23 September 2001. Location: Mumbai, India. Contact: Anthony Pereira, Bandwidth Expo; tel: +91 22 3694959; fax: +91 22 3634266; E-mail: [email protected]; website: www.securitysolutionsexpo.com
MOBILE COMMERCE WORLD EUROPE 2001
25-27 September 2001. Location: London, UK. Contact: Sheila Wan; tel: +44 20 7827 5943; website: www.mobilecommerceworld.com
11TH ANNUAL VIRUS BULLETIN CONFERENCE
27-28 September 2001. Location: Prague, Czechoslovakia. Contact: Karen Richardson, Virus Bulletin, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, UK; tel: +44 1235 555139; fax: +44 1235 531889; E-mail: [email protected]; website: www.virusbtn.com
COMPSEC 2001
The 18th World Conference on Computer Security, Audit & Control. Covering all aspects of information security, with a focus on trust and security for e-business. 17-19 October 2001. Location: London, UK. Contact: Melanie Wheeler, Compsec 2001, Elsevier Advanced Technology, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, UK; tel: +44 (0)1865 843089; fax: +44 (0)1865 843958; E-mail: [email protected]; website: www.compsec2001.com
DEFENDING AGAINST INFORMATION WARFARE
October 18-19, 2001. Location: Roosevelt Hotel, New York, NY. Contact: The Strategic Research Institute; tel: +1 888 6668514; website: www.srinstitute.com/ck106
BIOMETRICS 2001
The fourth world conference and exhibition on the practical application of biometrics. 28-30 November 2001. Location: London, UK. Contact: Sophie Hayward, Biometrics 2001, Elsevier Advanced Technology, PO Box 150, Kidlington, Oxford, OX5 1AS, UK; fax: +44 (0)1865 843971; E-mail: [email protected]; website: http://www.biometrics2001.com