Internet Security and Business - Part Two
Security is important
While the development of information system security was initiated by the desire to protect sensitive military and scientific information, the arrival of the Internet has brought about a number of changes.
Indeed, one of the promises of the Internet is to offer a genuine mirror of society. Users use the Internet to do a large number of things that they do in real life: have private conversations, store personal documents, sign letters or contracts, talk anonymously, play, vote, publish electronic documents, etc. All these actions rely on the concept of security. For this reason, data security is a fundamental factor in the development of Internet technologies, making it possible to transform the Internet into a genuine tool enabling a business to develop. The limits of security correspond to the limits of the Internet. All businesses and users have security-related needs.
The risks are real. Most security-related problems currently stem from direct risks associated with hacking such as the theft of commercial secrets, customer information, etc. In parallel, productivity losses related to data security problems are the subject of discussion. What are the business's losses if the e-mail system is down for two days? Or, if several people are assigned to restarting the information system after an intrusion?
For example, these global losses are estimated at billions of dollars for viral attacks such as "I LOVE YOU", with a large proportion attributable to productivity losses.
In addition to direct risks, risks of indirect losses are even more important: loss of customers, damage to company image or theft of customer credit card numbers. In parallel, other indirect risks are developing: European countries in general and the UK in particular have very strict legislation on personal data protection. Businesses may be held responsible if they do not have procedures to protect their customers' private data.
Despite all the risks it may represent, businesses have no other choice but to be present on the Internet. The attraction of new markets, new customers, new sources of income and new business models is so strong that businesses will move to the Internet, irrespective of the risks. There are no other alternatives at the present time. For this reason, data security is of paramount importance.
The inadequacy of conventional security solutions
A few years ago, network security was relatively simple. No-one had heard of DoS (Denial of Service) attacks resulting in Web server failures, security faults in CGI scripts or the latest vulnerabilities in Microsoft Outlook Express.
Gradually, Intrusion Detection Systems (IDS), public key infrastructures (PKI), smart cards, VPNs and biometric protection solutions emerged. The new services set up on corporate networks, mobile terminals or other types of hardware regularly put network security to the test. Today, the product offering on the security market is made up of over one hundred references and all these offerings promise total security. These promises are regularly not kept, but it is still possible to hear company directors state: "of course my network is secure, we have installed a firewall".
If the Internet has taught security professionals anything, it is that the concept of security is relative. Nothing is invincible. What is secure today may well not be secure tomorrow. In view of this observation, even large corporations can be attacked by hackers.
Inside attacks should not be forgotten. While attacks initiated and carried out exclusively inside the business do not represent the strongest threat, over half of attacks involve a person inside the business under attack and an outside accomplice.
The direction in which the security market is moving is no longer towards new products but towards innovative processes.
Security and risk management
When network administrators are asked about the reasons for their security needs, they describe the threats to their information system such as modifications to the appearance of a website, data corruption or loss, denial of service (DoS) attacks, viruses and Trojan horses, etc. This list seems to be without end and new events relating to information system attacks prove that these threats are more real than ever.
If the same administrators are asked about the assistance offered by security technologies, they will mention how to prevent attacks. This represents the conventional idea of data security stemming from mentalities in the IT sector: define existing threats and set up technologies to prevent them, including simple and somewhat obvious measures such as online data backup, so that data recovery is possible after an attack.
Businesses manage the risks involved according to their own activity. Data security is part of the process implemented. Several methods exist, depending on the business's specific context.
Take for example the case of a house. When the plans are being drawn up, the customer and the architect can call on a specialist to advise them on the choice of the types of windows, shutters, armoured doors, or alarms according to the assets to be protected. All this equipment provides protection against theft. This approach helps reduce the risk of burglaries with the aid of technologies.


