Generating Maximum Value from your IT Security Spend – An Analyst’s Perspective

Content Copyright © 2009 Bloor. All Rights Reserved.

Of course times are tough and budgets are under increasing scrutiny. Even politicians, after months of denial, have admitted that public expenditure is under threat. There is no escaping the situation we are in, but how real is it for information security professionals?

Logic would dictate that when times are hard crime tends to rise.

Apparently whistleblower hotlines operated by The Network, a US group that provides compliance services to companies such as the insurer Aviva, Cisco and Yahoo, have received many more tip-offs about fraud in recent months.

Apparently reports of fraudulent activity, including theft, corruption and insider trading, made up 21 per cent of all calls to the hotline in the first quarter, compared with around 16 per cent last year and 11 per cent three years ago. The data, drawn from all levels of management, provide a snapshot of the extent of fraud in companies. Maybe it also shows a greater tendency for staff to report those they deem to be acting dishonestly.

The findings mirror a trend in recession-struck countries, in which more physical crimes, for want of a better description, such as shoplifting and robbery, are on the rise. In fact the UK government acknowledged that our crime problem will grow: a document leaked last year forecast that theft and violence would increase sharply as the economy contracted.

No industry is immune and the retail and financial services sectors seem to be more at risk than any other, probably due to the nature of their trading style and their associated culture.

According to another survey, this time of 507 fraud examiners, more than half had seen a rise in fraud in the past year. Almost 90 per cent expected a rise in scams in the coming months, with employee theft being the most common type of crime.

Complaints of internet fraud received by a US watchdog last year rose by 33% from 2007, its latest report shows. The Internet Crime Complaint Center (IC3), which includes the FBI, received over 275,000 complaints in 2008, which amounted to losses of about £185m.

The most common complaint was non-delivery of goods followed by internet auction fraud and credit card fraud. The IC3 warned that figures would probably rise through 2009 as the global economic downturn deepens. There is a spectrum of computer crime, and a lot of low level abuse is simply ignored. Typical incidents include the theft of customer contact details, the damaging of company records and the theft of intellectual property. Often businesses will be slow in realising they have been compromised and, by then, the damage has been done.

Unfortunately this comes at a time when the authorities are very much on the back foot when it comes to investigating computer crime. I am in the process of conducting some research for a government agency on the reporting of computer crime and the ease with which end users, be they companies or individuals, can simply report the fact that they have been had.

It is really scary to find out how unprepared police forces are to investigate computer crime and how slowly they are adapting from the world of physical criminal investigation to that of computer crime. One perception of computer crime is that it is victimless or, worse still, that the victims were somehow negligent and got what was coming to them. This is an unfair view. Computer systems can be complex and criminals will always see a way to take advantage of users.

So what am I hearing about budgets whilst I am out and about?

IT budgets are, of course, under pressure but so are all other pots of money in the current economic climate. In the past IT may have gained budgets by confusing the management board with technical mumbo jumbo. Now they no longer have the advantage, and boards are aggressively demanding value for money. If it can’t add value to the bottom line then it won’t happen.

As a consequence of this, implementation decisions are taking longer and are being escalated further up the executive tree to receive a signature. Those that sign are expecting more data in support of their decision, knowing that they will need to justify each and every Pound, Dollar or Euro being spent.

This, in turn, is putting pressure on IT security teams to demonstrate even more tangible business benefit of any proposed systems.

In addition, as companies continue to look for ways to cut costs, they may increase their dependence on short-term staff, contractors, consultants and other third parties. Organisations will be wise to implement additional security policies regarding these resources and be particularly vigilant about the level and term of their access to sensitive data.

In a recent case from the US a disgruntled contract software engineer who had worked for Fannie Mae, the mortgage association, for three years and had access to 4000 of the company’s servers was indicted in early 2009 for allegedly planting a “logic bomb” in the mortgage lender’s computer network.

The embedded code was discovered by another engineer before it caused any damage, which would have been monumental, as the malicious script was designed to wipe out all data across Fannie Mae’s network on a certain day.

In light of budget pressures organisations are looking at alternative solutions to help them reduce their IT costs. Unfortunately some may find themselves diving from the frying pan into the fire…

In an economic downturn cloud computing oozes sexiness. The thought of offloading your data to a third party gets financial types excited as they start to see how much money can be saved.

IT types start to get nervous as they see their jobs going the same way as the data – to another company – and start to consider their vested interests. Hey, maybe a successful cloud computing transition would do their career some good and look cool on their CV, so let’s get behind the initiative sooner rather than later.

At least then they can claim most of the credit for “their” initiative.

But cloud computing can get a business in hot water if it has not thought through the many consequences, including data security.

Without assurances that organisational data will be totally secure in a remote site the whole concept of cloud computing is dead in the water. Despite cravings for more flexible and responsive IT no organisation with any sense will risk any of their intellectual property unless they can be totally convinced that their cloud security provider is able to fully secure their data.

