
Electronic security threats come from outside and within


Besieged companies are facing both internal and external threats to their Internet security, and the danger is growing, say observers.

Most attacks are inspired by a wide variety of nonpecuniary motives that range from the desire to learn a colleague's salary to the possibility of earning bragging rights over fellow hackers. But a growing number of attacks, both internal and external, are launched to make money, and these can cause companies serious financial and reputational harm, as well as expose them to potential liability.

But enhanced Internet security measures can make it harder to use the Internet, forcing companies into a delicate balancing act between online security and ease of use.

Companies should also conduct cost/benefit analyses to determine whether the benefits of particular security measures, such as encryption, justify their cost and trouble (see story, page 18).

Because there is no limit to criminal creativity, or nefariousness, there will never be a 100% guarantee of Internet security.

But vigilance can help address the problem, according to Jim Bollman, corporate risk officer for Omaha, Neb.-based Ameritrade Inc., an online stock brokerage. "You've got to recognize the problem exists," then examine your system and see what policies, procedures and tests are in place "to continuously make sure the bad guys can't get to you, whether inside or outside your system," Mr. Bollman said. "And if you're doing that, then you don't have headaches."

"It's just like any other threat," said Pushpendu Pal, vp and chief technology officer for Indianapolis-based WellPoint Inc. "You have to constantly scan the market...to see that we are ahead of them."

Internet security has attracted increasing attention in recent weeks due to several well-publicized security breaches. Alpharetta, Ga.-based ChoicePoint Inc., a national provider of identification and credential verification services, was recently forced to tell 145,000 consumers that their personal data may have been accessed.

Dayton, Ohio-based legal information provider LexisNexis USA sent similar letters to 280,000 individuals. And in March, DSW Shoe Warehouse, a subsidiary of Columbus, Ohio-based Retail Ventures, Inc., reported that data on transaction information involving 1.4 million credit cards had been stolen.

According to Deloitte Touche Tohmatsu's 2004 Global Security Survey, 83% of respondents acknowledged that their systems had been compromised in some way in the previous year.

The problem is "huge," said Earle S. Humphreys, senior marketing officer at Omaha, Neb.-based Solutionary Inc., an Internet security company. "It went from being hackers to, now, organized criminals," with the criminal element "growing and becoming more sophisticated," he said.

Furthermore, all the publicity surrounding the release of confidential information is beginning to erode consumer confidence in using the Internet, said Mr. Humphreys.

Also spurring companies' responses are federal and state laws. The Sarbanes-Oxley Act, for instance, mandates that public organizations demonstrate due diligence in the disclosure of financial information. Because of Sarbanes-Oxley, "suddenly, executives are asking questions security persons never heard before, like 'Are we monitoring applications?' " noted Mr. Humphreys.

And privacy provisions in the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley law, which affect the health care and financial services industries, respectively, also call for companies to turn their attention to this issue.

To date, California is the only state that requires consumer notification of identity theft, but proposed legislation modeled on the California law has been introduced in Congress.

The most vulnerable firms are high-profile organizations such as financial companies that capture identity-related information that includes Social Security numbers, salary and credit card information, said Peter Foster, Boston-based senior vp and information risk adviser for Marsh Inc. "Anyone that is a collector of information in the aggregate" is a target, he said.

Charlotte, N.C.-based Wachovia Corp., for instance, is focusing more attention on "phishing," in which consumers are led to false Web sites that are designed to mimic legitimate sites and lure them into revealing personal financial information.

Julie Hoffman, the bank's senior vp and director of implementation and transition management for e-commerce, said that although these sites have not led to any significant losses to date, their volume has increased since Wachovia's acquisition last year of Birmingham, Ala.-based SouthTrust Corp., as criminals try to take advantage of any confusion caused by the deal to gain financial information.

Wachovia is addressing this issue through measures including consumer and employee education, as well as with external tools that are used to detect the use of its name or trademark in order to pre-empt any attacks that may occur, Ms. Hoffman said. She added, though, that "these attempts are getting more sophisticated, and now we're having to look at a broader range of technical, educational and other tools" to address the issue.

But while external attacks can have a devastating impact from both a public relations and a reputational perspective, many believe companies are particularly vulnerable to internal attack. The commonly cited analogy is that of an M&M candy: a hard shell, but a soft inside. These observers contend that while companies have made major strides in protecting their perimeters through tools that include firewalls and anti-virus software, they may have left their internal systems relatively unprotected.

Companies "don't take nearly as much time or caution about defending the inside from the inside," noted Marty Lindner, team leader for incident handling at Carnegie Mellon University Software Engineering Institute's CERT Coordination Center in Pittsburgh.

"Outside attacks probably far outweigh the number of insider attacks," he said. "The insider attack, though, can be much more devastating." Mr. Lindner noted that an insider does not need to find a system's weaknesses. "I don't need to break into a machine that I already have access to," he said.

There are also cases in which employees with malicious intent link up with outsiders to work together, said Rick Fleming, chief technology officer for San Antonio-based Digital Defense Inc. "Those types of internally based attacks definitely are becoming more prevalent, because the monies are getting huge," he said.

One issue companies face is that security and ease of use are not necessarily compatible. The use of smart cards (cards that contain an embedded microprocessor for the storage and processing of information) and similar approaches are appealing in terms of making sure the environment is secure, but "few consumers are going to deal with that level of intrusion" of having to carry another card around, said Ted DeZabala, a principal with Deloitte & Touche L.L.P. in New York.

Systems have been "designed for ease of use and functionality, not security," said Mr. Humphreys. "We all wanted functionality," but "it doesn't come free. It comes at a security risk. Now we're starting to compromise" in an effort to balance the two factors, he said.