TORONTO – Canadian companies are giving more thought to implementing security technology in their enterprise in the wake of 9/11, but a panel of experts at Comdex Canada 2002 said the processes around the technology are just as important.
A great deal has changed since September 11,
said Paul Wing, president of OECK Security. “Initially the reaction was, obviously, to build business continuity plans. . . . Budgets were diverted there.”
September 11 has been a wake-up call for many organizations, said Jack Sebag, Canadian general manager of Network Associates. Many were looking at security and devising plans prior to the event. Now they are doing security, not just looking at it, said Sebag.
Network Associates makes the popular anti-virus software McAfee, and while many enterprises have been using it for some time, said Sebag. “What a lot of companies weren’t doing was keeping it updated and having the infrastructure to recover quickly from a virus outbreak. I think a lot more companies are now aware that they need to have policies on how to deal with these outbreaks should something serious happen.”
The act of terrorism may have been a call to action, but that action hasn’t been sustained, said Wing.
“Since then there has be very little concerted effort around information security. People really don’t know where the next wave is going, and are frankly disappointed in the products that they’ve been trying to work with to secure the Web and properly identify and authenticate their customers.” The focus primarily has been on the disaster recovery side, he said.
It’s not enough to just implement the technology, said Neil Rerup, senior security consultant with EDS Canada. It’s about following through. “Security is a process, it’s not a technology. Just putting the products into place isn’t enough.”
Rerup said most companies are dedicating enough resources to make sure their enterprise is secure. “A lot of people are depending on the technology and not on the process that goes around it,” he said. “They’ll put the McAfee software on and expect it to do the job.” However, it won’t be effective if they’re keeping the software updated, said Rerup.
The profile of security has definitely been elevated since September 11, said Trevor Bain, senior vice-president of commercial applications for Kasten-Chase. Senior management is now looking to see if resources are being applied and policies being followed, or even devised, said Bain, because they now understand the issues at stake.
Bain said there are two main categories of threats. The one most relevant to 9/11 is the threat to infrastructure. “Organizations have to make sure that they have infrastructures that can be defended from attacks.”
The other threat is to privacy, said Bain, and organizations are realizing they must keep their data confidential as well as that of their customers.
Sebag said the threats are becoming more complex and more dangerous. “Last year, our anti-virus emergency response team received 10,000 samples a month, of which about 800 were real viruses,” he said. “We are now down to about an average of 300 real viruses, but these are a lot more dangerous, a lot more threatening.
“What we are seeing is that these are blended threats, what I would call a Molotov cocktail of previous threats all rolled up into one.” These combinations could include both the Nimda virus and Code Red worm, said Sebag.
Government legislation regarding privacy is forcing organizations to better pay attention to security-related issues, noted Rerup, and bringing it to the executive level.