
Testing the defences
Facing up to the challenge of corporate security

A report from the Economist Intelligence Unit
sponsored by Nortel Networks

Foreword by Rudolph W. Giuliani

Acknowledgements

Testing the defences: Facing up to the challenge of corporate security is a white paper written by the Economist Intelligence Unit and sponsored by Nortel Networks. The Economist Intelligence Unit bears sole responsibility for the content of the report.

The main author was Terry Ernest-Jones and the editor was Gareth Lofthouse. The findings and views expressed in this white paper do not necessarily reflect the views of Nortel Networks, which has sponsored this publication in the interests of promoting informed debate. The research effort for this report comprised two key initiatives:

● The Economist Intelligence Unit conducted a special online survey to test the attitudes of senior executives worldwide to corporate security; 178 international executives participated. Full survey results are available in an appendix to this report.

● A series of in-depth interviews was held with leading corporate and regulatory figures in August and September 2003. Executives at over 30 different institutions worldwide were interviewed, from a diverse range of countries and industries.

Our deepest thanks go to all the interviewees and survey respondents for sharing their insights on the topic.

© The Economist Intelligence Unit 2003

Foreword

Rudolph W. Giuliani, CEO of Giuliani Partners LLC and former mayor of New York City

Businesses today face threats that would have been unimaginable 20 years ago. The events of September 11 alerted the world to a new kind of terrorism—one that can claim countless lives and instantly put companies out of business. Corporations also face dangers on the Internet. Where it was once enough to hire guards to protect buildings and the information inside, companies now struggle to keep out electronic intruders.

Business leaders are more aware of these dangers, but few are doing enough to prepare. Many organisations do not have the contingency plans needed to manage the loss of a facility. Security professionals are often too junior, making it likely that these issues won't receive the attention and resources they deserve. And many companies continue to operate without testing and strengthening the defences around their IT systems.

Addressing the risks we face requires foresight. $10 million spent on corporate security will hit the bottom line today and may not show its worth for many years. But when a security incident occurs, that investment will pay for itself many times over.

As mayor of New York, I remember thinking that the hundreds of millions of dollars we spent preparing for Y2K (the year 2000 bug) might have been wasted, because there was no systems collapse at the turn of the millennium. On the morning of September 11, I realised that it wasn't. Having thought our way through a complete breakdown of the city's systems, we had the backups that allowed us to get a new command centre partly operational within two hours, and fully operational two days later. Similarly, all of the work we did over the previous few years to prepare for a terror attack—including the drills, the tabletop exercises, and the creation of an emergency management centre—proved invaluable.

As this report explains, business leaders have a similar opportunity to provide urgently needed leadership for their companies. Companies should not be deferring an issue like corporate security merely because the threats are hard to quantify. Instead, CEOs and boards should consider the future cost of failing to act today.

Rudolph W. Giuliani
Chairman and CEO, Giuliani Partners LLC

Executive Summary

It takes an experienced hacker 5-10 minutes to break into the average organisation's systems. Board directors rarely show the same sense of urgency when it comes to building their security defences. For years, security has languished at the bottom of the management agenda.

That is changing, however, as executives realise how vulnerable their businesses have become. The Internet alone has multiplied the frequency and impact of security attacks many times over. Supply chains now extend across international boundaries, and companies routinely share information with their customers and partners.

This leaves companies on the horns of a dilemma: to compete in the knowledge economy, it seems they must expose their systems to an unprecedented range of abuses.

As part of the research for this white paper, the Economist Intelligence Unit conducted a survey of senior executives around the world on their key security concerns. The findings reveal some interesting inconsistencies in management thinking. The majority of executives, for example, believe computer viruses are the most frequent and damaging form of security incident. They are only partly right: in reality theft of proprietary information is a much more costly evil, according to US-based research conducted by the Computer Security Institute and FBI. And despite fingering hackers as the most prominent threat, 58% of our respondents also said most security incidents are accidental rather than deliberate. Lack of good quality information may be the source of this apparent confusion: 62% of companies don't even attempt to quantify the security risks they face.

Understanding the threats is one challenge; developing the right strategy to meet them is another. In addition to the survey, we conducted in-depth interviews with prominent security strategists and professionals, law enforcement agencies and legal authorities, as well as a reformed hacker. Based on this research, the white paper highlights three key issues for corporate strategists:

● Employees hold the key to corporate security. Most executives in our survey believe their organisations are more vulnerable to a failure of internal process than a failure of technology. In the narrower realm of computer crime, the 2003 CSI/FBI survey indicated a fifty/fifty split between incidents originating from inside and outside the organisation. Employees therefore need to be encouraged to take personal responsibility for corporate security. A combination of clear rules and policies, employee education and motivational strategies is key to creating a more proactive, security-aware culture. Fortunately, many of these measures are relatively inexpensive to implement.

● Companies must deliver a co-ordinated response to a wide range of threats. Few companies currently have an enterprise-wide strategy that covers all the facets of corporate security. IT is only one part of the problem: companies urgently need to address other vulnerabilities throughout the organisation. The different security functions—IT, physical security, risk managers and human resources—need to work together to provide a more co-ordinated corporate defence. Companies also need a stronger framework for risk analysis to help prioritise their security response.

● The buck stops with the board. Too much responsibility for security is delegated to relatively junior echelons of management. Boards need to lead from the top, setting priorities and driving cultural change against a coherent business plan. Better communication channels must be established between senior management and the key security functions; overcoming the 'language barrier' between business executives and technical specialists will also be crucial. Above all, executives will need—and should demand—better information to enable more informed decision-making on all matters of security.

Despite the growing list of threats faced by their companies, many executives blow hot and cold on corporate security. But in the future, board directors will have a greater incentive to invest more time in these issues. A raft of new laws and regulations will make them directly accountable for preventable security breaches. In the event of major business losses, the board will need to show that it has taken appropriate steps with security, or face fines, litigation and even imprisonment. In the end, self-interest may bring much needed urgency to the debate on corporate security.

Checklist

1. Can your security people present their case in terms the board understands? More often than not, there is insufficient understanding on both sides of the business/security divide.

2. Is there a board member clearly accountable for security? Overall responsibility should be assigned to a board member who can bring sufficient impetus and focus to the security effort.

3. Are you up to date with board members' liability under new legislation? Top executives are increasingly liable in the event of losses arising from a preventable breach.

4. Consider specialised insurance to cover network risks. Threats now posed by the Internet and complex corporate networks are not usually covered by traditional insurance policies.

5. Do you have an active security awareness and training programme for staff? Excellent technical security becomes nearly worthless without an equally sound security culture in the organisation.

6. Is your security technology properly targeted and updated? Money is wasted when companies install top-rate technology, but fail to ensure it is really offering protection.

7. Is there good communication between the different security units? Does physical security talk to IT security? They cannot operate effectively in isolation.

8. HR must be involved in security. Security awareness should be built into employee recruitment, induction, education and administration.

9. Do you have the information you need to understand risk? There is no such thing as complete security, so the board has to be briefed on the risks it faces, and prioritise them.

10. Business continuity plans for recovery after a major breach must be tested regularly. If not, they are practically useless.

Understanding the threat

What are the main threats to corporate security? Where do they originate, and what measures are required to prevent them? These are perennial questions for the security profession, yet the issues remain clouded by confusion.

A new survey of 178 senior executives conducted by the Economist Intelligence Unit sheds light on the most prevalent types of business attack. Executives cited computer viruses and worms as the most frequent type of incident, but companies are wrestling with a catalogue of other evils. For example, the survey highlights unauthorised network access and accidental leaking of information as important issues, while corporate espionage and terrorism are seen as rare but significant in their effect.

These answers provide some insight into the types of risks companies face, but the survey also reveals inconsistencies in how senior executives approach security. Over 70% of companies in our survey conduct a risk analysis of their security environment once a year or more. Yet only a minority of the companies surveyed attempt to quantify the security risks they face. For most, security planning still involves a large amount of guesswork.

Despite the uncertainties, one thing is clear: businesses pay dearly for their security failures. A survey conducted by the UK's Department of Trade and Industry suggests information security breaches cost British business billions of pounds every year—a story no doubt repeated in any country where Internet usage is high. Even this may be the tip of the iceberg, however: last year, theft of intellectual property was twice as costly to US businesses as electronic viruses, according to the CSI/FBI survey on computer crime. Given the cost of poor security, organisations have plenty of incentives to put their defences in order.

Survey question: Over the past three years, which of the following security risks have had the most significant direct impact on your business's bottom line? Please rate each from 1 to 5, 1 being no impact and 5 being a very grave impact. (% of respondents)

                                                           1 No     2 Little  3 Some   4 Considerable  5 Very grave
                                                           impact   impact    impact   impact          impact
 1. Threats to individual members of staff                 51%      33%       14%      1%              0%
 2. Theft of personal items of members of staff            43%      42%       14%      1%              1%
 3. Theft of intellectual property/piracy                  28%      41%       21%      10%             1%
 4. Terrorist attacks or alerts                            63%      18%       13%      5%              1%
 5. Disease control measures                               53%      23%       17%      6%              1%
 6. Competitive espionage                                  38%      40%       16%      5%              1%
 7. Unauthorised access to the network                     34%      42%       17%      6%              1%
 8. Viruses and worms                                      20%      36%       28%      15%             1%
 9. Accidental leaking of information or data              42%      37%       16%      4%              2%
10. Deliberate leaking of information or data              44%      32%       16%      6%              3%
11. Deliberate damage to physical assets (building/plant)  57%      28%       11%      4%              1%

The art of assessment

"Security is about risk, and how to prioritise risk," according to Nick Coleman, IBM's head of security services. Most experts agree—but how companies go about doing this varies widely.

Stephanie Daman, head of information assurance at the banking group HSBC, says risk assessment has to start with the question: "What would stop my business?" Out of this, companies can develop a natural list of priorities.

Paul Dorey, director of digital security at BP, divides risk assessment into three areas: the threats themselves, their impact on the organisation, and vulnerabilities. He believes the assessment of threats is best carried out centrally, whereas the review of vulnerabilities, and their impact, should be carried out at the business unit level. These should be aggregated and reported back at the group level, enabling the board to identify concentrations of risk and act accordingly.

Unfortunately many companies, like individuals, are blind to their own weakness. For this reason, Malcolm Collins, Nortel Networks president for global enterprise networks, says organisations should bring in third party specialists to perform risk assessment "in the same way you'd employ external auditors for company finances". Standard risk assessment methods also need to be adapted to the industry and environment. For example, pharmaceutical companies' systems are regularly hacked by animal rights protesters, while financial institutions are especially prone to fraud.

Not everyone believes in the merits of risk assessment. Donn Parker, a California-based management consultant who has reviewed security in 250 organisations, says: "Risk is under the control of unknown enemies. Risk can't be measured. You don't know who your enemies are and what their plans are." Mr Parker believes companies should dispense with risk assessment and management and replace it with due diligence. Using this approach, the organisation's security is simply benchmarked against other companies, and adjusted accordingly.

Survey question: As far as you know, does your organisation have specific security policies in place to protect against and cope with the following eventualities? (% of respondents)

                                                           Yes    No     Don't know
 1. Threats to individual members of staff                 59%    34%    7%
 2. Theft of personal items of members of staff            65%    30%    5%
 3. Theft of intellectual property                         71%    21%    8%
 4. Terrorist attacks or alerts                            50%    35%    15%
 5. Disease control measures                               48%    36%    16%
 6. Competitive espionage                                  46%    38%    16%
 7. Unauthorised access to the network                     84%    12%    4%
 8. Viruses and worms                                      89%    8%     3%
 9. Accidental leaking of information or data              57%    32%    12%
10. Deliberate leaking of information or data              70%    21%    9%
11. Deliberate damage to physical assets (building/plant)  69%    23%    9%

The enemy within

Lack of reliable information and the difficulty associated with quantifying risk can lead to dangerous misconceptions. In particular, security attacks are popularly seen as the work of outsiders with no relationship to the business they are targeting. Yet 'employee disgruntlement' and 'personal financial gain' are the two most likely motives for a deliberate attack on corporate security, according to our survey.

Our survey also suggests organisations are more vulnerable to a failure of process than a failure of technology. Even in the narrower realm of computer crime, the CSI/FBI survey indicates a roughly fifty-fifty split between incidents originating from inside and outside the organisation. Only a small fraction of employees are likely to be dishonest, but the potential for a few 'bad eggs' to cause havoc is extremely high.

Despite the risk posed by insiders, many companies fail to take basic steps to protect themselves. Password management provides a classic example. A single employee can have access to as many as 20 different networks. When they leave, their password authorisation should be removed from each of the networks, but in practice only a minority of companies have clear policies governing this procedure. Many ex-employees can walk out of the door but straight back into the system, if they are inclined to cause trouble.
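The leaver problem described above is, at bottom, a reconciliation job: the HR roster knows who has left, and each network knows who still has an account, but nobody joins the two. As an added example (not code from the report, from Nortel Networks or from any company quoted in it), the Python below reconciles a constructed HR roster against constructed account exports from several systems as of a chosen date and lists the accounts a sound leaver process would already have revoked: accounts still enabled for people who have left (flagged more sharply where the account was used after the leaving date), accounts whose recorded owner is unknown to HR, and accounts with no owner link at all, which no exit process will ever touch. The system names, usernames, employee identifiers and dates are all invented for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Added illustration (not code from the EIU report or any organisation it
# quotes): reconcile an HR roster against per-system account exports so that
# a departed employee's access is found on every system, not just the one or
# two that HR remembers to notify. All roster and account data is constructed.


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    left_on: Optional[date]      # None while still employed


@dataclass(frozen=True)
class Account:
    system: str                  # e.g. "vpn", "erp", "email", "building"
    username: str
    owner_emp_id: Optional[str]  # None when the system records no owner
    enabled: bool
    last_login: Optional[date]   # None when never used or not recorded


@dataclass(frozen=True)
class Finding:
    system: str
    username: str
    owner_emp_id: Optional[str]
    reason: str


def reconcile(roster: List[Employee], accounts: List[Account],
              as_of: date) -> List[Finding]:
    """Return every enabled account that should not be enabled as of `as_of`.

    Flags three conditions: the owner left on or before `as_of` but the
    account is still enabled (worse if it was used after the leaving date);
    the account names an owner HR has never heard of; or the system keeps
    no owner link at all, so nobody will revoke it on exit.
    """
    by_id: Dict[str, Employee] = {e.emp_id: e for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already revoked; nothing to do
        if acct.owner_emp_id is None:
            findings.append(Finding(acct.system, acct.username, None,
                                    "enabled account with no owner on record"))
            continue
        owner = by_id.get(acct.owner_emp_id)
        if owner is None:
            findings.append(Finding(acct.system, acct.username, acct.owner_emp_id,
                                    "enabled account whose owner is not in the HR roster"))
            continue
        if owner.left_on is None or owner.left_on > as_of:
            continue  # current employee
        if acct.last_login is not None and acct.last_login > owner.left_on:
            reason = ("leaver still enabled; logged in after leaving on "
                      f"{acct.last_login.isoformat()}")
        else:
            reason = "leaver still enabled"
        findings.append(Finding(acct.system, acct.username, owner.emp_id, reason))
    return sorted(findings, key=lambda f: (f.system, f.username))


def offboarding_targets(accounts: List[Account], emp_id: str) -> List[Tuple[str, str]]:
    """Every (system, username) one employee holds: the list to work through on exit."""
    return sorted((a.system, a.username) for a in accounts if a.owner_emp_id == emp_id)


# Constructed sample data (hypothetical systems, people and dates).
ROSTER = [
    Employee("E100", "A. Current", None),
    Employee("E101", "B. Left", date(2003, 6, 30)),
    Employee("E102", "C. Left", date(2003, 8, 15)),
    Employee("E103", "D. Current", None),
]

ACCOUNTS = [
    Account("vpn", "acurrent", "E100", True, date(2003, 9, 10)),
    Account("vpn", "bleft", "E101", True, date(2003, 7, 4)),      # used after leaving
    Account("erp", "bleft", "E101", False, date(2003, 6, 20)),    # correctly disabled
    Account("email", "cleft", "E102", True, date(2003, 8, 14)),
    Account("building", "0417", "E102", True, None),              # door badge never revoked
    Account("erp", "svc_backup", None, True, date(2003, 9, 1)),   # ownerless service account
    Account("email", "eve", "E999", True, date(2003, 9, 12)),     # owner unknown to HR
    Account("vpn", "dcurrent", "E103", True, None),
]

AS_OF = date(2003, 9, 15)

if __name__ == "__main__":
    for f in reconcile(ROSTER, ACCOUNTS, AS_OF):
        print(f"{f.system:9} {f.username:12} owner={f.owner_emp_id}  {f.reason}")
    print("E101 still holds:", offboarding_targets(ACCOUNTS, "E101"))
```

Run against exports from every network the "one employee, 20 networks" problem covers, not just the directory: the badge system and the service accounts are where revocation is usually missed. The ownerless and unknown-owner cases matter as much as the obvious leavers, because an account nobody owns is one that no leaver process will ever reach.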

In other instances, hackers actively exploit an employee's lack of savvy on security issues. "Most of the time organisations overlook the human element," says Kevin Mitnick, an American ex-hacker who successfully infiltrated countless large corporations (and paid for it by spending a five-year stretch in jail). Mitnick describes a tactic called 'social engineering', where the hacker might pose as an internal system administrator checking passwords. In most cases the staff member will readily give out their password, rather than stall the process. "It's relatively simple for bad guys to persuade others to comply with their requests," he says.

Some security incidents are accidental rather than malicious. Half of the executives in our survey felt that security incidents are more likely to be caused by accident than deliberate intent—for example employees having inappropriate access to sensitive data and deleting or corrupting valuable files.

Securing the frontier

With one fifth of the US workforce reportedly working one day or more per week at home, and the numbers escalating elsewhere, remote working adds another dimension to the security challenge. Again, the human factor is at least as important as the issues of technical security. One salutary tale involved CIA Director John Deutch, who was found to be using (non-secure) home PCs to process secret reports with highly classified information. The US Senate Intelligence Committee took a particularly dim view of the fact that the PCs were connected to the Internet and were therefore vulnerable to attack.

So far as home-working security incidents go, that is about as extreme as they come. But important company information is routinely put in danger. Remote workers seldom have a personal firewall and are highly prone to virus attacks. A possible explanation for the home workers' blasé approach to security is simply that they feel safer in their homes, and are off-guard. In fact, as Peter Houppermans, a security specialist with the PA Consulting Group, points out, remote workers are "at the fringe of IT management and are therefore at risk".

Mobile working may sound like the security professional's worst nightmare, but there are some cases where remote working has helped companies avert a catastrophe. During the recent electricity black-out in North America, 9,000 research and development staff at Nortel Networks were able to work securely from home. Mobile working also enabled much of corporate Asia to continue operating during the SARS epidemic.

Deploying wireless networks without reviewing the risks in detail also leaves companies wide open to attack. It is easy for hackers to park outside an office, and break into the corporate network via the wireless LAN. With the right equipment, this can be done from 10 miles away.

Handheld computers pose a newer risk. Software is now available which enables passwords and other information to be stolen from popular handheld devices. It is rare to find them equipped with security protection to stop 'identity theft'—for example, stealing personal information to pose as a bank account holder.

There are huge benefits to be had from extending corporate data out to mobile workers, but greater transparency of information comes at a price. Like e-business before it, mobile working brings extra complexity and risk for organisations already struggling to shore up their defences.

Survey question: What are the likeliest motives for a security event that is deliberately targeted at your organisation, in your view? (% of respondents)

Options offered: disgruntlement on the part of employees or ex-employees; personal financial gain; intelligence-seeking by competitors; kudos-seeking (on the part of hackers, etc); politically motivated protests against Western interests; politically motivated protests against globalisation; other (please specify).

[Bar chart. The percentages recorded in the extraction were 1, 9, 16, 5, 32, 31 and 6; their assignment to the options above could not be recovered.]

SARS—testing times for corporate resilience

The crisis caused by SARS exposed serious flaws in many organisations' contingency plans. It seems that while many had measures in place to recover from an attack on their data or physical assets, few were prepared to deal with a direct threat to their employees.

"Most companies' business continuity planners developed their plans from a scenario of denial of access to their premises," says Goh Moh Heng, executive director of the Disaster Recovery Institute Asia. "SARS created a new scenario that most planners would not have thought of: denial of access to people."

SARS put companies to the test in other ways too. Unlike an earthquake or fire, it affected multiple countries. And it was clouded by uncertainty about the transmission method and incubation period. All of this caught corporate Asia off-guard.

Many companies sought to minimise the risk of infection by segregating staff or sending them to work at home. The explosion in home working posed significant problems for many companies, however. "There was a mad scramble to get virtual private networks connected. Just the technical support effort of teaching hundreds of people how to use the VPN client was an issue," says Dion Wiggins, research director at Gartner Research (for the uninitiated, virtual private networks, or VPNs, provide secure point-to-point Internet connections). Other companies didn't have enough laptops to equip a hugely expanded mobile workforce.

Some business functions could not be transferred to home workers. Data centres performing critical tasks posed a particular problem. JP Morgan was so intent on keeping its data centre running even if an employee caught the virus it imported protective 'space suits', similar to those used by the hospital workers treating SARS.

Battling employee fear and panic, especially in the early stages of the outbreak, was another challenge. Firms found it critical to communicate with staff about what management was doing to protect them against the disease. "We saw how some governments lost credibility because they weren't open," says Robert Pride, Deutsche Bank's chief operating officer in Asia. The bank circulated regular email updates and hosted presentations by medical experts to help clear up misconceptions about SARS.

Travel restrictions were standard for companies throughout the region, and stringent safeguards were applied where travel was unavoidable. JP Morgan quarantined its workers for seven days after a trip to an affected area.

Enterprises across the region also tightened up building security. At Intel, for example, visitors from SARS-affected areas had their temperatures taken, while Motorola eventually installed thermal imaging equipment.

The crisis is over for now, but experts warn there could be another outbreak this winter. If so, some executives say they'll be prepared. Deutsche Bank has working groups exploring key issues learned from the crisis, including how to secure more bandwidth between regional offices and enable more employees to work from home. But observers say many companies have not learned from this experience. "Once the crisis was over there was very little done to institutionalise learning and get ready for the next crisis," says Hugh Bucknall, the head of Mercer Human Resources Consulting in Asia. "Companies need to look at a broader range of threats and have mechanisms to deal with them."

Predicting those threats is the hard part. "SARS demonstrated that you can't envision every situation that will ever arise," says Intel's Mr McKean. "So you have to rely on the vision of your employees and your customers." That may be an uncomfortable situation for business continuity planners, but for the time being it may be the best early warning system they can get.

Building security into the culture

For most organisations, the focus of corporate security has been on building barriers to keep out the bad guys. As we have seen, however, many of the most damaging security breaches involve employees, albeit unwittingly in most cases. In these circumstances firewalls alone are not the answer. "Security has to become part of the organisation's DNA," says Mr Collins of Nortel Networks.

With 140,000 users on its network, BP came to the conclusion that protecting the perimeter is a losing battle. BP is looking at a strategy of 'locking houses rather than relying on the city walls'—in other words, making individual users accountable for security. This is the kind of approach Mr Collins would approve of. "Security has to be multi-layered," he says. "Organisations got caught up with securing the network and didn't look at the wider picture. They can all too easily focus on installing expensive security systems, but ignore basic HR checks."

Developing a proactive, security-aware cultureis a much more challenging, though lessexpensive, proposition than throwing money atthe latest IT fix. Changing people’s behaviour from

the top to the bottom of an organisation is hard—particularly if the board treats security as a lowpriority.

A wake up call for the boardIn the past, company directors showed a limitedinterest in security matters. Even now, securityexperts say it can take a major incident to sparkaction and investment from the board. "By andlarge, organisations are lurching from incident toincident, shutting the stable door after the horsehas bolted," says BP’s Mr Dorey.

Any lack of commitment in the boardroom isusually reflected by complacency lower down thechain. "Unless there is board level focus on

10 © The Economist Intelligence Unit 2003

Testing the defences Facing up to the challenge of corporate security

security, it floats down the stack in terms ofpriorities," says Mr Coleman of IBM. This messageis now beginning to be heard by directors, judgingfrom our survey. Even so, corporate leadersfrequently fail to translate an increased interest insecurity into effective risk management andcontrols, according to the Information AssuranceAdvisory Council (a policy advisory group).

Company directors will need to activelychampion corporate security if real progress is tobe made. Yet many company boards continue todelegate key security decisions to middlemanagers who are inadequately equipped to makethe right judgements or to enforce the requiredpolicies. Furthermore, "Boards of largeorganisations aren’t defining who’s accountablefor what," says Charles Cresson Wood, anindependent security consultant and author."They can’t hope to have an effective informationsecurity team if they’re unclear about what eachperson is meant to be doing."

These laissez-faire habits are likely to change,however, thanks to new corporate governancelaws and regulations making corporate directorspersonally liable for preventable security failures.Barrister Enrique Batalla, a director of theinternational Computer Law Association, believesthere is widespread ignorance amongst boardmembers of how much they are personallyimplicated in the event of a damaging securityfailure. "The increasing trend is towards handingresponsibility to the board of directors," he warns.Directors will become subject to fines fromregulatory bodies, and in extreme cases evenimprisonment will not be out of the question.

Most of the pressure on boards is driven fromthe USA. For instance, the US Sarbanes-Oxley Actrequires companies to perform a self-assessmentof risks for business processes that affect financial

reporting. More recently, California Senate BillNo.1386 came into operation in July 2003, forcingcompanies conducting business in California tonotify their customers of any breach of security totheir records. They also have to demonstrate duediligence in protecting customer databases frominternal and external threats and unauthorisedaccess. Outside America, international regulatorybodies are also beginning to take a renewedinterest in corporate security. "It’s got veryserious, very quickly," says Bill Hancock, VP ofsecurity at Cable and Wireless.

Board directors are far less likely to fall foul ofthe new laws if they can demonstrate they have atleast drawn up a coherent security policy and canshow they have taken appropriate steps tosafeguard the organisation. "Only a smallpercentage have this in place. There is a lack ofunderstanding about how vulnerable [boarddirectors] are," says Mr Batalla.

Boards also need to build bettercommunication links with the people that holdday-to-day responsibility for security within thebusiness. At the moment, security professionalsand the board rarely work well together. ChrisPotter, e-business security partner withPricewaterhouseCoopers, sums up a typicalsituation: "A lot of security professionals are verytechnical. In relatively few cases is securityexpenditure couched in terms of ROI. Boards areeither in the position of having to place absolutetrust, or challenge, which is interpreted by thetechnical person as inappropriate criticism." Aftera meeting, neither side is any the wiser.Frustration sets in and poor decisions are made asa consequence.

Failures of communication between the boardand the functional security heads are one of thebiggest obstacles to delivering a coherent

© The Economist Intelligence Unit 2003 11

Testing the defences Facing up to the challenge of corporate security

response to business threats. Worse still, theycreate a climate where risks and errors remainhidden. Bad news never travels to the top, goes anold saying. Board directors need to demand betterinformation on all aspects of security, and installthe reporting structures to ensure they receive it.

Who’s in charge here?Crucial though the board’s role may be, the day-to-day aspects of security planning andmanagement will need to be handled elsewhere.So who are the key participants in corporatesecurity?

Our survey suggests security is still primarilyseen as a job for the IT department, while physicalsecurity is handled (often in isolation) by anotherbusiness unit. Very few organisations successfully

co-ordinate these different elements of corporatesecurity. In addition, cultural barriers often widenthe divide: for example, IT people come from atechnical background, whereas physical securitystaff are often ex-service personnel. Sometimesthe heads of the units have never even met. This isa serious issue, given that hackers often exploitweaknesses in physical security to gain access tocorporate networks.

The over-reliance on IT to make security decisions can also lead to expensive mistakes. "IT staff are tempted into buying increasingly expensive technology solutions for increasingly irrelevant technical problems—at the expense of ensuring that security counter-measures are properly implemented and executed by staff," warns Martin Smith, managing director of The Security Company, a corporate security specialist in the UK.

Insuring against cyber crime

Despite the limitations of traditional insurance products in protecting against cyber crime, just 8% of British companies have specific IT insurance according to a recent survey by the UK government. More than half either had no coverage at all for damage arising from IT security breaches, or had no idea whether they were covered. The rest of the world lags behind the USA when it comes to buying specialist insurance cover, according to David Powell of Aon, a Chicago-based insurance broker and risk management specialist.

Unpleasant surprises await corporations relying on traditional insurance cover when they want to claim for damage caused by network security breaches. Insurers have started to put in exclusions for 'intangibles' which include break-ins via the Internet, says Mr Powell. As a result corporations are left exposed. An executive at a large international investment bank says insurers "wriggle" each time there's a security crime, and that their policies have "too many caveats to make it worthwhile".

Specialist insurers now cater for the threat posed by worms, hacking, and other electronic attacks, however. For example, a 'cyber-liability' policy from the Lloyd's of London syndicate Hiscox will cover incidents such as defamation via e-mail. "Most policies wouldn't cover that type of cyber-liability," claims Neil Bolton, an underwriter with Hiscox. In addition, their hacker policy covers damage to data, network information, or the period of 'downtime' when a company can't trade following an attack on its network.

The research group Gartner reckons that by 2005, $900m worth of insurance will be sold annually for revenue lost from hacking. Presently the premium is around $4,000 for each $1m of cover. The jury is still out, however, on how effective these new policies really are.

Jacqueline Kuhn, head of HR systems at a large US retailer, and a director of the global HR association, IHRIM, believes Human Resources has a key role to play in educating staff on security issues. Security needs to be a key part of HR processes from recruitment right through to when the employee leaves, Ms Kuhn argues.

As an example, HR plays an essential role in the vetting process for prospective employees. The vetting process is key to sound security, since one of the most effective ways to really cause damage to a company is to join as a member of staff. Following recruitment, the company's security rules and policies should be fully explained as part of the induction process. Employees can also be asked to sign a form of acceptance for these rules: this enables companies to take disciplinary action when rules are abused.

The interaction between HR and IT is essential to ensure that each employee has the appropriate level of access to corporate data. In particular, HR needs to liaise with IT to cancel passwords as soon as employees leave the organisation. Unfortunately this process is often haphazard, leaving company networks exposed to attacks from disgruntled employees.
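
The leaver check described above does not have to wait for HR to raise a ticket: the directory side can reconcile itself against the HR roster every day. The following is an added example, not code from the report or from any organisation quoted in it. It compares a list of HR records (with leaving dates) against the accounts in a directory and reports three things: enabled accounts whose owners have already left, accounts that were still being used after their owner's leaving date, and accounts with no HR owner at all (service accounts, or people HR has never heard of). The record layouts, names, usernames and dates are constructed for the example; in practice the two lists would be an HR export and a directory (for example LDAP) export.

```python
"""Joiner/mover/leaver reconciliation between an HR roster and directory accounts.

Added example with constructed data: not code from the report or from any
organisation quoted in it. The record layouts are assumptions; real inputs
would be an HR system export and a directory (e.g. LDAP) export.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    name: str
    leaving_date: Optional[date]  # None while still employed


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]  # None for accounts not tied to a person
    enabled: bool
    last_logon: Optional[date]  # None if never used


@dataclass(frozen=True)
class Finding:
    username: str
    reason: str  # "leaver_still_enabled", "logon_after_leaving" or "orphan"
    detail: str


def reconcile(hr_records: List[HrRecord], accounts: List[Account], today: date) -> List[Finding]:
    """Flag enabled accounts that the leaver process should already have dealt with."""
    by_id: Dict[str, HrRecord] = {r.employee_id: r for r in hr_records}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled: nothing left for the leaver process to do
        rec = by_id.get(acct.employee_id) if acct.employee_id else None
        if rec is None:
            # Nobody in HR owns this account, so nobody will ever trigger its removal.
            findings.append(Finding(acct.username, "orphan",
                                    f"no HR record for employee_id={acct.employee_id!r}"))
            continue
        if rec.leaving_date is not None and rec.leaving_date <= today:
            findings.append(Finding(acct.username, "leaver_still_enabled",
                                    f"{rec.name} left on {rec.leaving_date.isoformat()}"))
            if acct.last_logon is not None and acct.last_logon > rec.leaving_date:
                # Used after the owner left: an incident to investigate, not just a cleanup.
                findings.append(Finding(acct.username, "logon_after_leaving",
                                        f"last logon {acct.last_logon.isoformat()} is after the leaving date"))
    return findings


def plan_actions(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group findings into the three queues a directory team would work from."""
    plan: Dict[str, List[str]] = {"disable": [], "review": [], "investigate": []}
    queue_for = {"leaver_still_enabled": "disable", "orphan": "review",
                 "logon_after_leaving": "investigate"}
    for f in findings:
        queue = plan[queue_for[f.reason]]
        if f.username not in queue:
            queue.append(f.username)
    return plan


# Constructed sample data for the example (not real people or systems).
TODAY = date(2003, 9, 10)
HR_RECORDS = [
    HrRecord("E100", "Alice Rowe", None),
    HrRecord("E101", "Ben Kapoor", date(2003, 8, 15)),
    HrRecord("E102", "Carla Mendes", date(2003, 9, 30)),  # leaving date still in the future
    HrRecord("E103", "Dev Okafor", date(2003, 8, 1)),
]
ACCOUNTS = [
    Account("arowe", "E100", True, date(2003, 9, 9)),
    Account("bkapoor", "E101", True, date(2003, 8, 29)),   # left in August, still enabled and used
    Account("cmendes", "E102", True, date(2003, 9, 9)),
    Account("dokafor", "E103", False, date(2003, 7, 31)),  # the leaver process worked here
    Account("svc_backup", None, True, None),               # service account with no named owner
    Account("jdoe", "E999", True, date(2003, 9, 1)),       # no HR record at all
]

if __name__ == "__main__":
    findings = reconcile(HR_RECORDS, ACCOUNTS, TODAY)
    for f in findings:
        print(f"{f.username:12} {f.reason:22} {f.detail}")
    print(plan_actions(findings))
```

Run from the directory side on a schedule, the "disable" queue is the cleanup HR should have triggered, the "review" queue forces every enabled account to have a named owner, and the "investigate" queue is direct evidence of the exposure the report describes: an account still in use after its owner has gone.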

The rise of the CSO

There remains the question of who should oversee security as a whole on a day-to-day basis. Recognising the need for a more co-ordinated approach to security, a growing number of organisations (including 40 in our survey) have appointed a chief security officer (CSO).

The goal is to create a central point of management for all aspects of security, including information technology, human resources, communications, legal, facilities management and other security stakeholders. The right CSO can bring energy and focus to the wider security effort, not least by providing a much-needed bridge between the board, IT and business divisions. This function is therefore key to ensuring that security strategy is closely linked to business objectives. The CSO also often acts as an important figurehead, representing the organisation on security matters to the outside world.

[Chart: Which of the following functions have direct responsibility for security in your organisation? Please check as many as apply. % of respondents. Response options: IT department; CEO; Facilities management; Risk management function; Chief security officer; HR department; Security services provider; Compliance department; Other. The same chart appears as question 1 of the survey results appendix.]

Do CSOs make a difference in practice? That depends. To be effective, the CSO must be furnished with the budget, power, and staffing to protect the interests of the enterprise. Without the right level of support from the board, the CSO appointment is little more than an exercise in public relations.

Bill Boni, chief information security officer at Motorola, is quoted on CSOonline as saying a good CSO needs to "understand the business, understand what makes it successful, identify the factors that can put that success at risk, and then find ways of managing that risk through technical, operational or procedural safeguards."

That means it's not always an easy position to fill. CSOs need to be able to communicate effectively with senior management, but also be comfortable tackling nitty-gritty IT with the technologists. Nevertheless, a good CSO with the right level of support can help companies develop a much more coherent strategy to address security in all its dimensions.

Outsourcing: the best of all worlds?

Outsourcing to managed security service providers (MSSPs) is becoming a popular way for companies to transfer risk and reduce their security overheads. What the providers offer covers anything from managed services for firewalls, intrusion detection systems, and security monitoring, down to anti-virus and content filtering services. IT market analysts see managed security services as one of the fastest growing segments of the security industry.

Generally, the cost of using an outsourced security service is less than using internal security experts, because the supplier can share its resources and skills around several clients. In some instances the savings can be dramatic, and the constant burden of finding and training security staff is lifted. Other benefits include the ability to tap into the experience and facilities of the provider. They are far more likely too to have their ear to the ground about future threats and countermeasures, and to be in touch with the wider security community.

There are potential disadvantages however. While an MSSP may have more competent staff to manage security services, they may not be as effective in applying remedies that meet the specific needs of the client. There is also the danger of becoming over-dependent on the provider, and the risk that an 'out of sight, out of mind' mentality may take root.

Outsourcing can turn sour unless partners enter the relationship with their eyes open. Before embarking on any outsourcing initiative, companies need to carefully structure the contract and consider the legal issues that could arise during a security incident. BP's Mr Dorey warns that security policy itself cannot be outsourced, nor can risk decisions. In addition, it pays to have an informed 'buyer' of MSSP services within the company.

Ultimately, outsourcing addresses some kinds of vulnerability better than others. A third party may be able to point out your organisational weakness, but they cannot give you a more security-aware culture. As such, outsourcing can offer only limited help towards addressing the threat from within.

People: the key to the secure organisation

In the end, a security policy is just a piece of paper unless it is actively applied by employees on the ground. The Security Company's Mr Smith believes changing staff behaviour is the key to strengthening corporate security. "You either have 55,000 people in the organisation who don't understand security rules and needs, or a police force of 55,000," he says.

If he's right, companies have a long way to go. It is a basic rule that employees should not open attachments in e-mails from strangers, but the damage caused by the recent SoBig.F mass-mailing worm suggests large numbers of end-users did exactly that (the worm also forged its sender addresses, so many infected messages appeared to come from known contacts rather than strangers). It seems employees either had not been trained about the risks, or they were confident they would not be monitored and disciplined if they broke the rules.
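
Because a mass-mailer forges its sender addresses, the "don't open attachments from strangers" rule cannot be carried by training alone; the usual technical backstop is for the mail gateway to refuse executable attachments whatever the From line says. The following is an added example, not code from the report or from any organisation quoted in it. It parses a message and rejects it if any attachment carries an executable extension (including double extensions such as report.doc.scr, and .pif and .scr, the types mass-mailers of that era favoured) or is a zip archive whose listing contains one; it never looks at the sender. The blocked-extension list, the example.com addresses and the sample messages are constructed for the example and would be tuned for a real site.

```python
"""Mail-gateway attachment policy: reject executable attachments regardless of sender.

Added example with constructed messages; not code from the report or from any
organisation quoted in it. The extension list is an assumption a site would tune.
"""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Extensions Windows will execute directly. .pif and .scr are the ones the 2003
# mass-mailers favoured. This list is an assumption for the example, not complete.
BLOCKED_EXTENSIONS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js", ".lnk"}


def is_blocked(filename: str) -> bool:
    """True if the final extension is executable. Only the last suffix counts, so
    'report.doc.scr' and 'invoice.doc .pif' are caught; case is ignored."""
    _, ext = os.path.splitext(filename.strip().rstrip("."))
    return ext.lower() in BLOCKED_EXTENSIONS


def executables_in_zip(data: bytes) -> List[str]:
    """List blocked names inside a zip archive without extracting anything.
    An unreadable archive is reported rather than silently passed."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if is_blocked(n)]
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]


def classify(raw: bytes) -> Tuple[str, List[str]]:
    """Return ('reject', reasons) or ('deliver', []). The From header is deliberately
    never consulted: worms forge it, so a familiar sender is not evidence of safety."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_blocked(name):
            reasons.append(f"executable attachment {name!r}")
        elif name.lower().endswith(".zip"):
            inner = executables_in_zip(part.get_payload(decode=True))
            if inner:
                reasons.append(f"archive {name!r} contains {inner}")
    return ("reject" if reasons else "deliver"), reasons


# Constructed sample messages (example.com addresses, fake payloads).
def build_message(filename: str, payload: bytes, subtype: str = "octet-stream") -> bytes:
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"  # what a forged, familiar-looking sender looks like
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Re: Details"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(payload, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()


def make_zip(inner_name: str, content: bytes = b"MZ\x90\x00fake") -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, content)
    return buf.getvalue()


SAMPLE_PIF = build_message("your_document.pif", b"MZ\x90\x00fake")
SAMPLE_DOUBLE_EXT = build_message("report.doc.scr", b"MZ\x90\x00fake")
SAMPLE_ZIP_WITH_EXE = build_message("documents.zip", make_zip("details.exe"), subtype="zip")
SAMPLE_BENIGN = build_message("minutes.doc", b"\xd0\xcf\x11\xe0fake", subtype="msword")

if __name__ == "__main__":
    for label, raw in [("pif", SAMPLE_PIF), ("double extension", SAMPLE_DOUBLE_EXT),
                       ("zip with exe", SAMPLE_ZIP_WITH_EXE), ("benign", SAMPLE_BENIGN)]:
        verdict, why = classify(raw)
        print(f"{label:17} -> {verdict} {why}")
```

The point of the design is that the decision depends only on what the attachment is, not on who appears to have sent it or on whether the recipient has been trained; the gateway rule and the awareness campaign are complementary, and the survey's own respondents rate viruses and worms as the most frequent incident type they face.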

"A strong policy is essential across the organisation," says John Handby, chief executive of CIO-Connect, a UK-based organisation for top senior IT executives. "You've got to be tough. You've got to educate. Only then can you crack down [on security breaches]." However he warns that it is easy for staff to see these policies as bureaucratic. Security training has to be handled skilfully to avoid inevitable complaints from employees that they are working 'in a dictatorship', or that they are being mistrusted.

From the law enforcement angle, Colin Blake of London's Metropolitan Police often sees the situation where an organisation has good security policies, but these are not integrated properly with personnel policies. "Often employees are not aware of the security policy," he says. Companies regularly face the frustration of knowing that an employee has overstepped the mark, but can't prove it.

How can companies make security a part of every employee's routine? A whole range of media can be used for security training, awareness and reminders. As well as straightforward training sessions, policies can be explained on the company intranet, and regular warnings can be issued on-screen. Even beer mats have been used to carry the message.

These awareness raising initiatives can only go so far however. Mr Parker, a management consultant specialising in security issues, argues that employee motivation is the key to success, and that rewards and penalties should be used to encourage the adoption of corporate security policies. In addition, an employee's record on protecting data in their charge should be factored into their annual pay awards. "It's about making everyone responsible for security," Mr Parker says.

Putting policy into practice at UBS Warburg

Over the past two years UBS Warburg has been rolling out a scheme to raise security awareness in its day-to-day business. The focus is on people rather than technology.

"The only way to make sure the culture is mobilised is with the board's support," says Paul Wood, chief security officer (both IT and physical) for the investment banking division. The company started a major awareness campaign in March 2003. As part of this, the chief executive has sent out a desktop video covering security aspects to each individual.

Security training is not necessarily seen by employees as an imposition. Wood says the impact on staff of the training in company security policy has been very positive. Security awareness is also built into the induction session for newcomers. Each new recruit is given a handbook in which IT and network security are included. Key security issues are outlined and then signed off by newcomers, which is especially important as Mr Wood says that 85% of the risk is internal.

As part of the scheme, screen savers have been launched which give security messages. Employees are also shown what measures to take across the whole life cycle of a document (does it need password protection, or to be encrypted?) down to eventual distribution or destruction. Mr Wood says there is now an initiative to build security into management training.

Some of the basic security measures UBS Warburg has implemented for all employees include compulsory virus checking, no disclosure of passwords, and locking screens when leaving desks (the latter counters the age-old security wheeze of sending in spies via the office cleaners). "You have to remind them of the value of information," Mr Wood says.

Potential new partners for UBS Warburg have to undergo independent risk assessment, and a technical team reviews all new business projects. Currently, around 130 risk assessments are carried out there each month on new projects or existing infrastructure. Security has to be built in at the start of each project: it is always far more costly to add it in towards the end.

Conclusion

After years of neglect, corporate security has become a priority issue for many business leaders. As our survey shows, most companies now regularly review their security arrangements. Many companies are taking the first steps to a more comprehensive security strategy, often by creating a centralised security function under the direction of a chief security officer. A few companies have gone further by making personnel from the board downwards assume personal responsibility for key aspects of security.

Even so, many specialists remain unimpressed by the corporate world's response to the growing security challenge. "We're waiting for the Pearl Harbour of information security to wake up top management," says Mr Cresson Wood. A dramatic comment maybe, but many commentators agree that companies remain backward looking in their security planning.

As with most business issues, there are no easy fixes. Security is as much about changing attitudes and behaviour as it is about installing the latest hi-tech countermeasures. Many companies face a long haul, from re-evaluating risk assessment and setting clear policies, through to enforcing best practice on the ground. No doubt security will continue to be a chore in the eyes of many business leaders: but increasingly, it's one they can ill afford to ignore.


Executive survey results

A total of 178 senior executives participated in our online survey on corporate security. The survey was conducted in July and August 2003, and our thanks are due to all those who shared their time and insights.

1. Which of the following functions have direct responsibility for security in your organisation? Please check as many as apply. % of respondents

Response options: IT department; CEO; Facilities management; Risk management function; Chief security officer; HR department; Security services provider; Compliance department; Other (please specify).

[Chart: the percentages 9, 21, 23, 26, 29, 64, 24, 9 and 28 appear in the chart, but the extracted text does not preserve which option each belongs to.]

2. Does your organisation attempt to quantify the security risks it faces? % of respondents

Yes 38

No 62

3. How often does your organisation conduct a risk analysis of the security environment? % of respondents

Response options: Every year; More than once a year; Less than once every three years; Every three years; Never.

[Chart: the percentages 9, 32, 39, 9 and 10 appear in the chart, but the extracted text does not preserve which option each belongs to.]

4. What was the cost of security incidents that directly impacted upon your company last year? % of respondents

Response options: Below $10m; Don't know; We had no security incidents; Don't want to say; Nothing; Between $10m and $50m; More than $50m.

[Chart: the percentages 5, 32, 36, 4, 2, 1 and 21 appear in the chart, but the extracted text does not preserve which option each belongs to.]

5. Over the past three years, how often have the following security risks directly affected your business? Please rate from 1 to 5, 1 being never and 5 being very often.

                                                              Never   Rarely   Occasionally   Often   Very often
                                                              (1)     (2)      (3)            (4)     (5)
 1. Threats to physical safety of individual members
    of staff in the course of business                        36%     38%      21%             4%     1%
 2. Theft of personal items of members of staff               17%     35%      36%            11%     1%
 3. Theft of intellectual property/piracy                     22%     43%      27%             6%     2%
 4. Terrorist attacks or alerts                               69%     20%      10%             1%     1%
 5. Disease control measures                                  49%     26%      21%             5%     0%
 6. Competitive espionage                                     32%     47%      16%             5%     0%
 7. Unauthorised access to the network                        24%     44%      24%             7%     1%
 8. Viruses and worms                                          5%     27%      39%            22%     7%
 9. Accidental leaking of information or data                 18%     49%      27%             7%     0%
10. Deliberate leaking of information or data                 41%     41%      13%             4%     0%
11. Deliberate damage to physical assets (building/plant)     49%     36%      12%             1%     1%

6. Over the past three years, which of the following security risks have had the most significant direct impact on your business's bottom line? Please rate each from 1 to 5, 1 being no impact and 5 being a very grave impact.

                                                              No       Little   Some     Considerable   Very grave
                                                              impact   impact   impact   impact         impact
                                                              (1)      (2)      (3)      (4)            (5)
 1. Threats to individual members of staff                    51%      33%      14%       1%            0%
 2. Theft of personal items of members of staff               43%      42%      14%       1%            1%
 3. Theft of intellectual property/piracy                     28%      41%      21%      10%            1%
 4. Terrorist attacks or alerts                               63%      18%      13%       5%            1%
 5. Disease control measures                                  53%      23%      17%       6%            1%
 6. Competitive espionage                                     38%      40%      16%       5%            1%
 7. Unauthorised access to the network                        34%      42%      17%       6%            1%
 8. Viruses and worms                                         20%      36%      28%      15%            1%
 9. Accidental leaking of information or data                 42%      37%      16%       4%            2%
10. Deliberate leaking of information or data                 44%      32%      16%       6%            3%
11. Deliberate damage to physical assets (building/plant)     57%      28%      11%       4%            1%

7. As far as you know, does your organisation have specific security policies in place to protect against and cope with the following eventualities?

                                                              Yes    No     Don't know
                                                              (1)    (2)    (3)
 1. Threats to individual members of staff                    59%    34%     7%
 2. Theft of personal items of members of staff               65%    30%     5%
 3. Theft of intellectual property                            71%    21%     8%
 4. Terrorist attacks or alerts                               50%    35%    15%
 5. Disease control measures                                  48%    36%    16%
 6. Competitive espionage                                     46%    38%    16%
 7. Unauthorised access to the network                        84%    12%     4%
 8. Viruses and worms                                         89%     8%     3%
 9. Accidental leaking of information or data                 57%    32%    12%
10. Deliberate leaking of information or data                 70%    21%     9%
11. Deliberate damage to physical assets (building/plant)     69%    23%     9%

8. Do you agree with the following statement? % of respondents

From a security perspective, our organisation is more vulnerable to a failure of process than a failure of technology.

Yes 78

No 22

9. Do you agree with the following statement? % of respondents

Security incidents are more likely to be the result of accident than deliberate intent.

Yes 57

No 43

10. What are the likeliest motives for a security event that is deliberately targeted at your organisation, in your view? % of respondents

Response options: Disgruntlement on part of employees or ex-employees; Personal financial gain; Intelligence-seeking by competitors; Kudos-seeking (on part of hackers, etc); Politically motivated protests against Western interests; Politically motivated protests against globalisation; Other (please specify).

[Chart: the percentages 1, 9, 16, 5, 32, 31 and 6 appear in the chart, but the extracted text does not preserve which option each belongs to.]

11. In which region of the world is security risk highest for each of these types of risk, in your view? Please choose one region only.

                                                              North     Latin            Eastern          Risks are same
                                                              America   America   EU     Europe    Asia   everywhere
                                                              (1)       (2)       (3)    (4)       (5)    (6)
 1. Threats to individual members of staff                     6%       42%        2%    13%       13%    24%
 2. Theft of personal items of members of staff                6%       20%        2%    15%       14%    42%
 3. Theft of intellectual property                            21%        2%        7%     5%       34%    31%
 4. Terrorist attacks or alerts                               40%        5%        6%     2%       17%    31%
 5. Disease control measures                                   7%        4%        2%     3%       55%    29%
 6. Competitive espionage                                     30%        1%       11%     3%       13%    42%
 7. Unauthorised access to the network                        34%        1%        2%     7%        5%    51%
 8. Viruses and worms                                         29%        1%        2%     3%        9%    56%
 9. Accidental leaking of information or data                 20%        3%        5%     4%        9%    60%
10. Deliberate leaking of information or data                 27%        2%        4%     6%        6%    55%
11. Deliberate damage to physical assets (building/plant)     18%        8%        2%     8%       11%    53%

12. What industry are you in? % of respondents

Response options: Professional services; Telecoms, software and computer services; Other (please specify); Financial services; Mining, oil and gas; Chemicals and textiles; Electronic and electrical equipment, household goods and products; Healthcare, pharmaceuticals and biotechnology; Food, beverages and tobacco; Construction and real estate; Engineering and machinery; Government and public services; Automotive; Leisure, entertainment, media and publishing; Retailing; Travel, tourism and transport; Aerospace and defence; Agriculture; Utilities.

[Chart: the percentages 4, 4, 4, 14, 16.5, 17, 5, 3, 2.5, 2.5, 2, 1.5, 1.5, 1.5, 1, 1, 0, 2.5 and 15 appear in the chart, but the extracted text does not preserve which industry each belongs to.]

13. What were your company's revenues in US dollars in 2002? % of respondents

Response options: Less than $500 million; More than $8 billion; $500 million to $1 billion; $1 billion to $3 billion; $3 billion to $8 billion; Not applicable.

[Chart: the percentages 9, 10, 4, 57, 14 and 6 appear in the chart, but the extracted text does not preserve which revenue band each belongs to.]

14. Would you like to receive a copy of the survey results and analysis, when they are published? % of respondents

Yes 95

No 5

15. Would you like to be kept informed of future Economist Intelligence Unit surveys? % of respondents

Yes 98

No 2


Whilst every effort has been taken to verify the accuracy of this information, neither The Economist Intelligence Unit Ltd., Nortel Networks nor their affiliates can accept any responsibility or liability for reliance by any person on this white paper or any of the information, opinions or conclusions set out in the white paper.

LONDON
15 Regent Street, London SW1Y 4LR, United Kingdom
Tel: (44.20) 7830 1000   Fax: (44.20) 7499 9767

NEW YORK
111 West 57th Street, New York, NY 10019, United States
Tel: (1.212) 554 0600   Fax: (1.212) 586 1181/2

HONG KONG
60/F, Central Plaza, 18 Harbour Road, Wanchai, Hong Kong
Tel: (852) 2585 3888   Fax: (852) 2802 7638