Web security - a contradiction?

By RICHARD POYNDER

19th June 2002

BOOK REVIEW SAFETY NET, PROTECTING YOUR BUSINESS ON THE INTERNET

One of the mantras of the dotcom boom was that, since the internet introduces a truly "frictionless market", companies had nothing to lose and everything to gain from embracing e-commerce. What was often forgotten, however, was that web-enabling a business can be enormously costly.

Leaving aside the expense of building the necessary technical infrastructure, connecting an enterprise to the internet introduces significant security costs. Costs, moreover, that are increasing year on year, as companies are confronted by a rising tide of "electronic warfare" - hacking, denial-of-service attacks, cyber fraud, theft, and espionage. A Department of Trade and Industry survey published in April suggests 44 per cent of UK businesses have suffered at least one malicious security breach in the past year.

In addition, organisations face constant bombardment from computer viruses. In a recent US-based survey, interviewees reported $45.3m ( £30.5m) in losses resulting from viruses alone in 2001 - 65 per cent higher than in the year before. Tellingly, however, 37 per cent of respondents were unable to quantify their losses.

Since most hacking cases go unreported, and companies generally do not size the losses incurred from security breaches and viruses, the true cost of the problem is unknown. What are the financial implications, for instance, if a $55,000 computer that processes $2m in monetary transactions a day goes offline because of a virus? What are the costs in negative public relations and loss of customer confidence (and perhaps business) if a company suffers a serious attack by a hacker?

For this reason, many managers do not appreciate the seriousness of the threat they face, and few companies have adequate security policies in place.

Kathleen Sindell argues that internet security is a serious management issue, and her book, Safety Net, is designed to be both a wake-up call and a handbook to help managers get the right policies in place. Security of a web-based business is not only a technical matter, but also a business issue that can determine the success or failure of the enterprise, she says.

"Traditional brick and mortar businesses would not consider operating without some type of security, such as security guards, an alarm system, video cameras, and the like," Sindell says. "In contrast, many web-based businesses view security as an unnecessary expense."

Managers often assume that network security requires little more than the installation of a firewall. But as Sindell points out, firewalls are only one element of an effective security system. They are not, for instance, generally designed to screen for viruses, or prevent the physical destruction of data. Nor can they guard the confidentiality of data on the internal network, or protect a company from attacks designed to circumvent firewalls.

Whether many managers will plough through the huge array of technical terms and checklists in the book, however, is doubtful. Those who do are likely to feel a growing sense of powerlessness at the increasing sophistication of the many cyber weapons now targeted at them.

They are also likely to be concerned at the potential costs associated with installing the growing list of defensive tools designed to ward off these attacks - including firewalls, Secure Socket Layer, proxy servers, intrusion detection systems, network monitoring tools, digital rights management systems, digital certificates, authentication systems and encryption tools, as well as the plethora of anti-virus tools. Moreover, the launch of wireless networks and web services (not mentioned in the book) means that cyber security is set to become both more complex and more costly.

But the most worrying aspect highlighted in Safety Net is that none of the defensive tools available today is anything like foolproof. "For web-based businesses, internet security impenetrability is not possible," says Sindell. "Consequently, web-based businesses are open to crimi nal practices that brick-and-mortar counterparts can easily overcome."

The nub of the problem, she says, is that the internet was created as a non-secure system, yet it is now being asked to become a channel for commerce.

As a result, it is hard not to conclude that corporate security efforts could usefully encompass a greater degree of carrot, and less stick, than Sindell envisages. For instance, while she points out that professional hackers often prefer "social engineering" techniques - such as persuading employees to hand over passwords by deception rather than spending hours trying to break in to a system - most of the countermeasures she proposes rely on costly, often intrusive, and generally fallible technology solutions, rather than positive social engineering approaches.

Thus, while pointing out that an estimated 68 per cent of all security breaches are perpetrated by disgruntled employees, Sindell misses the opportunity to suggest that reducing the level of disaffection among employees could perhaps prove a useful component of the wider security effort.

True, she recommends that managers also try to instil a strict culture of security in the company, adding disapprovingly that "the culture of some enterprises encourages the sharing of information". However, not only is this unlikely to deter the disaffected employee, it runs counter to the central tenet of one of today's most dynamic business philosophies: knowledge management.

Internet security is a topic managers ignore at their peril. Books such as Safety Net can play a useful educational role, but the harsh truth is that there is no silver bullet, and the problem is likely to get worse before it gets better.

Safety Net, Protecting Your Business on the Internet, Kathleen Sindell, John Wiley & Sons, 2002, £22.50