
Security Awareness

Security Awareness is Rising while Security Protections are Falling

More Awareness - Less Action

Attacks against personal and corporate data are on the rise - more companies and individuals suffered serious losses from these attacks in 1996 than ever before. Our information and other systems are more vulnerable today than yesterday, and will be even more vulnerable tomorrow. Fortunately, corporate senior management is becoming more aware of the need to boost security. Unfortunately, they are doing less to protect us now than one year ago.

A recent survey of over 1,300 IS professionals involved in security revealed that although awareness is rising dramatically, organizations are not willing to invest the resources required to develop and implement a security strategy. The same respondents indicated that 78% - almost four out of five - of their companies have suffered a major loss due to a security breach. More than 25% of these companies suffered losses in excess of $250,000 from viruses and from malicious acts by employees and outsiders. Yet these organizations are doing less today than a year ago.

Not Me

In recent months, many successful intrusions have made big news. The Web site of the Department of Justice was compromised and its home page was significantly altered to include pornography and vulgar language. Soon thereafter, the CIA home page was similarly altered. A regional Internet Service Provider in New York suffered a denial of service attack that prevented authorized users from accessing the Internet and their email. Many other lower-profile attacks were equally successful, with equal embarrassment to the victims. Yet one fifth of companies had nobody dedicated to security, and three quarters had only a few employees with security responsibility.

One possible explanation is the Not Me Syndrome that drives so much of what we humans do. We drive fast, yet we are surprised when a patrol officer gives us a speeding ticket. We drink and are surprised when we have hangovers. We even leave our cars unlocked and are surprised when the cars are stolen. The Not Me Syndrome is, in this writer's opinion, an important factor in the decline of efforts toward increased security. The IS professionals understand the need and provide for security in their operating budgets. Upper management slashes the budget, eliminating the line items for security in favor of more technology. The result is greater reliance on technology coupled with greater vulnerability to attacks. After all, it won't happen to me, right?

Uncovering the Vulnerabilities

As a practicing computer security consultant, this writer has had occasion to test the security of a variety of organizations. One very well known company took pride in possessing one of the largest databases of information on a certain topic. That database was considered a major competitive edge. They believed their systems were secure, but asked me to perform a security assessment "just to be sure."

On the first day of the assessment, I walked into the lobby and announced I was there to see Jack (name changed, for obvious reasons). The guard doubled as the receptionist. He phoned Jack to announce my presence and ask Jack to come get me. They did not let visitors in unattended. Before entering the lobby, I had driven around the building. I noticed that the parking lot encircled the building completely, and that the loading bays in the rear of the building were quite busy. I told the guard I had forgotten something in my car, and would return shortly.

I walked to the loading bays, walked up the stairs, and proceeded to give everybody and everything the once-over. Dressed in a suit, I was on an inspection tour. I made a few comments: here complimenting somebody on a job well done and there criticizing somebody for something. I then walked through the warehouse to what was an obvious entrance into the office. I walked purposefully, yet not too quickly. As soon as somebody entered the warehouse, I made a forward motion. The entering employee politely held the door for me. After all, it is rude to slam the door in front of somebody, isn't it?

I know where computers live - they are relegated to basements. I took the elevator down. There was the computer room, with cipher locks and access cards guarding its every entrance. As I jerked toward the door, another polite employee held it for me. I nodded appreciatively and entered. I went straight to the tape racks. There, I studied the racks as if looking for specific information. I grabbed a tape with an identifier that looked something like ACCT95QTR1. That looked promising.

I took the tape under my arm, exited the room, and took the elevator to the second floor. There, looking lost and confused, I asked someone where Jack's office was. They said his office was exactly where I was, but one floor up. I went there, sat in his office, and waited. A few minutes later, he walked into his office and saw me. We had never met, but he knew who I was.

The entire escapade lasted no more than 15 minutes. In that time, I had breached their physical security by entering the building and taking a tape. I also could have used Jack's computer to browse their internal network, since he had left it logged in with no screen saver lock. The tape in my hand was, by its label, an accounting tape containing information for the first quarter of 1995. Not all evaluations begin this way, but most organizations have vulnerabilities as obvious as this one. If it isn't a physical security problem, it is a logical one or a security management problem.

Fixing the Problems

Once the vulnerabilities are revealed, the next step is to evaluate the risks and institute countermeasures to reduce those risks. Some of those countermeasures are high technology solutions; others are decidedly low tech. Many center around awareness training and security management. Developing security policies that are clear and concise (three-inch-thick binders are forbidden here) helps focus users on the need for security and on allowable actions, while helping train them that the polite thing to do is often not the secure thing to do.

The solutions require planning and management. They require time and effort on the part of IS professionals, HR departments, and employees throughout the company. In short, the costs in time and capital are significant. Though the benefits may be important, they are seldom directly traceable to the proverbial bottom line. Therefore, the security function is usually considered a support or overhead function. Unlike janitorial services, whose absence is quickly noticed, inadequate security doesn't leave an obvious mess - it only leaves a large hole with a welcome sign inviting hackers and others with less than honorable intentions into your corporate home.

Copyright © 2002-2007 Michael Miora