The potential risks of intrusion, theft, sabotage or downtime to your company's network may be larger than you think, despite attempts to keep your system secure. An astonishing number of companies have experienced some sort of unauthorised access to their networks and, despite a deluge of information on network security, the number of incidents is increasing.
According to the 2000 Computer Crime and Security Survey [1], conducted in March 2000 by the Computer Security Institute (CSI) in association with the Federal Bureau of Investigation (FBI), 90% of the 273 organisations surveyed (mostly large organisations and government) detected computer security breaches within the previous 12 months. Of those, 74% acknowledged financial losses due to computer breaches, totalling $265.5 million, an increase of $145.5 million over a similar 1997 survey. Results also showed an increase over the previous year in financial losses in almost every category.
These are frightening statistics for the world of reinsurance, where not only the reinsurer's own information is at risk but also the data it holds on its clients, with the potential for millions of dollars in losses and legal liability.
Many larger reinsurance companies are proactive when it comes to network security - some organisations even have a dedicated security person on staff. However, there are still a number of companies that do not dedicate the necessary resources to security, or are not concentrating on the real issues.
In many cases senior management is not prepared to spend much on network security because it does not understand the risks, leaving IT managers to make decisions with limited resources. Where funding is not the constraint, much security spending attempts to solve the wrong problem. While a lot of time is spent worrying about attacks from outside the organisation, including from the internet, the CSI/FBI survey indicates that 71% of respondents detected unauthorised access by insiders, compared with 25% who detected penetration from outside. Other reported abuses include denial of service attacks (27%), employee abuse of internet access privileges (79%) and computer viruses (85%).
What steps should you take?
Reinsurance companies concerned with security need to ask themselves two questions: how much is the company's data worth, and how long can the company afford to have its IT infrastructure unavailable because of unauthorised access? The answers determine how far the IT manager will want to go in implementing security measures.
While it is difficult to protect against all threats, a number of practices provide better security. Dwayne Trott, security consultant at the CCS Group in Bermuda, explains that a sound security practice must include the proper detective, corrective and preventative controls.
He lists a number of considerations:
1. As a company policy, consider security as a fundamental component of system setup and design.
2. Attempt to prohibit the transmission of plain text passwords over networks.
3. Remember the human factor - if security measures are difficult to remember or time consuming, users will circumvent them for convenience.
4. Use security tools to scan critical servers for operating system and application vulnerabilities whenever there are infrastructure changes, and in any case quarterly.
5. Maintain software that is free of known security holes by doing regular updates.
6. Keep track of security developments and be proactive in taking preventative action.
7. Keep good logging and auditing practices.
8. Keep thorough backup practices and procedures.
9. Provide effective network and system monitoring using intrusion detection systems.
10. Conduct regularly scheduled audits, at least once a year and preferably by an outside consultant.
11. Clearly define policies and procedures to include topics such as disaster recovery, security breach recovery etc.
12. Implement a tiered security strategy - do not depend on a single point of failure.
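Items 7 and 9 on the list (logging and auditing, and monitoring for intrusions) are only useful if someone, or something, actually reads the logs. The script below is an added example, written for this page and not code from the article, from Dwayne Trott or from the CCS Group, of the kind of routine audit a small IT team can run over authentication logs. The log format, host names, account names and addresses are all constructed for the example; the line format is an assumed simplified syslog-like layout, not that of any real product. It flags three things: a burst of failed logins against one account from one source (password guessing), a successful login immediately after a run of failures from the same source, and a successful login for an account from a source address not seen for that account earlier in the audited period. The last check fires for an internal address as readily as for an external one, which matters given the survey's finding that most detected misuse came from insiders.

```python
"""Audit authentication log lines for password guessing and unusual logins.

Added example for this page; not from the article or the CCS Group.
Log format (assumed, constructed for this example):
    <ISO timestamp> <host> login <OK|FAIL> user=<name> from=<ip>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a normal user with one typo, an account that
# is guessed at from outside and then logged into, and the same normal
# user later appearing from an internal address not seen before.
SAMPLE_LOG = """\
2000-06-01T08:02:11 claims01 login OK user=jsmith from=10.1.4.22
2000-06-01T08:03:40 claims01 login FAIL user=jsmith from=10.1.4.22
2000-06-01T08:03:52 claims01 login OK user=jsmith from=10.1.4.22
2000-06-01T22:14:01 claims01 login FAIL user=admin from=192.0.2.55
2000-06-01T22:14:03 claims01 login FAIL user=admin from=192.0.2.55
2000-06-01T22:14:05 claims01 login FAIL user=admin from=192.0.2.55
2000-06-01T22:14:08 claims01 login FAIL user=admin from=192.0.2.55
2000-06-01T22:14:10 claims01 login FAIL user=admin from=192.0.2.55
2000-06-01T22:14:12 claims01 login OK user=admin from=192.0.2.55
2000-06-02T09:00:00 claims01 login OK user=jsmith from=10.1.4.22
2000-06-02T13:30:00 claims01 login OK user=jsmith from=10.1.9.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse(log_text):
    """Parse matching lines into dicts; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production audit would count and report these too
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """(user, src, count) for each pair with >= threshold FAILs in any window.

    Uses a sliding window over the sorted failure times of each pair, so a
    slow trickle of failures spread over a day does not trip the check.
    """
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[(e["user"], e["src"])].append(e["ts"])
    alerts = []
    for (user, src), times in fails.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((user, src, best))
    return alerts


def success_after_failures(events, min_failures=3):
    """(user, src) for an OK login that follows >= min_failures straight FAILs
    from the same source: the signature of a guess that eventually worked."""
    streak = defaultdict(int)
    alerts = []
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "FAIL":
            streak[key] += 1
            continue
        if streak[key] >= min_failures:
            alerts.append(key)
        streak[key] = 0
    return alerts


def new_source_logins(events):
    """(user, src) for an OK login from an address not previously seen for
    that user in the audited period. The user's first appearance sets the
    baseline and is not reported."""
    seen = defaultdict(set)
    alerts = []
    for e in events:
        user, src = e["user"], e["src"]
        if e["result"] == "OK" and user in seen and src not in seen[user]:
            alerts.append((user, src))
        seen[user].add(src)
    return alerts


def audit(log_text):
    """Run all three checks and return their findings in one dict."""
    events = parse(log_text)
    return {
        "bursts": failed_login_bursts(events),
        "guessed": success_after_failures(events),
        "new_source": new_source_logins(events),
    }


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_LOG).items():
        print(name, findings)
```

The thresholds (five failures in five minutes, three straight failures before a success) are starting points, not standards; tune them against a week of your own logs before acting on the output, and review the new-source findings with the people who own the accounts, since a laptop moved to a new desk produces the same signal as a stolen password.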
Audit your system and practices
If you need a detailed look at how well your company is protected from intrusion, an audit by an outside consultant is recommended, even for companies with an in-house security resource. An in-house person may tend to focus on equipment rather than on implementing the necessary practices; an outside consultant can take an objective look at the organisation's network and find holes an insider may overlook.
A number of networking companies are beginning to offer audit services to analyse the system and determine what types of risks exist, and what assets are most vulnerable in the event of a network intrusion.
Practices, policies and procedures
A corporate policies and procedures manual should be developed and adhered to by all employees. This manual should include a list of standards including, but not limited to, passwords, vendor access to network, breach of network security, backup procedures and virus protection. The manual must be endorsed by the company's executive and understood by all to be a valuable tool in ensuring the safety of the company. Again, a number of networking service providers now offer this type of service.
Enterprise security products
Proper policies and procedures are only one aspect of protecting your enterprise. Many people consider a firewall to be all the protection a network needs. While the firewall plays an important role as a main line of defence, your security should not stop there. You may also need to invest in additional equipment and software to protect your network; these needs should be identified during a network audit.
The software, hardware and internal security measures you adopt will depend on a number of factors unique to your organisation. You may need only a few additional products, or a full suite of security measures. Remember, however, that regardless of the size of your organisation there is always a danger of intrusion, theft, downtime or other risks to your network if your infrastructure is not sufficiently protected. In the age of the computer, investing in effective security measures is good insurance for your network.
[1] The CSI/FBI survey is available at www.gocsi.com/prelea_000321.htm