25 Oct Companies still neglect network security
Madison, Wis. – Cyber threats are becoming more sophisticated and are headed in new directions, but too many companies aren’t acting on the threats, a panel of experts said this week.
In a panel discussion on the state of information security during the annual E-Business Best Practices & Emerging Technologies Conference, technology executives continued to emphasize the necessary balance between productivity and security, but said many businesses still aren’t serious enough about striking the balance.
Pointing to recent faux pas committed by people on the Hewlett Packard board of directors, panelist Jody Westby, CEO and founder of Global Cyber Risk, said even world-class businesses lack security expertise at the highest levels.
“Companies just don’t think about this at the board and CEO level, and they have to,” Westby said.
They have to because hackers aren’t writing malicious code for kicks, but for fun and profit; amateurs are doing their share of damage with rootkits; and internal sabotage remains the highest security risk.
In addition, cyber criminals already are targeting wireless communications, and the plaintiff’s bar is paying more attention to corporate negligence in the area of computer security. If that isn’t enough, compliance requirements are likely to speed adoption of security measures and products.
“Businesses think about security threats like they do an earthquake,” said Mudit Tyagi, senior engineer for Nevis Networks, Inc. “They should be thinking about it in terms of an ice storm in Wisconsin. Is it going to happen? Yeah.”
Running the gauntlet
Practices such as establishing segregation of duties, identifying which employees can have access to sensitive information, and controlling what can be copied onto a USB flash drive should be spelled out and enforced. Sophisticated access and user-management controls go a long way toward preventing internal threats, but building security into different pieces of the hardware and software is the new thinking with regard to external threats.
Available tools are mature enough, and they are constantly evolving. Self-healing memories, an increasing reliance on biometrics, and an emerging national defense posture that will treat cyber defense with the same seriousness as land, air, and sea defenses are likely to emerge over the next decade, Westby said.
Since it’s a matter of time before really good hackers gain access to a system, Tyagi said the countermeasures of the future are likely to include having employees log into each application.
Jeffrey Sippel, director of hotel technology for Orbitz Worldwide, said security is being driven into the applications themselves, which will require businesses and third-party vendors to collaborate on data transfer and related issues.
The challenge will be maintaining operational simplicity while building security into each network product.
Cordell Crane, strategic security advisor for Microsoft Corp., said in their attempts to develop a more secure network “ecosystem,” businesses should make compliance a value-added process.
Richard Thieme, principal of ThiemeWorks, said staying abreast of security threats will require constant attention. Ten years from now, there likely will be threats that now are unforeseen.
“Sometimes,” Thieme said, “we can’t see the asteroid coming.”