Book Excerpt Part III: The Executive Guide to Information Security
By Mark Egan with Tim Mather
The following article is adapted from Chapter 1 of "The Executive Guide to Information Security," by Mark Egan with Tim Mather, which is scheduled to be published in November 2004. This is the final in a series of three.
Recent information security incidents and increased reliance upon the Internet have prompted governments around the world to create additional legislation to regulate the technology ecosystem. This legislation ranges from broad areas, such as consumer privacy, to regulations specific to industries such as health care and financial services. Because the Internet is easily accessible from many places in the world, it is important to understand these regulations and to operate in compliance with them. Companies that adhere to them, and thereby offer their customers a safe and secure method for conducting business, can differentiate themselves from their competitors.
Privacy is a major issue in electronic commerce due to the high risk of misuse of personal information. Computer systems contain personal information for millions of customers, and if companies do not take the necessary precautions to ensure that this information is safe and secure, their customers can have their identities -- including data such as name, address, phone number, and credit card numbers -- stolen and sold to the highest bidder on the Internet. Previously, only a highly skilled hacker could break into these systems and access confidential information. This is no longer the case; now a novice can use readily available tools and gain access to these systems if the company does not use the proper safeguards.
This situation has prompted considerable legislation to protect the rights of consumers, because their personal information is now much more readily available in electronic format. The European Data Protection Directive is an important regulation because Europe takes a much stricter view of privacy than the United States does. This directive prohibits the export of personal data, such as name, address, and telephone number, to countries that do not meet the European Union's minimum standards for consumer privacy protection. These standards require that no one may sell, rent, or transfer consumer data to a third party without that individual's explicit permission. The directive applies not only to customer information but also to employee information held in companies' internal human resource systems.
In May 2000, the Safe Harbor Agreement was enacted for U.S. companies that are regulated by the U.S. Federal Trade Commission (FTC) and have operations in the European Union. This agreement enables these organizations to comply with the European Data Protection Directive by adopting the Safe Harbor Principles.
These principles require controls to ensure that personal information is protected from loss, misuse, unauthorized access, disclosure, alteration, and destruction as a condition of certification. Companies certified under the Safe Harbor Agreement can transfer personal data out of the European Union, with certification renewed annually. It is safe to say that other countries will adopt similar legislation for protecting the privacy of their citizens' personal information.
An important consideration for business executives to remember is that laws and regulations are generally enacted on a country-by-country basis, while electronic commerce is performed globally. As soon as your business uses the Internet to conduct business, you are doing business on a worldwide basis. This has the tremendous advantage of offering your products and services globally; however, you also need to comply with local regulations. These regulations are by no means consistent, and you could easily find yourself in conflict with one regulation by complying with another. The Safe Harbor Agreement is an example of the U.S. working out an agreement with the European Union to meet its regulations. Other countries will follow similar strategies to ensure that their industries are competitive and can operate freely in major markets such as the European Union.
One major challenge is that certain countries do not place a high priority on protection of personal information or intellectual property. They might have more pressing issues, such as food or medicine, and might be unwilling or unable to police individuals who are engaged in activities such as software piracy. These criminals operate freely in such countries without fear of law enforcement agencies shutting down their operations. These safe havens for cyber criminals pose additional challenges for legitimate businesses, which have little legal recourse against the illicit activities of software pirates. Unless business executives put strategies in place to protect their intellectual property and customer information, they run the risk of falling victim to these individuals.
Mobile workforce and wireless computing
The arrival of mobile computing devices has had a significant impact on everyday life. Wireless communications liberate employees and consumers from relying on phone lines to communicate. Looking for a phone booth to make a call or going to the office to access email is quickly becoming a fading memory. Information availability and communications have greatly increased due to mobile computing devices. With the convenience of these devices, information security concerns increase because the confidential information stored on them needs to be protected.
In the past, staff members typically used one computer in the office for business purposes and a different one at home for personal use. These lines have blurred considerably over the past few years, with mobile computers now outnumbering the desktop computers that remain in homes and offices. Laptop computers enable employees to continue working at any time from any location. Personal computing devices for storing names, addresses, phone numbers, and so on are no longer restricted to business professionals; even teenagers now keep track of this information using mobile devices.
The 802.11 protocols for wireless local area networking, first standardized in 1997 and widely adopted after the 802.11b amendment of 1999, have revolutionized the mobile computing industry. The 802.11 protocols are the equivalent of a common "language" that enables these mobile devices to communicate with each other. Wireless adapters that take advantage of the 802.11 protocols are available for mobile devices. In some areas, wireless ISPs have begun offering high-speed Internet access without the need for phone lines or a cable connection. Accessing the Internet, sending email, and logging into the company network is now possible from the home, the backyard, or your favorite park.
The challenge from a security perspective is twofold. First, all the protection offered in the company office must now be incorporated on the laptop computer or mobile device. Second, the 802.11 protocols themselves have weak security features: the encryption built into the original standard, Wired Equivalent Privacy (WEP), has design flaws that allow anyone within radio range to read or alter traffic using freely available tools. When physically in the office, employees can take advantage of the company's security protection, such as firewalls and anti-virus software. These products can be set up to operate in the background, and employees often do not realize that they continually protect their systems from threats such as computer viruses. When employees leave the office, this same protection must be included on notebook computers or handheld devices to ensure that they can continue to operate in a safe and secure manner. In addition to lacking information security tools, mobile devices that might contain valuable intellectual property, customer information, or other sensitive information also run the risk of theft or loss.
New technologies often initially focus on features and functionality at the expense of security in order to obtain critical mass and adoption. This was the case with 802.11: individual consumers embraced the technology early and were less concerned with someone reading their email or obtaining access to their personal address book. Businesses, on the other hand, cannot take those risks, because enterprise systems contain vital company records whose disclosure to unauthorized parties could disrupt operations. Companies must give careful consideration before leveraging wireless technology in mainstream business.
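The chapter says only that 802.11's security features are weak; it does not name the mechanism. The following is an added illustration, not code from the book or its authors, of two of the documented design flaws in WEP, the encryption option of the original 802.11 standard: the 24-bit per-frame IV repeats on a busy network, so two frames can share an RC4 keystream, and the CRC-32 integrity check is linear, so an attacker can flip plaintext bits and repair the checksum without the key. The key, IV, and frame contents are constructed for the demonstration; the RC4 and framing code is a minimal reimplementation for illustration only.

```python
"""Two design weaknesses of WEP (original 802.11 encryption), for illustration.

WEP seeds RC4 with a 3-byte IV prepended to the shared key and appends a
CRC-32 "ICV" to the plaintext before encryption.  Toy code, constructed for
this example; not a production implementation of anything.
"""
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + output generation); enough to show the construction."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body: IV (sent in clear) || RC4_{IV||key}(plaintext || CRC32(plaintext))."""
    assert len(iv) == 3
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    ks = rc4_keystream(iv + shared_key, len(plaintext) + 4)
    return iv + xor(plaintext + icv, ks)


def wep_decrypt(shared_key: bytes, frame: bytes):
    """What a receiver computes: (plaintext, True if the ICV verified)."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4_keystream(iv + shared_key, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    return plaintext, zlib.crc32(plaintext).to_bytes(4, "little") == icv


# Weakness 1: IV reuse.  A 24-bit IV space is exhausted within hours on a busy
# network, and the standard does not even require the IV to change per frame.
def recover_with_known_plaintext(frame_a: bytes, known_a: bytes, frame_b: bytes) -> bytes:
    """Two frames under one IV share a keystream, so C_a ^ C_b = P_a ^ P_b.
    Knowing P_a (e.g. a predictable protocol header) yields P_b with no key."""
    assert frame_a[:3] == frame_b[:3], "needs an IV collision"
    n = min(len(frame_a), len(frame_b)) - 3 - 4          # strip IV and ICV
    return xor(xor(frame_a[3:3 + n], frame_b[3:3 + n]), known_a[:n])


# Weakness 2: linear integrity check.  CRC-32 is affine over GF(2), so for
# equal-length inputs crc(P ^ D) == crc(P) ^ crc(D) ^ crc(zeros).  The attacker
# XORs the same correction into the encrypted ICV and the frame still verifies.
def flip_bits_without_key(frame: bytes, delta: bytes) -> bytes:
    """Return a frame that decrypts to plaintext ^ delta with a valid ICV."""
    iv, body = frame[:3], frame[3:]
    plen = len(body) - 4
    delta = delta.ljust(plen, b"\x00")[:plen]
    icv_fix = zlib.crc32(delta) ^ zlib.crc32(bytes(plen))
    return iv + xor(body, delta + icv_fix.to_bytes(4, "little"))


def demo():
    key = b"\x01\x02\x03\x04\x05"                 # 40-bit WEP key (constructed)
    iv = b"\x0a\x0b\x0c"                          # the same IV on two frames
    p_a = b"GET /index.html HTTP/1.0\r\n"         # guessable plaintext
    p_b = b"password=hunter2&user=ceo\r\n"        # secret plaintext, same IV
    f_a = wep_encrypt(key, iv, p_a)
    f_b = wep_encrypt(key, iv, p_b)
    recovered = recover_with_known_plaintext(f_a, p_a, f_b)
    # Change "hunter2" to "letmein" in the encrypted frame without the key.
    delta = b"\x00" * len(b"password=") + xor(b"hunter2", b"letmein")
    forged = flip_bits_without_key(f_b, delta)
    forged_pt, icv_ok = wep_decrypt(key, forged)
    return recovered, forged_pt, icv_ok


if __name__ == "__main__":
    recovered, forged_pt, icv_ok = demo()
    print("recovered without key:", recovered)
    print("forged frame decrypts to:", forged_pt, "ICV valid:", icv_ok)
```

Neither attack needs the shared key, which is why the fix for enterprises was not a longer key but a different protocol (802.11i, marketed as WPA2, with per-frame keys and a keyed message integrity check), and why the book's advice to treat wireless as untrusted and extend office-grade protection to the device itself still holds.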
These risks extend to all mobile devices, such as cell phones and personal digital assistants, that contain valuable information. As a result, companies need to ensure that their information security program covers all devices that frequently leave the office and are easily lost or stolen. They can no longer count on safely locking computers in the office when employees go home at night. Wireless communication offers many compelling advantages over traditional wired communications, but controls must be in place to ensure that the company's most valuable secrets remain secure.
Summary
The Internet is a powerful tool for businesses today, and it is important to understand the inherent security risks when leveraging this technology. The Internet was designed for communication among a small community of trusted parties, an assumption that no longer holds now that the number of users has grown to hundreds of millions. Major challenges exist today that businesses must consider when leveraging the Internet, and this chapter has provided some insight into the importance of including information security in your future business strategy.
These risks will not go away, and successful companies will adopt strategies to minimize them and offer unique solutions to their customers. Information security can be used as a strategic differentiator, especially in a global economy that conducts more and more business electronically. Secure business systems are a value-added selling tool to an increasingly savvy and cautious customer base. It is much better to incorporate some basic information security principles into your business operations than to delegate these activities to your IT department and hope that they are adequately addressed.
Mark Egan is chief information officer for Symantec and vice president of Information Technology. Tim Mather is Symantec's Senior Director of Information Security, and is a Certified Information Systems Security Professional (CISSP) and a Certified Information Security Manager (CISM).