Security Leaders Give IT a C+ Grade
Corporate America has made some significant strides in information security, but it's not enough. IT will have to up its game to battle better organized and more sophisticated cyber criminals.
It's not good enough, however.
Corporate IT managers will have to pick up the pace and implement far better security to combat cyber criminals who are far more organized, well-funded and sophisticated than ever before, say industry observers. The threat to corporate networks is escalating at a dramatic rate and IT professionals have a daunting job in front of them to beat it back.
"In the last few years, there were some fairly easy things to do to improve security -- keep patches up-to-date, system monitoring, install firewalls and anti-virus software," says James Lewis, a senior fellow at the Center for Strategic and International Studies, a non-partisan research center based in Washington, D.C. "Now, we have much more sophisticated threats and cyber criminals. Just doing the basic stuff won't do it anymore. You have some sophisticated opponents out there who just won't be deterred by a firewall."
The most dangerous threat today, by far, is cyber crime.
"We haven't had an electronic Pearl Harbor and I don't think we will," says Lewis, who adds that terrorists want an attack that will look terrifying on TV, and knocking out networks, however costly, doesn't provide that visual. "People are changing their perspective. It may not be cyber terrorism that bothers them anymore. They're more worried about cyber crime. And they should be."
IT professionals and corporate executives should be concerned because cyber criminals simply are far more capable of causing damage than ever before. And the type of damage they're causing is changing, as well. Long gone are the days when a teenager would hack into a site to crash it or leave digital graffiti. Viruses are generally no longer aimed at crashing computers or taking down servers.
Today, it's all about making money. Criminals are using stealthy and highly targeted Trojans at a greater rate to steal personal, financial and sensitive company information. They're purposefully not crashing the computers. They want the machines up and running, enabling them to steal greater amounts of information.
Hackers, spammers and virus writers have turned professional, and they're teaming up, selling or sharing botnets and lists of stolen email addresses. And organized crime now is in on the game, putting more financial backing behind it and expanding the criminal network.
"Just a few years ago, it was some teenager in a garage," says Lewis. "Now, it's professionals. They have their own websites, tools and their own industry. There are people who sit around and dream up new hacking tools and they offer them up for sale or rent on these hacking websites... You can rent botnets. You can rent email addresses. There's freeware hacking tools. There's been a great growth in this criminal sub-culture."
IT Earns a C+ Average
Howard Schmidt, former White House security advisor and now president and CEO of R&H Security Consulting LLC, says companies have really stepped up to the plate and dug in behind greater security efforts. And it's made a difference.
"We are making progress," he told Datamation in a one-on-one interview. "It's like a really good football game. We may not be scoring a touchdown every quarter but we are moving the ball forward. There's been a national movement on cyber security that is making this better."
Schmidt, who gave corporate IT a C+ grade, says there have been several incidents that shook corporate executives up enough to loosen the purse strings and dole out cash and IT staff to upgrade their security. While Y2K didn't shut down anyone's bank account or send people scurrying to their well-stocked bunkers, it did make CEOs start thinking about all the information sitting on their networks. Add to that fear factor the distributed denial-of-service attack that hit well-known websites like CNN back in 2000, and then the arrival of malware like Code Red and Nimda that hit networks around the world. It all added up to what amounted to a wake-up call for information security.
"We've been better about making security part of our operations," says Schmidt. "Many companies have moved the security function to an executive level position. It's a highly visible and valuable position now. And the more visibility you get, the more attention will be paid to it."
During a panel discussion on national cyber security at the conference, Schmidt told the audience that it has been a year since he's had a phishing email in his inbox. And he also noted that it has been two years since the industry has had to deal with a major cyber incident. "We're not just dumb lucky," he says. "We've worked hard for this."
But Paul Kurtz, executive director of the Cyber Security Industry Alliance, a security advocacy group based in Arlington, Va., isn't quite as upbeat about the industry's position.
"Businesses are starting to understand that information is an asset and they need to protect it," says Kurtz, who also gave corporate IT a C+ grade. "In many cases, they're coming to it a little late and a little grudgingly. They've really learned the hard way... Giving them an A or a B would be a huge mistake."
Read on to find out which sectors stand out in IT security, and how the government's performance was graded.