Instances of security breaches of corporate IT systems are increasing dramatically. A recent PwC report* for the DTI found that 78% of large businesses suffered some form of breach in 2002, whether they were targeted by hackers, had files corrupted by viruses, data stolen by employees or systems brought to a standstill by denial of service attacks. Only 24% of companies admitted to such breaches in 2000.
Whether the rise in reported cyber crime reflects a lessening of the stigma attached to admitting security failures, or a genuine explosion in criminal activity, is debatable. But what is certain, according to some IT analysts, is that, although companies are getting better at buying IT security kit, board-level executives aren’t being smart enough when they sign the cheques and implement strategy.
Graham Titterington, senior analyst at Ovum, thinks security could be tightened if board members stopped merely claiming to be involved in security issues and started to take ownership of them. “Security is an amalgam of a lot of different approaches and technologies, and buying decisions come from different areas of the organisation. So, while putting anti-virus software on a machine is pure, simple procurement, user authentication is a line-of-business issue, and security at the server and gateway is an issue for the IT department,” he says.
“That fragmentation of decision making is a prohibitor and I would like to see much more buy-in from board level to drive a unified procurement process. There seems to have been an increase in concern at board level – but their input is still quite woolly.”
Pan Pantziarka, technical architect at Compass Management Consulting, thinks the all-pervasive nature of IT security is partly to blame. There is just too much for an FD to take on board. “Security is not about trying to secure a fortress, it is more like securing a building site – the perimeter is changing all the time,” he says. “It is imperative that organisations view security as a continuous process that never reaches a steady state.
Security has to be inherent in every area – from site development (particularly with respect to object-based software and web services), server and network configuration and management, to detection and monitoring.”
Businesses often get hung up on one aspect of IT security, such as securing websites for credit-card transactions. Titterington says that is largely wasted effort. “There are few examples of hackers stealing credit-card details as transactions take place over the web. In most attacks, people hack into the databases of offline retailers and rip off thousands of credit-card details,” he says.
But FDs and other board members shouldn’t just sit back and accept that their businesses will be hacked. After all, they wouldn’t leave their car door unlocked if there were joyriders in the area. If they do nothing else, FDs should provide the risk analysis on which a comprehensive security policy for their business is built. As Titterington says: “The IT department can demonstrate the potential pitfalls, but those directors who know the business risks and can calculate the impact of security breaches in financial terms should be involved.”
FDs can’t look after the nuts and bolts of IT security, but they can drive a unified strategic approach to managing the risks and preparing a financial structure that can withstand the worst a hacker can do.
*PwC/DTI Information Security Breaches Survey 2002.