While many organizations still only spend small amounts of money on information security – and then only grudgingly – the evidence is mounting that a change of attitude is on the way.
The internet is becoming a more dangerous place. The constant increase in system vulnerabilities and incidents poses a real threat to companies just as they are becoming heavily dependent on the web to do their business. At the same time, new rules and regulations are forcing a wide range of organizations to adopt tighter infosec procedures. More stringent auditing rules in the wake of last year's corporate scandals will also drive companies to take more care of their systems.
Add to this the greater emphasis on disaster recovery in the wake of the September 11 attacks, and it is easy to see why many people now call information security "the next Y2K."
Changing corporate cultures
But how appropriate is the comparison? After all, the Y2K problem was totally predictable and had an immovable and one-time deadline. Information security still struggles to gain top-management attention.
According to Jon Bogen, managing principal of HealthCIO, a consulting firm supplying IT systems to the U.S. health care industry, which is in the final stages of preparing for the Health Insurance Portability and Accountability Act (HIPAA) of 1996, there are some definite parallels between the Act and the Y2K issue.
"HIPAA, like Y2K, is about a culture change in an industry. Just as the Y2K issue required people to look more seriously at a given set of issues that had been known about for some time, so HIPAA has required many organizations to look at different aspects of their IT systems," he says.
Bogen, whose Duxbury, Massachusetts-based company has published The HIPAA IT Handbook: Strategies to Protect Health Information, also chairs the North-Eastern HIPAA educational subcommittee.
Although the first draft of HIPAA was published in 1996, the first draft of the IT security standard did not arrive until August of 1998. This standard, a compendium of IT security requirements, mandates a number of contingency planning and disaster recovery processes upon providers in the U.S. health care industry.
Bogen says that, as with the Y2K issue, the HIPAA security standard, along with its allied privacy rules, which must be implemented by April of this year, found people falling into two camps. "The first group is the 'I'm not going to worry about it until I have to,'" he said, adding that this camp did not really start to tackle Y2K until December of 1999. "The second group took the issue much more seriously and started planning as soon as they got to know about the problem."
Under the HIPAA security standard, U.S. providers must meet a number of basic IT security requirements, including a defined data backup plan, an emergency mode operation plan and exacting details of how their organization will operate in emergency mode. Equally important, the HIPAA security rules also require affected organizations to implement regular testing of their emergency plans, and revise their plans if required.
Bogen points to the security problems of the TriWest Healthcare Alliance in the run-up to last Christmas as a classic reason for companies to take their IT security issues much more seriously. In the TriWest incident, a stolen computer system contained the names and social security numbers of more than 500,000 people in the U.S. military. Such was the seriousness of the incident that it prompted the health care contractor, which provides managed health care to 1.1 million people in the U.S. military, to offer a $100,000 reward for information leading to the arrest and prosecution of those responsible.
Bogen says that the TriWest saga served to remind companies in the health care sector why the HIPAA security and privacy rules were needed. "It served as a reminder that we need to have security systems of many different types in place."
Bogen points to his experience at Harvard in the late 1990s, when he was able to walk right into its IT buildings without being challenged. "Even though they had highly sophisticated IT security systems in place, including a firewall, to stop people gaining unauthorized access, their physical security let things down," he says.
The U.S. health care sector is not the only industry preparing for the major changes that HIPAA (and the U.S. Patriot Act) engenders. A recent study from LOMA, the international association of more than 1,250 insurance and financial services companies from over 60 countries, suggests that financial services companies around the world are paying too little attention to IT security. The report from the Atlanta-based group says that, although insurers have scrutinized IT security more closely in the post-9/11 environment, they still have a long way to go.
The report, entitled Data Privacy, IT Security and Disaster Recovery in Financial Services, concludes that many financial services organizations still need to address a variety of data privacy, disaster recovery and IT security issues. The 55-page study, authored by Steve Forbes, LOMA's senior vice president of research, says the increasing complexity and interconnectivity of IT systems mean that the number of vulnerabilities is steadily increasing. To reduce these vulnerabilities, Forbes advises that insurers should use virtual private networks (VPNs) with heavy data encryption to deliver data to customers over the internet.
In addition, to reduce the chance that the encryption can be broken, Forbes recommends that IT managers change their encryption keys on a regular basis, as well as use keys of at least 128 bits in length. Forbes' report also recommends addressing an organization's vulnerability to security breaches at the staff hiring stage: managers should always take up references and check the backgrounds of applicants before offering them any position.
Look at the problem holistically
The LOMA study says IT duties should be spread among staff so that one person cannot access the whole of another member of staff's data. It also recommends that internal firewalls be built into IT systems to enforce this policy and, if staff transgress these rules, Forbes says the remedy should be swift – rapid dismissal.
Like HealthCIO's Bogen, Forbes argues that organizations must take a holistic approach to security. And while there is no guarantee of complete security for an organization's databases and other technology resources, he says, there is now an expanding array of IT tools and business processes that can be used to increase the probability of proper protection.
Matt Stevens, vice president of technology with Boston-based Network Intelligence Corp., is another industry expert who agrees with the need for a wide-ranging approach to security to prevent a Y2K-type situation from causing havoc with a company's IT systems. According to Stevens, his experience in dealing with the Y2K saga led him to realize that people's perceptions of a problem can change.
The irony about the Y2K issue, he said, is that, when it proved to be defeatable, the public's perception quickly moved to suggest that the threat was a minimal one – effectively suggesting that the industry's efforts to beat the problem had been unnecessary and over-hyped. Three years down the line, he says, the industry faces the same scenario with IT security. "All seems quiet on the security front, with the result that company boards are now questioning the need for their firm's constant expenditure on IT security," he says.
Don't audit without feedback
The best approach to preventing a recurrence of a Y2K problem, says Stevens, is to create feedback loops in the security auditing and risk analyses that major organizations have adopted as part of their security strategy in recent years.
When Network Intelligence carries out security audits for clients, Stevens said, it is amazing to see how large organizations have been auditing their systems.
"We had one client who employed an audit team of four people that worked full-time on scanning system logs for problems," he said. Even with four people working on the team, they were only able to scan around 15 percent of the logs, or, to put it another way, they were missing out on scanning 85 percent of their logs for trouble.
When the firm installed, on Network Intelligence's recommendation, a computer auditing system to scan their logs, they were able to audit a much higher percentage of system logs, making them a lot more efficient. Stevens describes this as a classic result of an audit feedback loop. "In this situation, the IT security manager could have told his bosses that, with the new systems in place, they could be X percent more efficient," he said.
Feedback loops, he said, are now an essential part of the IT security picture, since they allow organizations to justify the expenditure needed on systems to protect against future threats, whether known or unknown.
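As an added illustration of the audit feedback loop Stevens describes (example code written for this page, not Network Intelligence's product), the following Python compares a budget-limited manual log review against a full automated scan and reports the coverage gained and the findings the manual review missed. The log lines and the alert patterns are constructed for the demo, not taken from the article.

```python
import re
from dataclasses import dataclass, field

# Constructed sample syslog-style lines for this demo (not from the article).
SAMPLE_LOGS = [
    "Jan 10 08:00:01 host sshd[100]: Accepted publickey for alice from 10.0.0.5",
    "Jan 10 08:01:12 host sshd[102]: Accepted password for bob from 10.0.0.6",
    "Jan 10 08:02:30 host sshd[103]: Failed password for invalid user admin from 203.0.113.7",
    "Jan 10 08:02:31 host sshd[103]: Failed password for invalid user admin from 203.0.113.7",
    "Jan 10 08:04:45 host sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "Jan 10 08:05:10 host sshd[105]: Accepted publickey for alice from 10.0.0.5",
    "Jan 10 08:06:00 host useradd[106]: new user: name=svc_backup, UID=1005, GID=1005",
    "Jan 10 08:07:22 host sshd[107]: Failed password for root from 198.51.100.9",
]
# Hypothetical "problem" patterns an audit team would look for (assumed, not the article's).
ALERT_PATTERNS = {
    "auth_failure": re.compile(r"Failed password for (?:invalid user )?\S+ from \S+"),
    "root_shell_via_sudo": re.compile(r"sudo:\s+\S+ : .*USER=root ; COMMAND=\S+"),
    "account_created": re.compile(r"useradd\[\d+\]: new user: name="),
}

@dataclass
class AuditReport:
    total_lines: int
    scanned_lines: int
    findings: list = field(default_factory=list)  # (category, log line)
    @property
    def coverage(self) -> float:
        # Fraction of the log actually reviewed (the article's "15 percent" figure).
        return self.scanned_lines / self.total_lines if self.total_lines else 0.0

def scan_logs(lines, budget=None):
    """Review at most `budget` lines (None = everything, as an automated scanner would)."""
    scanned = lines if budget is None else lines[:budget]
    report = AuditReport(total_lines=len(lines), scanned_lines=len(scanned))
    for line in scanned:
        for category, pattern in ALERT_PATTERNS.items():
            if pattern.search(line):
                report.findings.append((category, line))
                break  # one category per line is enough for the coverage metric
    return report

def feedback_summary(manual, automated):
    """The numbers that close the feedback loop: coverage gained and findings missed."""
    return {
        "manual_coverage": round(manual.coverage, 2),
        "automated_coverage": round(automated.coverage, 2),
        "findings_manual": len(manual.findings),
        "findings_automated": len(automated.findings),
        "findings_missed_by_manual": len(automated.findings) - len(manual.findings),
    }
```

Running `feedback_summary(scan_logs(SAMPLE_LOGS, budget=2), scan_logs(SAMPLE_LOGS))` gives the kind of before/after figure Stevens says a security manager can take to the board.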
Not everyone agrees that IT security has the potential to become the next Y2K. Roy Hills, technical director of NTA Monitor, still views the Y2K situation at the end of the 1990s as a one-off.
"Apart from the pedantic answer that there can only ever be one Y2K, there is the big difference that Y2K was a single event with a fixed and immovable deadline which no one had ever experienced before," he said, adding that, because of this, it was impossible to predict what would happen.
IT security, he argues, is a different issue. "It's an ongoing problem with an unknown deadline – you only know the deadline when it's too late and the worst has happened," he said, adding that people have experienced both successful attacks, together with their consequences, and successful defenses.
Despite his feelings about the Y2K issue, the British IT industry veteran still views IT security as being of paramount importance, mainly because its importance is often overlooked.
Steve Gold is news editor for SC Magazine.