A Business Guide to Information Security
192 pages; $33.37
In Chapter 1 of A Business Guide to Information Security, author Alan Calder identifies six future risks to information security and explains how they will affect individuals and organizations.
There are a number of trends that lie behind these increases in threats to information security, which, when taken together, suggest that things will continue to get worse, not better:
The use of distributed computing is increasing. Computing power has migrated from centralized mainframe computers and data processing centres to a distributed network of desktop, laptop and micro-computers, and this makes information security much more difficult.
There is a strong trend towards mobile computing. The use of laptop computers, Personal Digital Assistants (PDAs), mobile phones, digital cameras, portable projectors and MP3 players has made working from home or on the road relatively straightforward, with the result that network perimeters have become increasingly porous. There are many more remote access points to networks, and the number of easily accessible endpoint devices has increased dramatically, increasing the opportunities to break into networks and steal or corrupt information.
- There has been a dramatic growth in the use of the internet for business communication, and the development of wireless, VoIP and broadband technologies will drive this even further. The internet provides an effective, immediate and powerful method for organizations to communicate on all sorts of issues. This exposes all these organizations to the security risks that go with connection to the internet:
Better hacker tools are available every day, on hacker websites that, themselves, proliferate. These tools are improved regularly and, increasingly technologically proficient criminals – and computer literate terrorists – are thus enabled to cause more and more damage to target networks and systems.
- Increasingly, hackers, virus writers and spam operators are cooperating to find ways of spreading more spam: not just because it's fun, but because direct e-mail marketing of dodgy products is lucrative. Phishing and other internet fraud activity will continue evolving and will become an ever bigger problem. This will lead, inevitably, to an increase in blended threats that can only be countered with a combination of technologies and processes.
Widespread computer literacy. While most people today have computer skills, the next generation is growing up with a level of familiarity with computers that will enable them to develop and deploy an entirely new range of threats. Instant messaging is an example of a new technology that is better than e-mail, because it is faster and more immediate, but which has many more security vulnerabilities than e-mail. We will see many more such technologies emerging.
Wireless technology -- whether WiFi or Bluetooth -- makes information and the internet available cheaply and easily from virtually anywhere, thereby potentially reducing the perceived value and importance of information and, certainly, exposing confidential and sensitive information more and more to casual access.
- The falling price of computers has brought computing within most people's reach. The result is that most people now have enough computer experience to pose a threat to an organization, if they are prepared to apply themselves just a little to take advantage of the opportunities identified above.
What does this all mean, in real terms, to individuals and to individual organizations?
No organization is immune. Every organization, at some time, will suffer one or more of the abuses or attacks identified in these pages.
- Individual and business activity will be disrupted. Downtime in business critical systems (such as ERP, enterprise resource planning, systems) can be catastrophic for an organization. However quickly service is restored, there will be an unwanted and unnecessary cost in doing so. At other times, lost data may have to be painstakingly reconstructed and, sometimes, it will be lost forever.
- Privacy will be violated. Organizations have to protect the personal information of employees and customers. If this privacy is violated, there may – under data protection and privacy legislation -- be legal action and penalties, including against directors individually.
- Organizations and individuals will suffer direct financial loss. Protection in particular of commercial information and customers' credit card details is essential. Loss or theft of commercial information, ranging from business plans and customer contracts, to intellectual property and product designs, and industrial know-how, can all cause long-term financial damage to the victim organization. Computer fraud, conducted by staff with or without third-party involvement, has an immediate direct financial impact.
- Reputations will be damaged. Organizations that are unable to protect the privacy of information about staff and customers, and which consequently attract penalties and fines, will find their corporate credibility and business relationships severely damaged and their expensively developed brand and brand image dented.
The statistics are compelling. The threats are evident. No one can afford to ignore the need for information security. The fact that the threats are so widespread and the sources of danger so diverse means that it is insufficient simply to implement an anti-virus policy, or a business continuity policy, or any other standalone solution. A conclusion of the CBI Cybercrime Survey 2001 was that 'deployment of technologies such as firewalls may provide false levels of comfort unless organizations have performed a formal risk analysis and configured firewalls and security mechanisms to reflect their overall risk strategy'. Nothing has changed.