MONTREAL – Fear of security breaches is causing some organizations to unplug their internal networks from the Internet altogether, according to an expert who spoke this week at the 17th annual World Computer Congress.
In
a struggling economy, where every dollar spent on technology has to be justified, finding the return on investment for security is often a tough proposition, said Charles Wordsworth, president of the Canadian Information Processing Society, or CIPS.
“”We’re seeing this happen more often,”” said Wordsworth, “”and it’s not too surprising”” because instead of paying the price for not making an adequate investment, they mitigate risk by disconnecting their own IT systems from the public network.
The price for insecure computer systems is high. Cyber attacks cost some 500 U.S.-based organizations more than US$450 million last year, according to a survey by San Francisco-based Security Institute.
One of the obstacles enterprises face in determining how much of their budgets to allocate to IT security is the lack of a solid business case outlining the return-on-investment analysis.
Few IT consultants and service providers have been able to offer concrete answers in this pressing question, but there is one area in which ROI can be easily measured, said Eric Hebert, principal consultant at Fujitsu Consulting (formerly DMR) in Montreal.
If security is built into an application during the development phase, Hebert told an audience of academics and IT professionals, there is a guaranteed return on that investment of 21 per cent.
“”Most attacks come through the application, so building security into the application is extremely valuable,”” he said.
Experts suggest ROI has been difficult to quantify because many organizations have not even thought about the cost associated with a slowdown or stoppage in their businesses.
“”And beyond that, they often can’t even identify which business processes are critical,”” said Hebert.
A lack of information around reporting of incidents is another stumbling block in the adoption of a security framework. According to Wordsworth, only a handful of people in law enforcement agencies across the country have a real understanding of computer security. That might explain why only a small percentage of incidents are actually reported to the police.
Government is not helping the problem, said Wordsworth.
“”We don’t have a huge amount of legislation in Canada compared to the U.S.,”” he said. “”There’s no significant financial contribution from the Canadian government for cyber protection.””
But companies that expect technology alone to solve their IT security problem are in for a shock, because technology is just one weapon in the security arsenal, said Hebert. Even biometric products — which was once heralded as the crown jewel of security — have been successfully penetrated by hackers.
“”You can bypass, pretty easily biometric defences,”” said Hebert. “”A latent image stays on the scanner once you’ve pressed it. By reviving the ridges of someone’s finger, you can authenticate the user a second time.””
Both Hebert and Wordsworth agreed there are actions companies can take to properly defend themselves against cyber attacks. One defence that doesn’t require a huge investment is organizing discussions by sector on best practices within that community, said Hebert.
“”There’s a lot of expertise within these sectors and by getting together and sharing that information, all members of the community would be better informed,”” said Hebert. “”People are getting tired of hearing scary stories; they know they’re insecure. What they want is a recipe to tell them how to minimize their vulnerability.””
Most companies recognize that good IT security is a never-ending cycle. Just as the next generation of hackers is engineering new threats, companies need to be vigilant in updating their defence strategies, he added.
“”Any company that hasn’t the whole security picture in mind will fail miserably at handling these threats,”” said Hebert.
Almost 500 academics and IT professionals from around the world are participating in IFIP’s World Computer Congress, which continues until Friday. IFIP is a non-profit organization, established in 1959 to foster international cooperation on IT issues.
Comment: [email protected]
