Ninety-three percent of all new information is 'born digital' and therefore potentially at risk of attack by hackers. Nearly every day, we read yet another report stating attacks on commercial enterprises and government organisations continue unabated. Security lapses are never far from the media headlines and regular industry reports and statistics confirm the worst - that the number of Internet security breaches recorded worldwide is on the increase.
More alarmingly, various reports estimate that between two-thirds and three-quarters of all security breaches come from inside the company. And ironically, the majority of breaches will exploit security flaws for which a solution or fix is already available.
Every CIO or IT director will agree that security is a top priority. But how many can actually guarantee that their organisation is fully protected from a security breach? How many companies can hand-on-heart confirm their data is secure? There are several areas of weakness that leave a company's systems exposed, and the costs can be catastrophic.
The network's secure so we're fine, right?
The majority of enterprise security strategies have focused on the network, and IT directors have taken some comfort in protecting their organisation's systems behind firewalls or with intrusion detection systems and virus scanners. The truth is that only a tiny fraction of data is flowing through the network at any one time.
The database is at the centre of an organisation's information system and the lion's share of a company's data - arguably an organisation's most valuable asset - resides in databases. Lose your data and you could be out of business. Consequently, companies should ensure that this critical piece of infrastructure has the highest, appropriate level of security certification available to ensure security and integrity.
The need for database security has dramatically increased with the rise of the Internet, because it is the applications that access mission-critical database information that have proved the most vulnerable point of access. As organisations embrace e-business and adopt Internet-based applications, information stored in inadequately protected databases is potentially exposed to attack via bugs or poorly coded web-based applications that exist outside the firewall.
A secure, unbreakable database will withstand these potential intrusions. The single, central database model simplifies access control by applying security policies directly to data, no matter which application or tool is used, and enables the speedy identification of misuse of data. Security only needs to be built once into the database, rather than into each application, resulting in a lower cost of ownership.
The more vendors, the more vulnerable
It would be rare indeed to find a company that operated only one vendor's software. Most companies run a mix of database, applications and networking infrastructure. And the more varieties of software a company installs, the more security holes there are for potential hackers to exploit. The increasing complexity of applications and computing systems provides a cornucopia of opportunities for would-be hackers.
Additionally, the trend towards information sharing among vendors, suppliers, customers and partners has created a very complicated pattern of business flows. To facilitate collaboration with these communities, it has become necessary to allow access to the corporate database. As a consequence, more areas of vulnerability are available for exploitation by both external and internal parties.
Internal attacks
Computer security experts confirm that most security attacks occur from inside a company, rendering defensive technologies such as firewalls useless. According to a study by the Computer Security Institute (CSI) and the Federal Bureau of Investigation (FBI) released in 2000, insiders were responsible for 71% of security breaches. Organisations focus their attention on the possible high-profile external security breach, yet statistics such as those from the CSI highlight that equal attention should be paid to monitoring employee access.
Most companies use passwords to grant network access, but passwords can also represent a major security threat, as they are often easy to break. According to analyst firm Gartner Group, password management is one of the most laborious and risk-prone functions of IT. Access based on biometrics, such as retina scanning or fingerprint identification, is reported to be the security control of the future, but at present it is beyond the reach of most mainstream organisations. To protect data against attacks from within, companies should consider implementing, as a minimum, rigorous security policies that determine who has access and to what level of data, in conjunction with the identification of network vulnerabilities.
The costs - downtime, theft, reputation
Security-related downtime is a costly business. Companies worldwide lose billions of euros annually as a result of security-related issues, and data held by public service organisations is also at risk. According to recent estimates, a retail brokerage firm stands to lose 10 million euros, a credit card authorisation site 4.2 million euros and a package delivery company 48,000 euros for every hour their data is not available. InformationWeek research concluded that security-related downtime cost businesses worldwide $1.39 trillion over a twelve-month period. Companies often find it difficult to balance the need for continuous service with the cost of building back-up systems, but these figures build a strong case.
Theft of proprietary information and financial fraud represent the most serious financial losses. A company has a duty to its stockholders to protect its assets - both intellectual and monetary - and direct theft via the Internet is a growing threat to business stability. Today, billions of dollars of revenues are transacted online, and companies need to ensure that these transactions are secure.
Additionally, security breaches can have far-reaching implications that go beyond immediate financial losses. One obvious implication is on reputation. In the UK, for example, it was recently revealed that users of an online bank could access the financial details of other account holders. It would be difficult to estimate the considerable financial impact that such a security violation would have on consumer confidence and the ability to attract new customers. Security solutions should be treated as long-term investments that build credibility and trust between an organisation, its partners, suppliers and customers.
How much is your data worth?
Despite so much at risk from security flaws, companies persist in spending only a fraction of their IT budgets on security measures. One reason for this is that such measures do not contribute directly to the bottom line. A CEO of a computer security firm was reported as saying, 'Organisations usually spend more on coffee supplies than computer security' for this very reason. And when IT budgets are cut, security is usually one of the first in the firing line. Such complacency is foolish, and bred from the 'it will never happen to us' attitude.
However, recent reports show that companies appear to be sitting up and taking notice. Heightened awareness of security threats is predicted to drive IT security spending by US companies from $5.67 billion in 2000 to $19.7 billion in 2004, according to Forrester Research. However, the same report stated that the average IT budget for internal security would drop in the period 2000 - 2002, illustrating the fact that internal breaches are still considered less of a threat despite research to the contrary.
We are at the very dawn of the information age. More information will be created in the next two years than in all previous history, as we move into such staggering volumes of data as petabytes, and eventually exabytes - one billion gigabytes - of digital information. These incredible mountains of data will be at risk if not stored and managed securely, and security is too important to be an afterthought or treated as an optional extra. Fixing security problems after they've been discovered can be a costly business. Security should be at the centre of any software purchasing decision and protecting an organisation's data should be considered a core business strategy in the new world of 'born-digital' information.
Is your data secure?
Executives claim that IT security has risen higher on their agenda. Yet spending on computer security is still relatively low, while the cost of security breaches is cripplingly high. In this article, Ayman Abouseif, Oracle Corporation, explains why security should have equal prioritisation alongside other business strategies.
Oracle Middle East
Saturday, August 10 - 2002 at 21:10 UAE local time (GMT+4)
Replication or redistribution in whole or in part is expressly prohibited without the prior written consent of AME Info FZ LLC / Emap Limited.
This Article was updated on Saturday, May 26 - 2007
Disclaimer:
The information comprised in this section is not, nor is it held out to be, a solicitation of any person to take any form of investment decision. The content of the AME Info Web site does not constitute advice or a recommendation by AME Info FZ LLC / Emap Limited and should not be relied upon in making (or refraining from making) any decision relating to investments or any other matter. You should consult your own independent financial adviser and obtain professional advice before exercising any investment decisions or choices based on information featured in this AME Info Web site.
AME Info FZ LLC / Emap Limited can not be held liable or responsible in any way for any opinions, suggestions, recommendations or comments made by any of the contributors to the various columns on the AME Info Web site nor do opinions of contributors necessarily reflect those of AME Info FZ LLC / Emap Limited.
In no event shall AME Info FZ LLC / Emap Limited be liable for any damages whatsoever, including, without limitation, direct, special, indirect, consequential, or incidental damages, or damages for lost profits, loss of revenue, or loss of use, arising out of or related to the AME Info Web site or the information contained in it, whether such damages arise in contract, negligence, tort, under statute, in equity, at law or otherwise.