Given the financial implications a network attack can have, failing to defend against a serious network attack becomes a failure of fiduciary responsibility. The CEO, as the chief trust officer, must therefore be actively involved in securing the company's network.
Although the law is still developing, lawsuits over network security failures have started and the U.S. Department of Justice predicts that such shareholder lawsuits will only become more frequent.
One case involved intruders who hijacked the Web site of Nike, the athletic equipment company. The hackers redirected Nike.com's traffic through the Web servers of a U.K. company. The traffic bogged down the company's servers, and the company threatened to sue Nike for failing to secure its own Web page sufficiently. Nike denied the charge, and one legal expert said it was unlikely that Nike or its Internet service provider (ISP) could be held liable under current case law. According to a Nike spokesperson, the lawsuit is still in its early stages.

Unfortunately, total network security is expensive. No company can afford the highest level of trusted network security at all times for all information. There is a risk/cost/performance trade-off at every point. CEOs and boards of directors - with help from their CIOs - need affordable and enforceable network security policies based on risk management. The key to such policies is to assess the following:
- The value of information to the company
- The risk to the company if the information is compromised
- Threats that can exploit the information.
Some information needs no security and other information needs maximum protection to a point where it might not be allowed on a network in the first place. Network security policies establish the level of secure network design, integration and operation a firm can afford. The policies, if correctly developed, also recognize that network security is dynamic and based on a balanced mix of disciplines adjusted to changing threats.
Network security is a continuous environment of attack identification and defense. No network is secure enough to withstand every attack. Defense includes monitoring, managing, predicting the source of the next attack, correlating suspicious events, understanding intruders and taking proactive steps to establish a secure network environment.
The criteria used for evaluating network security within one's company and among partner companies are critical. CEOs and CIOs are generals erecting active defenses in highly mobile warfare. To date, most of the publicized attacks on networks have been inconvenient, time-consuming and, in some cases, expensive pranks. It is a thin line, however, that separates adolescent stunts from criminal mischief. Some email viruses, such as the "911 Worm," can erase hard drives. The Winword/Wazzu virus changes clauses in documents. The Laroux "data diddler" virus alters numbers in spreadsheets.
Educating the board
A challenge CEOs face is how to educate the company's board of directors about the dimensions and seriousness of network security. Boards have an advisory role in helping CEOs formulate security policy that protects a company's reputation and ability to do business, and boards should review security policy implementations at least twice a year. Board members today are often aware of network security threats in general, but they might not be aware of specific threats to companies or of the seriousness of the problems they can cause.
CEOs should make available to board members relevant statistics on network security trends as a matter of course. For example, the annual Computer Security Institute (CSI)/FBI study is the authoritative study available on computer crime. Industry analysts also publish regular reports on network security issues that are useful in educating board members. The Gartner Group recently published a study titled "The Price of Information Security." It reports that, "American companies currently spend an average of 0.4% of their revenue on information security, but that figure will soar to 4% by 2011." Such information is useful to directors considering security policies.
One critical step that CEOs should take is to hire an independent network security firm to conduct a vulnerability assessment. The CEO and the board then have specific information that details precise areas of weakness and potential harm to the company if vulnerabilities are left unprotected.
A strong network security program
What boards, CEOs and CIOs should look for in a strong network security program is the implementation of simple procedures, combined with technologies, at every level of the company - from the CEO to entry-level clerks. While sensitivity has increased since Sept. 11, it has traditionally been difficult to get employees to think about security, especially in democratic societies that abhor secrecy and tend to trust the goodness of others.
Here are three elements that boards, CEOs and CIOs should look for to determine the security level of their networks:
1. Implemented security policies and procedures
Policies and procedures address what information assets and systems need protection, how much protection they need and how long protection must be continued. Implementation puts policies and procedures to work. Most policies fail because they are ignored or unenforceable. The much-discussed security failures at the Los Alamos National Laboratory stemmed partially from an unsuccessful effort to reform the U.S. Department of Energy's secrecy policy and from the psychology of scientists who dislike secrecy when it prevents them from collaborating with one another. Most network vulnerability comes from employee inattention, even when security policies are adequate.
It is the CEO's job to articulate a clear security policy and then enforce it day after day in reminders and by example. Sometimes employees understand how serious the issue is only after the first employee is dismissed for ignoring or thwarting the policy. Other parts of policy implementation include:
- Auditing/security practices that protect networks from outsiders and insiders: Insiders already inside the network defenses often intrude on networks, whether deliberately or not. Proper network defenses erect active barriers that keep both employees and outsiders at bay. Among the practices that companies should have in place are privacy alert statements: employees should know they have no privacy when using company systems. This is a contentious area, especially in relation to employee email, but companies are held responsible for how employees use email systems. Second, companies should employ statistical analyses of system logs to establish employee behavior and provide alerts when behavior varies from the norms. Every network records an individual's time of entry and length of stay. Some record individual activities as well. From this mass of data, a company can determine typical employee work patterns and abnormalities. For example, if an employee works from 9 to 5, five days a week, then suddenly shows up at 2 a.m. on Sunday morning, there should be an alert and follow-up.
- Training and awareness programs: Programs should reach all levels, from executives to entry-level clerks, and should teach network safety, such as password protection, the dangers of bringing in software from home, the risk of opening executable files emailed from unknown sources and the perils of downloading Internet software without authentication.
- Data deletion and destruction policies: Companies don't need to save everything forever. Network security includes getting content off a network in a systematic, rational manner.
- Frequent security tests: These tests should include analyzing systems for vulnerabilities and mass dialing facilities to detect unauthorized modems; use of security-testing products; checks to ensure that the latest patches have been incorporated; and penetration tests to see how easily the network can be breached.
- Contingency plans for network attacks and rehearsals that assure network recovery can be quick.
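The log-analysis practice described above (a baseline of when each employee normally logs in, then an alert when a login falls outside it) can be implemented in a few dozen lines. The following is an added example, not code from the article or from Veridian; the log format, the user names and the timestamps are constructed for illustration, and the one-hour slack is an assumed tuning parameter.

```python
import re
from datetime import datetime
# Constructed sample logs (not from the article): "<ISO timestamp> <user> <event>".
# Baseline week: jdoe logs in Monday to Friday around 9 a.m.; logouts are ignored.
BASELINE_LOG = """\
2001-10-01T08:55:12 jdoe login
2001-10-01T17:10:03 jdoe logout
2001-10-02T09:02:41 jdoe login
2001-10-03T08:48:27 jdoe login
2001-10-04T09:05:10 jdoe login
2001-10-05T08:59:33 jdoe login
"""
# Following week: one normal login, one late-night weekday login, the
# article's 2 a.m. Sunday login, and a user with no baseline at all.
NEW_LOG = """\
2001-10-08T09:01:00 jdoe login
2001-10-09T23:30:00 jdoe login
2001-10-14T02:07:44 jdoe login
2001-10-15T10:00:00 tsmith login
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (login|logout)$")

def parse_logins(text):
    """Yield (user, datetime) for each well-formed login line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) == "login":
            yield m.group(2), datetime.fromisoformat(m.group(1))

def build_profile(text):
    """Per user: (set of weekdays seen, earliest login hour, latest login hour)."""
    seen = {}
    for user, ts in parse_logins(text):
        days, hours = seen.setdefault(user, (set(), []))
        days.add(ts.weekday())
        hours.append(ts.hour)
    return {u: (days, min(h), max(h)) for u, (days, h) in seen.items()}

def find_anomalies(profile, text, slack_hours=1):
    """Return (user, timestamp, reason) for logins outside the user's established norms."""
    alerts = []
    for user, ts in parse_logins(text):
        if user not in profile:
            alerts.append((user, ts, "no baseline for user"))
        elif ts.weekday() not in profile[user][0]:
            alerts.append((user, ts, "login on a day never seen in baseline"))
        elif not (profile[user][1] - slack_hours <= ts.hour <= profile[user][2] + slack_hours):
            alerts.append((user, ts, "login outside usual hours"))
    return alerts
```

Each alert is a starting point for the follow-up the article calls for, not a verdict; a real deployment would age the baseline and treat an unknown account as a provisioning question rather than an intrusion.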
2. Tactical security controls
There are several operation controls that should be standard in a well-protected and trustworthy network. These include:
- Password and access control: A quick way to determine the level of network security is to check if the company assigns passwords or lets employees create their own. Self-chosen passwords are inadequate. Even though employees dislike nonsense passwords of six or seven alphanumeric characters in upper and lower cases, such passwords are more difficult to penetrate. CEOs and CIOs should look for two other features as well - attempt reporting and lockout. If an attempted logon using your name is rebuffed, the system reports to you that the attempt was tried, in case it wasn't you making the attempt. If a person enters the wrong password more than two or three times in a row, the system locks that person out until a supervisor intervenes.
- Anti-viral software on all workstations that is updated frequently. Updating anti-viral software is a mechanical task that can get lost in the pressures of daily network maintenance, but failing to update leaves known doors wide open for hackers.
- Encryption of information in storage or in transit over the network. Surprisingly, this is getting more difficult as computing power catches up with encryption schemes. Long encryption keys are essential now because short keys can be broken in hours at only a modest cost.
- Firewalls that protect information as it enters and leaves the network. Firewalls range from unsophisticated filters to complex rule-based systems. The level chosen should be based on sound risk management. Firewalls should cover all network entry points. One quick way to check network vulnerability is to see if firewalls shield telephone modems. Often they do not. Many firms have erected strong firewalls to protect Internet connections but have left modem ports open and unguarded.
- Back-up systems and frequent backups with offsite storage.
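The two password-control features singled out above, attempt reporting and lockout until a supervisor intervenes, amount to a small piece of state kept per account. The block below is an added example written for this article, not code from the author or from Veridian; the lockout threshold of three, the salted PBKDF2 password hashing and the class and method names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime

MAX_FAILURES = 3  # the article's "two or three times in a row"

def hash_password(password, salt):
    """Salted PBKDF2-SHA256; an assumed scheme, chosen here for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountGuard:
    """Counts consecutive failures per account, locks the account out, and
    reports rebuffed attempts back to the owner at the next good login."""

    def __init__(self):
        self.creds = {}     # user -> (salt, password hash)
        self.failures = {}  # user -> consecutive failed attempts
        self.locked = set()
        self.rebuffed = {}  # user -> timestamps of failed attempts not yet reported

    def add_user(self, user, password):
        salt = os.urandom(16)
        self.creds[user] = (salt, hash_password(password, salt))

    def login(self, user, password, now=None):
        """Return (status, reports): status is 'ok', 'rejected' or 'locked';
        reports lists rebuffed attempts since the user's last good login."""
        now = now or datetime.now()
        if user in self.locked:
            return "locked", []
        # Unknown users get a dummy salt so the hash is still computed (constant work).
        salt, expected = self.creds.get(user, (b"\0" * 16, b""))
        ok = user in self.creds and hmac.compare_digest(
            hash_password(password, salt), expected)
        if not ok:
            self.failures[user] = self.failures.get(user, 0) + 1
            self.rebuffed.setdefault(user, []).append(now)
            if self.failures[user] >= MAX_FAILURES:
                self.locked.add(user)  # stays locked until supervisor_unlock()
                return "locked", []
            return "rejected", []
        self.failures[user] = 0
        return "ok", self.rebuffed.pop(user, [])  # attempt reporting

    def supervisor_unlock(self, user):
        """Supervisor intervention: clear the lock and the failure counter."""
        self.locked.discard(user)
        self.failures[user] = 0
```

A lockout that only a supervisor can clear is itself a denial-of-service lever, so in practice the unlock path and the count of locked accounts should be monitored as closely as the failed logins.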
3. Managed network security services
If network security has been outsourced to vendors that specialize in such services, it is more likely that network security is being addressed properly.
For today's interconnected organizations, failure to protect valuable information assets and systems is a clear failure of due diligence and fiduciary duty that puts a company and its reputation at risk. The foundation of capitalism is trust among consumers, investors and the public. The stock markets of the world reflect this trust. In fact, any price-earnings ratio greater than one is a statement of investor trust and confidence in not just the enterprise but also the underlying financial system. Without network security, public trust is lost, the same trust on which the economic system relies.
There is a lot more riding on network security than meets the eye. It has become a pillar of a system that, for the most part, we take for granted. Like it or not, boards and CEOs are betting their companies on network security.
Langstaff is CEO of Veridian, a 50-year-old provider of trusted enterprise networks and knowledge discovery services. Veridian operates at more than 50 locations in the United States and overseas and employs nearly 5,000 IT professionals. Langstaff is also chairman of Veridian subsidiary Veritect, a leading provider of managed security services to the commercial market. For additional information, visit www.veridian.com, or www.veritect.com.