Even after the Code Red and Nimda worms and the September 11 terrorist attacks, it's still difficult for Bryce Hoverman to get anyone in his organization to take information security seriously.
Security is not a big concern to his managers at the South Carolina Department of Consumer Affairs, said Hoverman, a programmer and analyst. There is no budget for IT security and no talk of creating one. In fact, the department didn't install its first firewall until this spring, when an irate call from a business in Atlanta told the state agency its systems had been used to launch an attack, Hoverman said.
Last fall's terror attacks spurred talk about improving physical security, but such awareness "lasted for about a month or so, and then it fell back into the status quo," said Hoverman.
Even relatively simple suggestions such as strengthening the agency's password policies get the brush-off, Hoverman said. "I can talk about it until I'm blue in the face, but until management decides to put their foot down and do something about it, I'm just spinning my wheels."
Hoverman isn't alone, according to a SearchSecurity.com survey of 500 corporate security and IT personnel. More than half -- 55% -- said they've seen no improvement in their organization's security since last fall's attacks, with another 35% describing their security as "somewhat more effective" and 8% reporting a dramatic improvement (see chart at left). Nor have the attacks changed behavior at most companies. Fifty-seven percent of respondents reported no change in their information security budgets as a result of the September 11 attacks, and 84% report their security staffs have no more clout to enforce security rules than they did before last fall (see chart below, right).
"Americans are so sheltered that they have a tendency to forget things very quickly," said Darin Remington, a systems administrator with eLutions Inc. in Tampa, Fla., an international organization that provides Web-based monitoring and utility management for large corporations. "They don't take the threat of terrorism, whether it be physical terrorism or electronic terrorism, as seriously as other countries do."
"There have been some tactical changes here and there, but no big impacts as of yet," said Gary Dickhart, a security consultant in Houston. September 11 made business managers more aware of security risks, but unless their counterparts in security make concrete proposals for improving security, which also deliver a clear benefit to the business, "it will be a short-lived interest."
Except for high-risk areas like financial services and the military, many organizations are slow to change their attitude that security can, and should, be ignored until it is essential to spend money on it. Changing these attitudes is like turning a huge ship, said Giga Information Group analyst Michael Rasmussen. "The ship has started to change course since September 11," but how long-lasting the effects will be is hard to tell.
For some organizations, September 11 didn't have a big impact on security because improvements were already under way due to the growing threat of cyberattacks. The federal Department of Transportation (DOT) was "getting their program together" to meet tougher federal security regulations, but "management became more aware of the program and started supporting it more strongly after September 11," said Denielle Connelly, a telecom and network security specialist with San Diego-based Titan Systems Corp., which provides IT services for DOT. The department has since stepped up security training for users, grown the IT security staff from three to five, and updated and strengthened contingency plans for coping with a disaster, she said.
One common area of improvement has been the timely application of security patches to applications and operating systems. "As soon as notifications come in now, we spend a little bit extra time and try to apply those patches as soon as we can," said Anthony Horber, vice president and CIO of Telebyte Inc., an Internet service provider in Silverdale, Wash. "We've got a lab set up to actually test the patches in production scenarios with a limited number of clients" before rolling them out companywide, said Darren Shepherd, a systems engineer for Hewlett-Packard Co.'s Services business unit working at a large financial services firm.
Several respondents did wish, though, for better tools to track patches and to make sense of the many alerts generated by various security tools. "I'd love to make my life easier by getting software (that will) notify me when a patch is needed, or even apply the patch," said Horber. He also wants tools that make it easier to spot suspicious traffic through his servers, but in both cases cost is a barrier. "There's a lot of software out there you can use to do monitoring of Web sites, but we're talking $40,000-50,000," he said. "For a small company, we just can't afford it." Budget woes were a big concern for many security managers, as an overwhelming 75% said their companies need to spend more on security (see chart at bottom).
Security managers are also realizing that firewalls alone can't protect every part of the corporate infrastructure, said Giga's Rasmussen. However, "integrating your firewall, your networks and your applications is much more difficult and requires a lot of coordination, a lot of thought" than just installing those individual tools, said Dickhart. He said it's not clear when tools will be available to provide this overall view.
But even without global security management tools, some companies are centralizing security functions to improve coordination and enforcement. At the major financial services company, September 11 strengthened the role of a companywide security team that "works hand-in-hand with the LAN administrators to keep up with the patches," and holds weekly meetings to ensure that the most critical patches have been applied, said Shepherd. At DOT, network engineers and the security staff now have the authority to take a hacked system offline immediately or to immediately disable the account of a user who isn't following proper security policies, said Connelly.
And 42% of respondents to the SearchSecurity.com survey reported that their users and the users' managers have always paid attention to security policies, or that user compliance has always been strong and has increased since September 11 (see chart above left). Users at the Naval Surface Warfare Center at Indian Head, Md., no longer expose their PCs to hackers by playing card games on Web sites, and "I get no static, or very little, coming by to ask if I can check their computer for security issues," said Computer Specialist Penny Gold. But too few managers take advantage of this new level of cooperativeness to tell users how to be "watchdogs" looking out for suspicious behavior, said Dickhart.
As a sign of how much work still needs to be done, 29% of the respondents said their users and managers have always had and still have problems adhering to security policies, and 11% reported users and managers didn't even know what those policies are.
One hopeful sign is that 61% of respondents said they've either always had strong support, or are now getting stronger support than in the past, from management for implementing security measures. The increased backing is "wonderful," said Gold, coming in the form of "e-mails to the employees (and) comments at staff meetings" stressing the need for security.
The center's users now also realize the potential risks they take every time they click on an icon or browse a Web site, she said. That awareness may not mark a sea change in security attitudes to match a newly threatening world, but it's at least a start.
About the author: Robert L. Scheier writes frequently about security from Boylston, Mass. He can be reached at firstname.lastname@example.org.