Security: Just Do It

Hancock says that while security is complex, customers require a lot of help and Cable & Wireless with its “extensive global reach and deep expertise” is able to provide a myriad of needs. For those not totally convinced, Hancock alludes to the fact that C & W is its own largest customer, in that it manages more than 2,000 firewalls internally.

Having one of the world’s largest and fastest data networks, available in approximately 80 countries worldwide, speaks volumes as well. Also, Cable & Wireless by virtue of acquiring Digital Island in July 2001, PSINet Japan in January 2002 and the business assets of Exodus in February 2002, is now the largest hosting provider in the world. And the company’s managed hosting operation, which includes a strong security component, is poised for further growth.

Customers need to outsource because they don’t have the internal capabilities to perform what is needed. “Not everyone can do this,” says Hancock. “You need the proper credentials, training, constant upgrades (to keep up to ongoing legislations)…security changes daily. To survive in today’s environment requires that you clearly understand the security burdens and threats associated with it.”
Quite to the point, Hancock says, “There are a lot of sophisticated attacks and the Internet becomes an interesting vehicle to distribute the attacks and attack tools. It doesn’t take a lot of knowledge to download these tools and run a sophisticated attack. What this means is that sites are under threat right now (because) a very few people can write some ugly tools and make it widely available to a lot of people with no ethics and social conscience whatsoever (who) don’t think twice about sending them off.”

Statistics clearly back this up. A Riptech survey found that that in the first half of 2002 there was a 28 per cent increase in attack activity and that general Internet attack trends are showing a 64 per cent annual rate of growth worldwide.

In the UK, PricewaterhouseCoopers and the UK DTI recently found, 78 per cent of companies surveyed had experienced at least one malicious security incident, with 44 per cent experiencing them within the last year.
Similarly, the 2002 Australian Computer Crime and Security Survey found the level of cybercrime in Australia has doubled since 1999 with 67 per cent of the 300 Australian organizations surveyed reporting incidents of crime including fraud, data sabotage, trojan infection and laptop theft. More alarming is the fact that 35 per cent of these organizations were hit with six or more incidents.

And what about the dollar value? It is estimated that the worldwide impact of malicious code alone was US$ 3.2 billion dollars in the year 2001, with the largest contributors being SirCam at $1.15 billion, Code Red (all variants) at $2.62 billion, and NIMDA at $635 million.

One would think that numbers like these would push those in charge of security to clamp down on measures and put the right solutions in place straight away.

Various surveys show that as a result of the economic downturn, about one third of companies had placed a freeze on security-related spending in 2001. In the PWC/ UK DTI study, 56 per cent of those surveyed were not covered by cyber insurance; 27 per cent had no contingency plans for IT breaches; and only 27 per cent had a documented security policy.

As in most businesses, ROI concerns are at the forefront. Security is no exception, notes Hancock.

“A lot of companies are looking for the holy grail in ROI on security. I haven’t seen a good one yet. But it comes down to basic business practice. Ask yourself: What am I trying to do? What risks am I trying to mitigate? How much is it going to cost me to do it in house versus out of house? How does this work in terms of my ability to execute and continue to drive the business?”

Perhaps more importantly, the question to be grappled with should be ‘could my business survive a security breach?’ With average costs from a serious incident at US$ 50,000 - with reports ranging to the $825,000 mark - business owners had better ask this question pronto.