Information Security News mailing list archives

Real security risks come from within, researcher says


From: InfoSec News <isn () C4I ORG>
Date: Sat, 28 Oct 2000 21:10:41 -0500

http://www.telekomnet.com/news/10-27-00_securityrisks_fromwithin.asp

Oct. 27, 2000

Forrester Research security analyst Frank Prince thinks companies will
waste billions of dollars on misdirected security measures in the next
three years.

Prince led a team of Forrester analysts in research that led to a new
report, "Sizing the Security Market."

Their findings: companies will triple security spending through 2004
because of fear that their systems will be hacked into by malicious
outsiders. But firms will miss the real challenge: they have vulnerable
automated business processes that are ripe for manipulation by savvy,
greedy company insiders.

"Those kinds of people will cause significant losses to
organizations," Prince said in an interview.

"We're not talking about hacking here so much as we're talking about
the design of the business processes being subverted and not being
watched."

"Organizations have a tendency - especially when tied to the fear
argument - to believe that they can protect themselves in some
absolute sense: 'If you just put in the firewall, that's fine.' And
while security professionals know in their heart of hearts that's not
true, because this is infrastructure, they can't bridge that boundary
between the business owners who are the real risk owners in a business
and the security organization that has to implement policy."

He continued: "Nobody talks about the policy for the phone system.
Nobody talks about the policy for how you get water or power into your
business. But unfortunately for security, because you do have to
protect everything, you do have to have ... policy guidelines. And
that's broken in most organizations."

It's a situation that will lead to bad decision-making despite all the
extra spending on security, Prince said in his report. And as
businesses are forced to move to standardized, automated business
processes to link disconnected divisions of large corporations or
global business-to-business networks, the tendency to keep one eye out
for hackers at the gateway will leave the back door open to white
collar criminals who can play the system from within.

"Firms will continue to struggle with business security past 2005,"
the report says. And the struggle will be much more complicated than
ever before.

"In the past, a monthly report and a smart manager could figure out if
Mary in accounting was directing bogus deals to her mom," the report
says. "But with billions being funneled through automated purchasing
systems every month, by the time Mary's manager reads the end-of-month
report, Mary's made her money and retired to Aruba."

Prince elaborates: "So what happens is that the security managers are
doing what they can do, and they're spending bunches of money on it
because of this anxiety, this undifferentiated angst, in senior
management." But senior managers are more focused on the next business
deal than on protecting the last one, so they won't be spending the
time needed to detail the risk and allow security managers to focus on
the best places to spend their money. "That's a big disconnect," he
said.

It's misguided in a sense, too, Prince points out. While much of the
concern over security is based on fear of losing customers, in
reality, because most online purchases are made by credit card, US
consumers are indemnified against their losses anyway. But there is no
one, short of regulators and investors, with a direct interest in
making sure that businesses are protected from within.

That will change, Prince said, over time. Many years ago, when
business checks first appeared on the scene to replace cash
transactions, it didn't occur to companies that someone other than the
person who writes out checks should sign them, Prince said. But
through hard experience, companies learned, he said, as they will
again in a high-tech world.
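The shift the report argues for, from a month-end report to controls applied inside the automated process as each order is approved, can be illustrated with a small added example (constructed here; not code from the article or from Forrester). It applies two checks drawn from the text: the check-signing split (requester must not be the approver) and a related-party screen (a vendor linked to the requester or approver, like "Mary's mom", is flagged). All names, orders and the relationship register are constructed sample data.

```python
"""
Constructed example: per-order controls for an automated purchasing
workflow, run at approval time rather than in an end-of-month report.
Rules:
  1. separation of duties: the approver may not also be the requester
     (the same idea as having a second person sign business checks);
  2. related-party screening: a vendor tied to the requester or approver
     is flagged for independent review.
All data below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    requester: str
    approver: str
    vendor: str
    amount: float


# Constructed declared-relationship register: employee -> vendors they are tied to.
RELATED_PARTIES = {
    "mary": {"momco-llc"},
}


def review_order(po: PurchaseOrder, related=RELATED_PARTIES) -> list[str]:
    """Return the sorted list of control violations for one order (empty == clean)."""
    findings = set()
    if po.requester == po.approver:
        findings.add("self-approval")
    for person in (po.requester, po.approver):
        if po.vendor in related.get(person, set()):
            findings.add(f"related-party:{person}")
    return sorted(findings)


def screen_stream(orders) -> dict[str, list[str]]:
    """Screen a stream of orders; return {po_id: findings} for flagged orders only."""
    return {po.po_id: f for po in orders if (f := review_order(po))}


# Constructed sample orders: one clean, one self-approved to a related vendor,
# one approved by the related employee for someone else's request.
ORDERS = [
    PurchaseOrder("PO-1001", "alice", "bob", "acme-supply", 4200.0),
    PurchaseOrder("PO-1002", "mary", "mary", "momco-llc", 9800.0),
    PurchaseOrder("PO-1003", "carol", "mary", "momco-llc", 15000.0),
]

if __name__ == "__main__":
    for po_id, findings in screen_stream(ORDERS).items():
        print(po_id, findings)
```

Because the check runs on every order as it is approved, the flagged orders surface at the moment of approval instead of appearing in a report weeks later.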

And regulators, too, will jump into the picture. Already, the Federal
Trade Commission is looking into allegations that a Minnesota-based
meat industry B2B network might be engaged in price-fixing. Such
concerns will eventually lead the government to look deeper into the
picture, as well, the report says.

"Once real money starts being stolen over the Internet - and companies
can't ignore it - there will be a spurt of US legislation aimed at
making it illegal to use the Internet to facilitate some other crime,"
the report said. "But despite all the legal hoopla, Internet crime
will continue to grow."

Meanwhile, the same distractions companies experience from threats of
their online systems being attacked by outside hackers will remain,
and might even predominate as companies struggle to decide where to
throw their money at ongoing digital security.

"Each organization, depending on their ability to respond to a breadth
of threats, will respond to that differently," Prince said. "But in
general, the immediate, high-profile threat will take precedence over
the longer-term, more structurally oriented threats that happen in
time frames that don't have the same currency."

Forrester predicts that security spending will balloon to $19.4
billion by 2004.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".