Even before the so-called SQL Slammer worm choked Internet traffic in late January, two organizations that gather reports of vulnerabilities (exploitable flaws in IT infrastructures) and incidents (viruses, worms, hacker attacks) had released new figures that gave cause for concern. The CERT Coordination Center at Carnegie Mellon University showed reported vulnerabilities nearly doubling and actual incidents up 56 percent. Symantec Corp., a computer-security products and services firm that not only tracks client reports but also gathers data from various computer-security groups, found a similar rise in vulnerabilities but a slight decline in cyber attacks: from 32 per company per week to a mere 30.
The financial losses are impossible to quantify, although that hasn’t stopped some organizations from trying. The Computer Security Institute puts the aggregate corporate losses during the past five years at $1 billion-plus, but differences in how companies arrive at their individual figures — not to mention the refusal of many to cite a figure at all — almost certainly mean the true cost is much higher.
Ever-present external threats aren’t the only issue affecting computer security: regulatory pressure continues to mount. Next month, final HIPAA (Health Insurance Portability and Accountability Act of 1996) regulations go into effect, forcing not only health-care providers but also insurance companies and employers that self-insure to adopt stringent measures for protecting client/employee data. Liability issues extend beyond health care, as Eli Lilly & Co. and Microsoft Corp. discovered last year when the Federal Trade Commission (FTC) found both at fault for mishandling consumer data. In January, concerns about privacy even trumped worries about terrorism, when the Senate voted to restrict the Pentagon’s Total Information Awareness program, which addresses in part how data can and can’t be shared among various government entities.
Computer security, therefore, is being driven not only by companies’ need to protect themselves from the explicit damage a hacking incident or other security violation may cause but also by potential liability, whether regulatory, contractual, or criminal. To some degree, of course, the solution is technological, and many efforts are under way to make computers harder to penetrate and violations easier to track. In January, researchers at the University at Buffalo announced they were developing a new class of software that would profile network users and spot deviations in behavior that could signal ill intent. In the commercial sector, new products announced that same month ranged from Symantec’s ManHunt Smart Agent to an automated approach to patch management from Ecora Corp.
In fact, the Web sites of nearly every computer-security software or services firm tout recently unveiled products. But many experts say the explosion in security products is part of the problem, because it encourages ad hoc buying at the expense of a sensible strategy. Mark Doll, Americas director of security and technology solutions for Ernst & Young LLP and co-author of Defending the Digital Frontier, says that only 10 to 20 percent of the largest global companies have a stated strategy for computer security. “Many more have a sort of overarching technical theme,” he says, “but they fail to relate it to the overall risk posture of the organization.”