SQL Slammer. Code Red. Nimda. Worms, viruses, blended threats. Not to mention hackers, crackers and security slackers. There are more threats to the security and integrity of corporate data than ever before.
Compromising a system from the outside used to be a difficult chore, require skill and
insight into the nature of networking. Now, a comparative novice can cobble together a successful attack from readily available “”script-kiddy”” tools.
The economic implications can be frightening.
SQL Slammer, the latest high-profile worm to paralyse the Internet, took advantage of a well-known vulnerability in Microsoft’s widely used SQL Server software. The worm locked database servers into endless handshakes, compromising the performance of a quarter of the servers on the Internet, according to Moscow-based anti-virus company Kapersky Labs. London-based research firm MI2G estimated the damage at about $1 billion in lost productivity.
A patch for the vulnerability had been released months earlier.
When a Montreal teen lauunched denial-of-service attacks on major Internet portals including Yahoo, E-Bay and Buy.com, authorities figure the economic cost was in the neighbourhood of $1.7 billion.
The exploits of Mafiaboy, SQL Server, Anna Kournikova — the virus, not the athlete — and other high-profile Internet threats made headlines worldwide and demonstrated the vulnerability of corporate networks to external tampering. But all threats to corporate data security aren’t Internet-based.
In January, a hard drive disappeared from a computer at a data managment outsourcing company in Regina. The drive contained personal and confidential information on customers of Co-Operators Life Insurance, SaskTel, SaskPower, the provincial workers compensation authority and thousands of other businesses.
As we’ll examine in this supplement to IT Business Group publications, there’s more to information security than firewalls and anti-virus software. It isn’t even primarily a technological issue. It’s a business process that uses technological tools as part of an overall strategy to secure a company’s information assets. Physical security, access control and thorough security policy planning are all elements of a security strategy.
Part of the challenge of developing a security strategy is justifying the cost. While a recent Gartner survey of 1,500 chief information officers cites security as their No. 1 priority, spending isn’t keeping pace — companies spend only four per cent of their IT budgets on security. Assigning hard dollar values to intangibles like damage to a company’s reputation and loss of competitive advantage and intellectual property is part of the security business case equation.
The most thorough security policy in the world can’t be effective if it isn’t rigorously applied. Employees can be careless about passwords and physical storage of information. But if, as some security experts claim, your people are the weakest link in the security chain, then the solution to many security woes is close at hand. Employees must be partners in the security strategy and its execution. Educating them about the implications — the potential financial and job losses that can result from a security breach, internal or external — can be the most important weapon in a company’s security arsenal.