As a result of these high-profile attacks, the security issue finally moved from the confines of the IT department to the top of the boardroom agenda. But network attacks have been a growing threat for a number of years. So, what were the key factors last year that caused such a mind shift in the corporate attitude towards security?
First, senior-level executives became aware of the implications of e-business and realized that it could genuinely deliver new revenue streams and business efficiencies. However, hand in hand with the growth of the electronic channel came the growth of electronic security breaches. The Internet, while a cost-effective and ubiquitous WAN transport infrastructure, is, if used in an open manner, an open door for attackers to steal intellectual property, cause malicious breakdowns and affect company image with customers and investors. A top priority is to ensure that companies utilizing this infrastructure do not compromise the position of suppliers, customers or business partners, which is ultimately the responsibility of the most senior-level management.
Destructive External and Internal Hacks
In 2001, the nature of external and internal attacks was more malicious. Companies were bombarded with 'next generation' denial-of-service attacks, viruses and email worms. The Code Red and Nimda worms were just two of the many that, within a matter of minutes, caused serious damage to businesses worldwide and cost billions of dollars to clear up. With the growing importance of e-business, companies simply feel they cannot afford to take such risks any longer.
What's more, it's pretty obvious that nowadays you don't have to be an expert to infiltrate an IT network. Hacker knowledge has been disseminated far and wide and is easily accessible via the Internet. The attacker could be a disgruntled ex-employee, a professional hacker or just a teenage prankster. With threats from all sides, companies have had to start seriously investing in protecting their assets.
Learning From Failure
2001 was also a year of knee-jerk reactions whereby companies were relying on learning from the mistakes of others in order to implement security measures. This in itself is not a bad thing; however, when you consider that the vast majority of security breaches are not publicized, it is clear that it's not the best strategy. In a bid to ensure that they were fully equipped with the widest possible knowledge, companies started to approach expert managed security service providers (MSSPs) for guidance.
Research conducted during 2001 consistently showed that security was a business priority. In the latter part of last year, a survey conducted by Frost & Sullivan on behalf of Genuity found that the top decision-making factors when choosing a managed hosting provider were availability and security. But despite the fact that companies claimed that security was top of the agenda, it was not necessarily being practiced at the grassroots level. In 2002, I expect that there will be a much more rigorous approach as senior executives become aware of the security issues that they face. These issues include:
- the need to acquire, retain and constantly train staff;
- the need to be responsive to changes in technology;
- the need to manage changes in business; and
- the need to be constantly vigilant of security risks and breaches.
Trends for 2002
So, assuming we've learned our security lessons from 2001, what will this year's preoccupations and challenges be?
One of the biggest influencing factors on IT security during 2002 will be the growth of mobile and wireless computing. On February 4, 2002, Gartner released preliminary research results indicating that mobile PC unit shipments grew 7 percent worldwide in 2001, while desktop PC shipments dropped 6 percent. The Gartner research reveals that mobile PCs had their biggest single quarter ever during the fourth quarter of 2001, with Western Europe being the second biggest region in the mobile PC market in 2001 with 14 percent growth over 2000.
Several factors will fuel this growth, including the arrival of 2.5G networks, programmable handsets and next-generation PDAs. One of the key issues to arise out of this is how security and privacy can be assured in the 'anytime' Internet world.
Growth of IP VPN
With the growth of mobile, home and remote office working we are going to see a surge in demand for virtual private networks (VPNs) and, in particular, for IP VPNs. During 2001, IP VPNs emerged as the hottest solution for secure communications across the Internet, and this market will mature during the coming years.
IP VPN brings with it value-added facilities and services, such as strong encryption, digital certification or 'shared secret' security access, and a fully managed service with performance service level agreements to cover latency, packet loss and availability of the VPN service. Digital certification is a highly secure method of authorization and non-repudiation whereby user access is assessed via the exchange of certificates with the target platform. Managed services that can be made available with an IP VPN cover all the problem-solving elements for the client.
An IP VPN service can be established on server-to-server, remote user-to-server or servers-to-servers (point-to-point, partially or fully meshed) architectures. Furthermore, a fully managed service ensures that the availability of critical connections, such as that between branch office and headquarters, or traveling executives and HQ, is constantly maintained. An IP VPN service can encompass everything from supply of the device, remote software and connectivity, to management and monitoring, incident escalation, change management, digital certification service, usage and performance statistics.
A key preoccupation during this year will be how to cut costs without affecting service quality. This is most likely to result in a growing trend towards outsourcing security service requirements. Companies will certainly be investing in building and broadening their IT infrastructure. While budgets are tight, I expect that for the majority of these it will be a case of enhancing and modifying legacy systems to meet the needs of the Internet marketplace. This calls for specialist knowledge, which again indicates a growth in demand for outsourced services.
Security should be the number one priority for CEOs during 2002. It's now recognized as a fundamental business issue and executives at board level are taking responsibility to resolve it.
Ultimately, though, security is not just about firewalls, VPNs and intrusion detection. It is also about remaining vigilant to the changing business requirements that can lead to security vulnerabilities. Business requirements are not static; they evolve on a daily basis, and security solutions should be flexible enough to do likewise. During 2002, companies must ensure that they have the expertise, experience and knowledge to cater for such rapid and unexpected changes.
The key lesson to be learned from 2001 is that constant assessment and analysis is vital for robust and secure use of the Internet infrastructure. Outsourcing to a third-party managed security service provider, delivering 24/7 management and monitoring services, is one of many highly effective means of meeting these requirements.
Errol Rhoden is U.K. sales director at Genuity (www.genuity-europe.com), a leading provider of Internet infrastructure services.