Sending your kids to a summer camp, your cat to a cattery or your dog to kennels whilst you go away for a summer break can be stressful as you hand your nearest and dearest to another person to be looked after.

You will only do this if you completely trust the carers, have carried out your due diligence and have complete confidence that your children or pets will be looked after. Any slight concern and you simply won’t trust that care provider. And so it is with cloud computing.

Sending your data to a third party is a big step for many organisations as the transfer of data highlights many issues including politics, data regulations, data security, cost benefits and lack of direct control of the data.

Bundling off your data, without giving the third party the same scrutiny you would when bundling off your children or pets, will be a recipe for disaster. The recent incident involving an employee at Twitter has been headlined by some as proof that cloud security is found wanting. In this case an employee’s personal email account was hacked, following an alleged targeted attack, which resulted in access to the company’s online Google Apps. Company documents were then, apparently, stolen and distributed around the web.

Rather than displaying a particular flaw in cloud security it just goes to show that if we take our eye off the ball and away from security basics no matter where the data is stored it will be compromised. The problem is that a local system that has been compromised may be a lot less visible than a cloud computing solution used by thousands of people across the world.

My favourite insider threat vector, the incompetent and non-malicious user, keeps coming back to haunt us no matter where the data is stored.

An issue that some companies find is that rogue departments are initiating their own cloud computing solution by simply signing up for a service without gaining approval from the organisation’s IT department. No doubt seduced by the ease of buying extra computing resources very quickly and cheaply, these initiatives are being slammed down by those in authority for obvious reasons – and in some cases the instigators are being dismissed for gross misconduct. Maybe this type of initiative reveals a bigger frustration with the provision of IT in an organisation but, even so, it is career suicide to ship company data off site without appropriate approvals. With pressure on all budgets a cloud computing solution may be very appealing, but organisations must tread carefully.

One objection to additional security spend I do hear from businesses is that they are fully compliant, as proved by external auditors, and therefore don’t need much, or any, more investment in their IT security systems.

Some business managers are then astonished when they realise that security has been breached, especially after they had spent considerable sums on establishing a compliant business environment. Indeed, the fact that the business is compliant, whatever that means, has induced a level of complacency as regards information security.

IT security managers need to help educate business managers in the differences between compliance and security. That way a business can make investment decisions based on accurate information rather than assumptions.

Inevitably, many organisations will look at the IT security budget with a view to making cuts. Any cuts must be made in the context of likely business risk and InfoSec managers need to articulate these risks in measured terms without becoming too sensationalist or excited.

We can only do our best, but the final budget decision is not always ours.

An aspect often overlooked by organisations is that failing to implement good information security can make a big dent in an organisation’s reputation as well as their bottom line.

Few organisations would relish headlines such as these…

In October 2008 it was reported that T-Mobile admitted losing 17 million German customer records including names, addresses, phone numbers, dates of birth and email addresses.

The records of German customers were stolen in 2006 and included secret addresses of politicians, an ex-federal president, celebrities and others likely to be at risk from having their contact details released. No bank details were included in the stolen data.

The company said a storage device containing the files “is in the hands of unknown parties”. T-Mobile’s parent, Deutsche Telekom, said it had no evidence that the records had been used since 2006. Although the records had been offered for sale online, no one had bought them.

How much would an encryption solution have cost and would it have successfully prevented this bad headline? Imagine making the decision to save money by not implementing an encryption solution and then waking up to this story.

In another case, in September 2008, the Home Office terminated a £1.5m contract with PA Consulting after it lost the personal details of the entire UK prison population. In August 2008 the firm admitted to officials that it had downloaded the prisons database to an unencrypted memory stick, against the security terms of its contract. The data included names, addresses and dates of birth. Following an inquiry into the error, PA Consulting’s £8m of other Home Office contracts were also reviewed.

The inquiry found the Home Office had transferred the data to PA Consulting securely, but that the firm then dumped it to an unlabelled USB memory stick to transfer it between computers at its premises. To date the stick hasn’t been found.

Politics played a significant part in this issue, but even so we have another example of unencrypted data going missing and the costs that result. How much would an encryption solution have cost and would it have successfully prevented this bad headline?

We have seen that there is a measurable increase in computer crime when times are tough. This presents a two-headed demon: more crime but less money to fight it with. Therefore the temptation to follow cheaper solutions can become difficult to resist, resulting in poor decisions that will come back and bite organisations at a later time.

Underpinning a lot of this is the compliance safety net. As many are quickly finding out, this safety net is nowhere near as robust as some may have thought, resulting in compliant businesses suffering from computer crime.

It is our role, as security professionals, to educate our business colleagues and set their expectations appropriately. Working as part of the business team we can show how information security can add value to the business that will place us all in a better position for when the IT budgets start to grow again.