In recent years the impact of the Internet and e-commerce has triggered major change in the traditional IT security scene. The exponential increase of Internet working in the e-world has resulted in a huge web of interconnectivity.
We are seeing a steady increase in business transactions over these networks, and the steady erosion of distinction between the front and the back office in organisations. The basic security risks - hacking from within or without, viruses, spoofing and so on - have not changed hugely, but the speed and business impact of security breaches have increased dramatically.
IT security has moved from a focus on products serving islands of mission critical activity to a pervasive blanket, protecting whole organisations, and their interactions with their supply chains and customers.
The changing security model: New risk areas
The traditional aims of security; to protect confidentiality, integrity, and availability of data, while still critical, have now broadened with far more emphasis on factors such as authentication, verification, identification and non-repudiation of electronic communications.
But above all, the traditional security model is changing from an IT issue focused on data. It is now squarely a business issue, embracing new areas of business risk. Two new risk areas have come to prominence as never before.
Firstly, the front office is very exposed in the e-world. If anything goes wrong there is an immediate impact on brand. An organisation's brand is of critical value, and is influenced as much by perception as reality. Therefore the business impact of security breaches can be out of all proportion to their actual impact.
Secondly, business processing is now becoming continuous and global. We're moving into the non-stop world, with order taking and processing being transacted day and night, and with this come strong interdependencies. Any security breakdown is mission critical, with a direct impact on the bottom line.
So the value network has become tighter. Every organisation's security is dependent like never before on its clients' security. This has been self-evident within the banking community but not within other sectors.
A prerequisite for the success of e-business is the need to promote trust in the overall transactional system - on both a global scale and on a company scale.
Customers require a seamless experience when making transactions. Much is being done internationally to get interworking trust models and services together - such as Identrus (www.identrus.com). Much preparatory work is underway and will have widespread impact. The aim is to provide confidence by using existing banking and credit frameworks to guarantee authorised transactions and provide/underwrite electronic cash and/or micropayments.
Security invariably involves a trade-off and some degree of business exposure. For example, many banks, ultra secure in their traditional operations, have experienced problems with Internet banking. That is a result of pressure to get to market quickly for competitive edge, and trade-off of security investment against costs. The value of the organisation's assets, including brand and reliance on non-stop trading, has to be balanced against the cost of not implementing certain security changes.
Experts reckon that good security should cost five to fifteen per cent premium on the IT budget. Actual figures are hard to come by, but UK companies, for example, currently spend about GBP 2.52 billion on IT security, about 4.5 per cent of the total IT budget, to rise to GBP 3.79 billion (5.6 per cent) in 2002 (source: KEW Associates).
There are basic management controls that will immediately reduce risk in most companies. These are in two broad areas: ensuring the security products themselves can be trusted, and building and enforcing strict security practices and procedures into the organisation.
Technology implementation must conform rigorously to business need. Good security depends on strong design and engineering detail, combined with strong policies and implementation rigor. The traditional security robustness of the mainframe era needs to be transferred across to the e-business era. However, sufficient rigour is often missing, especially for organisations that introduced IT in the post-mainframe era.
Care must also be paid to off-the-shelf security products, too. We cannot assume that software out of a box has the security features an e-business operation needs. Even if they are there, they may need to be positively selected during implementation and defaults reset. Software management tools are not always adequate. Many do not supply real-time management information, trend monitoring or auditing. Some won't let you apply the first rule of security: to divide up duties, and assign all rights with any rights. Such basic business-related questions are an essential part of any implementation.
The importance of effective internal management policies
However much is spent on technology, humans remain the weakest link in the security and the severest threats often come from within an organisation. The first priority in any organisation, therefore, has to be its internal security management policies. It is important to instill a security conscious climate throughout the organisation.
Risks can be anything from users leaving their PCs switched on in an empty office to contractors siphoning off software via e-mail. In particular, web-based knowledge management opens up a whole new opportunity for security breaches. Sharing knowledge adds value, but knowing who you're sharing it with adds even more.
Also there is a dangerous tendency for organisations to give their network managers an inadvisable degree of omnipotence. "He can bring down the organisation instantly," said one security specialist, "So he should be saintly, but not God."
Just having policies and procedures is important, and the information security management standard BS7799 is a good starting place. It is not all embracing, but it does get an organisation a long way down the road to robust security.
It is no use having security policies and procedures if staff don't know about them and don't have to care about them. Staff awareness of security is essential. Therefore, it is important to provide training to raise awareness of the dangers, and current thinking increasingly favours a contract of employment that makes laxness about security a potentially career-terminating offence.