Building a web of defence

Wednesday, 6 November 2002 - MANY local companies still do not have proper security infrastructure in place, opening doors for hackers and intruders to enter corporate networks as freely as they want. And when that happens, the "victims" are usually left with a trail of destruction such as the loss of valuable information, malicious virus attacks, and worst of all, businesses coming to a standstill.

Judging by recent market developments, IT security of late has become the most pressing concern in the local information and communications technology (ICT) trade - all bearing testimony that IT security is akin to a house of cards ready to collapse anytime.

Increased awareness
According to Beh Swan Swan, chief executive of Secure Tangent Sdn Bhd, its growing significance is such that the Government has published MyMIS (Malaysian Public Sector Management Of Information and Communications Technology Security Handbook), providing guidelines for security management and practices for the public sector.

The handbook outlines ways to assess an organisation's vulnerability, its strength and security policy, as well as security architecture deployed. From the industry's perspective, the mushrooming of security solutions vendors ranging from offering public key infrastructure, biometrics to single sign-ons, signifies the rampant growth of the industry, says Beh. This trend also means users may face difficulty understanding what to purchase for their security needs, she adds.

"IT security has also been given greater emphasis especially after Kuala Lumpur Stock Exchange came up with the corporate governance guidelines," says Beh. The guidelines require the board of directors of a public-listed company to analyse, among others, their business risks and assets, and how they go about protecting those elements using IT tools.

Meanwhile, Selinna Chin, country manager for Malaysia and Indonesia, IDC Market Research (M) Sdn Bhd, says the Sept 11 terrorist attacks had raised awareness of IT security throughout the world.

"Before the attacks, security was viewed as more like just insurance policies," Chin comments. Security solutions then were limited to point solutions like firewall, anti-virus, and implemented on an add-on basis when a company is hit, she says, adding that the local financial industry has higher implementation rate compared to other industries.

But after the attacks, the lackadaisical attitude has improved with more awareness, investments, and implementations taking place, she notes. Still, compared with other countries like Korea and Singapore, Malaysia seems to be taking more reactive measures and learning to understand security risks. "Over in Europe, companies there have bypassed the era of understanding threats and risks years ago, and they are now looking at the complexity of solutions," says Chin. Therefore, vendors need to further educate and provide the necessary information to their local clients.

Chin stresses that security should be viewed as a mainstream boardroom issue, not as a business unit-driven one. "Companies, especially those going into e-business, need to really look at security as a total holistic solution, in other words part of their IT investment. The reason is if security is breached, companies may lose customers and brand equity."

At the Government level, IT security awareness is unfortunately lacking, says Chin. "Even before 9/11, they only reacted to coming out with guidelines when some Government Web sites got hacked," she says, adding that the Government should have thought more seriously about security beforehand.

The growth of IT security was also compounded by the rapid growth of the Internet, says See Beng Keng, senior general manager, e-banking group, Alliance Bank Malaysia Berhad. "The transmission control protocol/Internet protocol (TCP/IP) technology of the Internet has a lot of weaknesses," says See. A lot of issues like authentication and encryption within that protocol are not being addressed, thus, people come up with ways to patch things, he adds.

The tools to do so were then made publicly available, and that led to an increase in hacking activities, says See. "What is important now is to convey the message to the less knowledgeable, give them some fundamental methodologies to help them set up a proper security infrastructure," he adds.

Security vendors should not be selling the fear and problems of security to users, but rather educate them on the solutions to address those problems, See stresses. Bank Negara's guidelines towards a sound security framework have also boosted the awareness level of IT security locally. Though not comprehensive enough, See says it is one of the better security frameworks around, an organised approach to educate banking and financial institutions on the basic understanding of security issues.

Dang Kok Heng, senior manager, MIS department, Allianz General Insurance Malaysia Berhad, felt that the Enron case has made IT security even more crucial among organisations.

"The focus now should be on internal security to avoid espionage, protecting information assets, in addition to external security," he points out. Overall, Dang sees CEOs are increasingly becoming more aware of IT security, though the mentality still stands that security is solely an IT department issue. This is inevitable as most CEOs are business-savvy, but technologically illiterate. "Hence, the knowledge sharing approach between CEOs and vendors is vital. Vendors have to be less technical," says Alliance Bank's See. "Perhaps, an Internet security for dummies book should be made available," he smiles.

Value in security investments
Major security threats facing local companies, according to Beh, are viruses, threats from Internet access points, and threats from internal information accessed and taken out from organisations. "Viruses are harder to control. Companies must be diligent enough to update anti-virus definition patterns, and educate staff not to simply open any applications," she says.

To set up a proper security architecture, the common challenge among businesses seems to be getting the return on investment on the thousands or millions of ringgit poured into security solutions.

Getting the budget approved is perhaps the greatest hurdle for many IS managers because many CEOs still do not see security as an essential business investment to safeguard their interests. Sharing his own experience, See admits that his company previously had no idea what security was all about. "The management thought everything was taken care of once we had our IT infrastructure up."

Meanwhile, IDC's Chin says it is difficult to measure return on investment for security solutions because most people would only look at the initial investments, not the charges for maintenance and support. But all these have to be taken into profit and loss considerations, she explains.

Moreover, security investment is usually divided into hardware, software, and services, she adds. Globally, security services which include consulting and implementation services account for almost 50 per cent of total investment, while hardware is still the smallest portion.

In Asia, however, investment in security services is lower at about 30 per cent, Chin points out. This is due to many Asian companies expecting implementation cost to be part of the solutions purchased.

Businesses need to fully understand what their own requirements are. It is not advisable to get full-blown solutions which may even pose bigger risks if not properly assessed.

"Companies must spend time conducting research and evaluating the various products in the market before making any firm purchasing decision," Chin advises. For Dang, it took a Nimda virus attack that halted operations at Allianz for a month to finally get his management to speed up the budget approval for new security solutions. Nevertheless, he still finds it challenging to get the management to understand IT security.

A sound policy
Having a solid security infrastructure must also go hand-in-hand with a solid security policy that governs and monitors activities within and outside an organisation.

"There is no point if you throw in the best security technology but without a solid policy, things will still break," says See. A good security policy with compliance checks and audits calls for all employees to be aware of what they are allowed or not allowed to do to safeguard their organisation, says Beh. Limiting information access to authorised personnel is one of the important elements in the policy, she adds.

But dealing with human control is always a challenge for many organisations. Sometimes, employees, while doing their own things, may expose the weakest link of the organisation to risks.

No matter what, there is no guarantee that security breaches would not happen although a solid policy and infrastructure have been set up. But at least with a good infrastructure, there is a controlled risk environment which users can continuously maintain, Beh says.

Some multinational companies, according to her, would insist that their business partners have proper security measures in place before even connecting to their networks.

"If you want to compete in the global market, you have got to make sure your security infrastructure and policies are in line with industry standards, like the global ISO 17799 security practices," Beh says.

While large organisations would normally have security policies in place, most small and medium-sized enterprises (SMEs) and Government agencies do not, she continues.

In fact, many SMEs do not even have a proper IT system, let alone a security policy, Beh says. "How do you expect them to be aware of the importance of maintenance and patches? The scariest part is what they do not know will hurt them most," she remarks.

As such, Beh suggests that SME associations and various agencies like Small and Medium Industries Development Corporation (Smidec) should come forward to educate their members about security. "Prioritise and highlight areas of importance so that SMEs have a basic understanding of what must be involved."

 




Copyright (C) 2001-2008, Secure Tangent Sdn. Bhd. All rights reserved