
"It Doesn't Pay to Pinch Pennies for Cyber Security" by Stan Crock (BusinessWeek)


If companies spend wisely, they'll save themselves major headaches -- and serious money -- later

For companies dabbling in e-commerce -- and that's just about every corporation these days -- here's a simple truth to remember about Internet security: You'll have to pay now or pay later. In the wake of cyber attacks on some popular Web sites, it's already clear that companies can spend a little now for safeguards to thwart incursions -- or fork over far more down the road if their businesses are sabotaged.

Sure, harried systems administrators are more worried about computers crashing every day than about electronic vandals hurting a company in the future. But money spent on protection is a wise investment. And some players in the private sector should use their leverage to make sure companies pony up. For example, insurers should demand higher premiums from companies that don't take cyber security seriously. Accountants should play a role, too, by setting computer-security standards. The loss of trade secrets or customer lists, or an inability to conduct transactions on the Net for an extended period, could have a material impact on a company. If a client is at risk for any of these things, perhaps its auditor should qualify its opinion.

Any company that balks at adopting state-of-the-art security doesn't understand what's at stake. Says a top Clinton Administration official: "The trade-off is really 'Should I spend $15 to improve my security, or am I willing to take the risk of basically shutting the company down at some point in the future because my systems have been compromised, or my data have been lost?'"

REVERSE ROLE MODEL.   As part of a broad security program, companies need to join in industrywide groups to share information about vulnerabilities and threats. The banking industry already does this, and other businesses should follow its lead. The federal government also is linking agencies together to coordinate the efforts of the law enforcement and intelligence communities.

Ultimately, the Clinton Administration would like to see a voluntary government-industry partnership where information and technology tips would be swapped. This scheme might require a change in the law so that the information that industry provides to government agencies won't be subject to Freedom of Information Act requests. That's reasonable.

The government can't and shouldn't do anything by fiat. But it can make sure its servers and routers aren't misused -- an area with plenty of room for improvement. "We're a model right now," says one government official. "We're a model of what you don't want to do."

In a 1998 Pentagon war game called "Eligible Receiver," for example, some National Security Agency computer geeks were given just two weeks to try to penetrate the Pacific Command. Under the ground rules, they couldn't violate U.S. law and had to use off-the-shelf equipment. They made some pretty screen savers with trap doors, which Pacific Command computer operators loaded onto their screens. Then the screen savers went to work. They didn't cripple the command, but they did severely degrade its ability to respond. White House officials believe such attacks are likely, as adversaries, unable to defeat the U.S. by conventional means, treat cyberspace as another theater of conflict.

CLOGS IN THE PIPELINE.   Civilian government agencies must act, too. They often handle information, such as the consumer price index, that can be valuable to stock and bond traders if they get a whiff of the data early.

Many of the safeguards that companies and the government must adopt are mundane, from frequent changes of passwords to properly training employees to buying up-to-date security software. But computer overseers also must broaden their outlook. Most of the focus in the past has been on monitoring incoming traffic to make sure no viruses or thieves penetrate a network. The recent cyber attacks suggest that companies must look at another dimension: what's going out from the network. In the recent rash of cybercrime, some servers were unwittingly used to send out floods of data to clog up Web sites. If those systems had monitored outgoing messages, they would have seen the anomalies and stopped them.
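The egress-monitoring point above, as an added example that is not from the article or from any product it mentions: a small Python check that parses constructed outbound flow-log lines, compares each internal host's outbound packet count for the current window against a per-host baseline of earlier windows, and flags hosts that are both far above their baseline and pushing nearly all of that traffic at a single external destination, which is the pattern of a server unwittingly pressed into a flooding attack. The log format, host addresses, baseline figures and thresholds (`factor`, `concentration`) are all assumptions made for the example.

```python
"""Egress anomaly check over constructed outbound flow records (example only).

A flow-log line is assumed to look like:
    2000-02-10T09:05 src=10.0.0.7 dst=198.51.100.20 pkts=45000
Each line summarises one five-minute window of traffic from an internal
source host (src) to one external destination (dst).
"""
import re
from collections import defaultdict
from statistics import median

FLOW_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+pkts=(\d+)")

# Constructed baseline: outbound packets per window for three internal hosts
# over the four previous windows (these figures are made up for the example).
BASELINE_WINDOWS = {
    "10.0.0.5": [1200, 1100, 1300, 1250],
    "10.0.0.7": [300, 280, 320, 310],
    "10.0.0.9": [5000, 5200, 4800, 5100],
}

# Constructed current window. 10.0.0.7 is normally quiet but is now sending
# far more than usual, all of it to one destination.
CURRENT_LOG = """\
2000-02-10T09:05 src=10.0.0.5 dst=203.0.113.10 pkts=600
2000-02-10T09:05 src=10.0.0.5 dst=203.0.113.11 pkts=650
2000-02-10T09:05 src=10.0.0.7 dst=198.51.100.20 pkts=45000
2000-02-10T09:05 src=10.0.0.9 dst=203.0.113.30 pkts=2500
2000-02-10T09:05 src=10.0.0.9 dst=203.0.113.31 pkts=2600
"""


def parse_flows(text):
    """Return (src, dst, packets) tuples; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            flows.append((m.group(1), m.group(2), int(m.group(3))))
    return flows


def aggregate(flows):
    """Total outbound packets per host, and per host per destination."""
    per_host = defaultdict(int)
    per_host_dst = defaultdict(lambda: defaultdict(int))
    for src, dst, pkts in flows:
        per_host[src] += pkts
        per_host_dst[src][dst] += pkts
    return per_host, per_host_dst


def find_anomalies(flows, baseline, factor=10.0, concentration=0.9):
    """Flag hosts whose outbound volume exceeds factor * median baseline.

    A flagged host whose top destination receives at least `concentration`
    of its packets gets the action "rate-limit"; otherwise "investigate".
    Hosts with no baseline are reported so the gap itself is visible.
    """
    per_host, per_host_dst = aggregate(flows)
    findings = []
    for host in sorted(per_host):
        total = per_host[host]
        history = baseline.get(host)
        if not history:
            findings.append({"host": host, "packets": total,
                             "reason": "no baseline", "action": "investigate"})
            continue
        base = median(history)
        if total <= factor * base:
            continue  # within the expected envelope for this host
        top_dst, top_pkts = max(per_host_dst[host].items(), key=lambda kv: kv[1])
        share = top_pkts / total
        findings.append({
            "host": host,
            "packets": total,
            "ratio": total / base,
            "top_dst": top_dst,
            "top_share": share,
            "reason": "outbound volume above baseline",
            "action": "rate-limit" if share >= concentration else "investigate",
        })
    return findings


if __name__ == "__main__":
    for f in find_anomalies(parse_flows(CURRENT_LOG), BASELINE_WINDOWS):
        print(f)
```

The median baseline is deliberately per host: a busy server sending 5,000 packets a window is normal, while the same count from a host that usually sends 300 is not, so a single network-wide threshold would miss the latter or drown in alerts from the former.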

Clearly, an immense amount of work must be done. And it'll cost money. But companies must realize they have little choice. They can have short-term savings or a long-term increase in risk. Whatever the cost of security, it will be far cheaper than seeing e-commerce and one business after another go down the tubes.
