Electronic business (e-business), as we know it today, is transforming the global marketplace, with the result that the Internet is widely used for the transmission of financial transactions. The Gartner Group predicts that between 2002 and 2005 the number of consumers using online account management will more than double, reaching 45% of the US adult population. However, because the Internet was designed to be an open means of communication, it is difficult to secure. Messages and electronic files thus move along insecure networks, making information more vulnerable to interception and showing how difficult security is to manage. It is therefore not surprising that organisations and their consumers are becoming more and more concerned about the privacy of such information: whether data has been tampered with, and whether someone is eavesdropping or waiting to intercept it.
A number of surveys have shown that security is still one of the major stumbling blocks to e-business. In principle, companies, especially those in the financial sector, are exposed to a plethora of possible attacks if they are connected in any way to the Internet. Attackers range from hackers, who are out for a challenge, to crackers whose intent is to steal valuable company data. The risks include viruses, denial-of-service (DoS) attacks, and the like.
Results from a recent global survey conducted by KPMG revealed that 87% of organisations have suffered some form of security breach this year. Of this 87%, 61% were the result of virus attacks, 14% were due to DoS attacks, and 12% were attributable to website intrusion. The survey also revealed that approximately 46% of the companies surveyed spend only 5% or less of their IT budget on securing their networks. On a positive note, however, spending on IT security is expected to increase within the next year. One of the main decisions faced by IT directors across the globe is exactly how to go about protecting a company's assets from such attacks.
The soft underbelly of business
Hackers and crackers are opportunistic and count on organisations not fixing known vulnerabilities. They exploit the best-known flaws with the most effective and widely available attack tools. Enterprises, as suggested by Singleton in the EDPACS newsletter (August 2002, No. 2), should establish processes to ensure that they promptly apply all security patches to all Internet-exposed systems. A good basic plan for securing Internet systems is:
* List all probable vulnerabilities.
* Use this list as a checklist to fix applicable vulnerabilities.
* Subscribe to mailing lists that specialise in providing security alerts.
* Always test the changes or fixes in a test environment prior to them being applied to the production systems.
* Monitor on an ongoing basis.
In their book, Security Transformation, McCarthy and Campbell emphasise that companies that take control are those that have established an appropriate security environment by ensuring that such an environment is complementary to the business practices and is not isolated to the role of the IT manager. In taking advantage of e-business, one has to consider the whole business. It is not only about the opportunities, but also the risks, and these risks need to be effectively managed. Moreover, proactive approaches to security not only make for more protection of assets, but also lead to a proactive approach to risk management.
A layered approach to security
Often, companies feel that having a firewall to prevent intruders accessing the internal network, or simply implementing encryption technology, is enough. What must be considered, however, are the potential risks and vulnerabilities that actually exist for the company. Security needs to be addressed for the entire perimeter, and a weakness in any one of the links could cause the entire structure to collapse. The perimeter includes not only your connection to the Internet but also all customers and suppliers that are connected to your network. Minimising security risk should therefore be approached by investing in extra layers of security, such as vulnerability testing, intrusion detection, and e-mail scanning. Each individual control might be only 50% effective, yet three or four of them working together can produce a greater level of security than a single control can, even one that is 80% effective (KPMG comment, Global Survey, 2002). For example, firewalls serve to keep intruders from gaining unauthorised access to a company's internal network. By also installing intrusion detection, the same company takes a proactive step toward security by identifying a possible attack before it succeeds.
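The KPMG comment quoted above can be made precise. If an attack succeeds only when it evades every layer, and the layers fail independently, the combined effectiveness of controls with stop probabilities e1, e2, ... is 1 - (1 - e1)(1 - e2)... The following is an added worked example, not part of the original article or of KPMG's survey material; the per-control percentages are the ones in the text, the control names are illustrative, and the independence of the layers is an assumption (controls that share a common bypass, such as two products fooled by the same evasion, deliver less than this figure).

```python
from functools import reduce
from operator import mul


def combined_effectiveness(controls):
    """Probability that at least one independent control stops an attack.

    controls: iterable of per-control stop probabilities, each in [0, 1].
    Independence of the layers is assumed (see the lead-in); correlated
    failures make the real figure lower than the value returned here.
    """
    controls = list(controls)
    for e in controls:
        if not 0.0 <= e <= 1.0:
            raise ValueError(f"effectiveness must lie in [0, 1], got {e}")
    # An attack gets through only if it evades every layer in turn.
    evasion = reduce(mul, (1.0 - e for e in controls), 1.0)
    return 1.0 - evasion


def layers_needed(per_control, target):
    """Smallest number of identical independent controls, each stopping a
    fraction `per_control` of attacks, whose combination reaches `target`."""
    if not 0.0 < per_control <= 1.0:
        raise ValueError("per_control must lie in (0, 1]")
    if not 0.0 <= target < 1.0:
        raise ValueError("target must lie in [0, 1)")
    n = 0
    while combined_effectiveness([per_control] * n) < target:
        n += 1
    return n


def compare_layered_to_single(layer_effectiveness, single_effectiveness):
    """Return (layered, single, layered_is_better) for the article's comparison."""
    layered = combined_effectiveness(layer_effectiveness)
    return layered, single_effectiveness, layered > single_effectiveness


if __name__ == "__main__":
    # Constructed scenario: three 50%-effective layers (firewall, intrusion
    # detection, e-mail scanning) versus one 80%-effective control.
    three_layers = {"firewall": 0.5, "intrusion detection": 0.5, "e-mail scanning": 0.5}
    layered, single, better = compare_layered_to_single(three_layers.values(), 0.8)
    print(f"three 50% layers: {layered:.1%}  single 80% control: {single:.0%}  "
          f"layered better: {better}")
    print(f"four 50% layers: {combined_effectiveness([0.5] * 4):.2%}")
    print(f"50% layers needed to reach 99%: {layers_needed(0.5, 0.99)}")
```

Three 50% layers yield 87.5% and four yield 93.75%, both above the single 80% control, which is exactly the article's point; the `layers_needed` helper also shows the diminishing return, since each extra identical layer halves only the residual risk. The independence caveat matters in practice: stacking two controls that fail on the same input buys nothing.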
In addition to this, effective security policies and procedures need to be put in place and appropriate legislation enforced. Training and a security culture amongst staff are vital, as it is repeatedly shown that the easiest way to get around a security system is through the weakest link - the user. Having said all this, it is also important to realise that preventative measures alone are not enough. System management professionals need to move from a product perspective to a process perspective. What is essential is ongoing monitoring and rapid response, while at the same time maintaining firewalls and gateways to keep out intruders. Schneier, in his book Secrets and Lies: Digital Security in a Networked World, emphasises that it is far more effective to think of security as an ongoing process of risk management that includes not just protection but also detection and reaction mechanisms.
There are many opportunities arising from e-business. However, the surrounding security needs to be effectively managed in order for it to succeed. Security is no longer just a matter of reducing risk; it has become a key e-business enabler. Without a securely protected infrastructure to support e-business, the business may be vulnerable to abuse, misuse, and failure in many ways. This can result in great financial loss to a company and in damage to how its consumers perceive it. Companies should adopt a layered approach to security, so that every avenue of access open to intruders is restricted. Accompanying this layered approach is the ongoing process of monitoring the systems and responding rapidly to attack.
KPMG Information Security Services
011 647 6396