
The Sorry State of Cyber Security

By Elizabeth Wasserman

The year 2005 may well go down in history as the year of living dangerously in cyberspace. The sheer number and scope of data security breaches reported by public and private organizations was a testament to the overall sorry state of cyber security. CIOs need to take steps now to learn from those breaches and ensure that history doesn't repeat itself in 2006, experts say.

Reports of the loss or theft of sensitive data during 2005 seemed endless. Data aggregator ChoicePoint Inc. disclosed that thieves posing as legitimate business customers had obtained the personal records of some 145,000 people. Boston College advised that hackers gained access to a computer holding the Social Security numbers and addresses of some 120,000 alumni. MasterCard and Visa announced that thieves broke into computers at a credit card processing company, CardSystems Solutions, leaving holders of nearly 40 million credit cards exposed to fraud.

Companies lost $130 million to computer crime in 2005, according to the annual Computer Security Institute (CSI)/FBI "Computer Crime and Security Survey." While virus attacks cost companies the most, at $42 million, unauthorized access showed a dramatic increase over previous years, placing a strong second and costing companies $31 million, the report says.

A federal government panel in 2005 concluded there is a big gap between what we already know about cyber security and our deployment of technologies and processes to improve it. The President's Information Technology Advisory Committee (PITAC) reported that important IT systems in the U.S. are at risk, and attacks could threaten not only national security but the foundation of the economy in the 21st century. The panel urged more investment in cyber-security research to the tune of another $90 million in federal funds per year.

CIOs can't wait for federal government help, but they can play a vital role in improving the state of cyber security by securing and protecting their own IT systems one at a time. The CSI/FBI survey found that 48 percent of respondents said their organizations spent between 1 and 5 percent of their IT budget on security. A quarter of the respondents said their annual security spending amounted to 6 percent or more of their IT budget, in some cases upwards of 10 percent. But there is much more that needs to be done.

"Your house isn't secure just because it has locks," says Edward Lazowska, chairman of the Department of Computer Science & Engineering at the University of Washington, who served as co-chair of PITAC from 2003 until 2005. "People don't break into your house because they stand a reasonable chance of being detected and apprehended and punished. In addition to making an investment in better locks, companies need to make an investment in the sort of forensics that allows us to detect break-ins and apprehend the perpetrators."

In addition to investing in security tools and pursuing perpetrators, CIOs should consider taking some of the following steps to improve cyber security:

  • Get CEO Buy-In  The CEO and the board of directors need to understand the importance of IT security and the risks a breach poses to the enterprise. They need to understand the escalating sophistication of attacks. They also need to understand that organized crime -- not teenage hackers -- is behind many attacks, and that the threats have been moving up the stack, from operating systems to Web applications to database systems and so on.
  • Run Security Tests   A good practice is to undertake "red team" exercises, hiring a set of skilled professionals to attempt to penetrate your IT systems and expose vulnerabilities. The good news is that these teams are on your side and use the same techniques real attackers do; the scope and rules of engagement should be agreed in writing before they start, so that a test does not become an outage. The bad news is that this type of test can cost a lot of money.
  • Insist on Security from Vendors   Very little software in use today was designed on the assumption that it will face a highly skilled and well-funded adversary. Says Lazowska, "At best, we have designed software to be reliable if used as intended." He says CIOs need to convey to software vendors their need for operating systems and applications engineered to withstand a determined adversary.
  • Build Security into Contracts  CIOs can use the power of procurement to insist that security be built into the software and systems they buy, says Paul Kurtz, executive director of the Cyber Security Industry Alliance (CSIA), a public policy advocacy group focused on cyber security. Security requirements for these systems can also be written into contracts alongside maintenance terms, he says.
  • Compare Notes with Other CIOs  CIOs can link up with peers through industry associations, professional groups, or advocacy organizations, such as CSIA, to share best practices.

While computer crime is on the rise nationally, another factor is also at play behind the headlines. Many companies must now disclose data security breaches under a landmark California notification law, and that spells double trouble: not only does a company need to fix the security problem, it must also divulge the breach publicly and face repercussions in the marketplace. Notifications are likely to increase, too. California's breach-notification law (SB 1386), in effect since mid-2003, has since been joined by similar laws in a half-dozen other states. In addition, Congress is considering a federal requirement that the public be notified in the event of a data security breach.

The price can be steep for companies that fall victim to lost or stolen data. Market capitalization can decline, and brand names can be damaged. That damage, in turn, can hurt the bottom line.

"At the end of the day, corporations should be taking this issue very seriously to protect market share, to protect investors, to protect employees, and to protect their brand," says the CSIA's Kurtz. "If individual firms take this issue more seriously and raise the overall bar, the possibility of a major attack lessens."

Elizabeth Wasserman has written about technology and business for Inc., CIO Insight, and the San Jose Mercury News. She is a freelance writer based in Fairfax, Virginia.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
