A Business Guide to Information Security: Threats and Compliance |
 |
| 16 Jan 2006 | Kogan Page |
|
|
In this excerpt from Chapter 1 of A Business Guide to Information Security, author Alan Calder identifies six future risks to information security and explains how they will affect individuals and organizations.
There are a number of trends that lie behind these increases in threats to information security, which, when taken together, suggest that things will continue to get worse, not better:
The use of distributed computing is increasing. Computing power has migrated from centralized mainframe computers and data processing centres to a distributed network of desktop, laptop and micro-computers, and this makes information security much more difficult.
There is a strong trend towards mobile computing. The use of laptop computers, Personal Digital Assistants (PDAs), mobile phones, digital cameras, portable projectors and MP3 players has made working from home or on the road relatively straightforward, with the result that network perimeters have become increasingly porous. There are many more remote access points to networks, and the number of easily accessible endpoint devices has increased dramatically, increasing the opportunities to break into networks and steal or corrupt information.
There has been a dramatic growth in the use of the internet for business communication, and the development of wireless, VoIP and broadband technologies will drive this even further. The internet provides an effective, immediate and powerful method for organizations to communicate on all sorts of issues. This exposes all these organizations to the security risks that go with connection to the internet:
Better hacker tools are available every day, on hacker websites that, themselves, proliferate. These tools are improved regularly and, increasingly technologically proficient criminals – and computer literate terrorists – are thus enabled to cause more and more damage to target networks and systems.
Increasingly, hackers, virus writers and spam operators are cooperating to find ways of spreading more spam: not just because it's fun, but because direct e-mail marketing of dodgy products is lucrative. Phishing and other internet fraud activity will continue
evolving and will become an ever bigger problem. This will lead,
inevitably, to an increase in blended threats that can only be countered
with a combination of technologies and processes.
Increasingly sophisticated technology defences, particularly around
user authorization and authentication, will drive an increase in
social engineering-derived hacker attacks.
- Widespread computer literacy. While most people today have
computer skills, the next generation is growing up with a level of
familiarity with computers that will enable them to develop and
deploy an entirely new range of threats. Instant messaging is an
example of a new technology that is better than e-mail, because it
is faster and more immediate, but which has many more security
vulnerabilities than e-mail. We will see many more such technologies
emerging.
- Wireless technology -- whether WiFi or Bluetooth -- makes information and the internet available cheaply and easily from virtually anywhere, thereby potentially reducing the perceived value and importance of information and, certainly, exposing confidential and sensitive information more and more to casual access.
- The falling price of computers has brought computing within most people's reach. The result is that most people now have enough computer experience to pose a threat to an organization, if they are prepared to apply themselves just a little to take advantage of the opportunities identified above.
What does this all mean, in real terms, to individuals and to individual
organizations?
- No organization is immune.
- Every organization, at some time, will suffer one or more of the abuses
or attacks identified in these pages.
- Individual and business activity will be disrupted. Downtime in business
critical systems (such as ERP, enterprise resource planning, systems)
can be catastrophic for an organization. However quickly service
is restored, there will be an unwanted and unnecessary cost in doing
so. At other times, lost data may have to be painstakingly reconstructed
and, sometimes, it will be lost forever.
- Privacy will be violated. Organizations have to protect the personal
information of employees and customers. If this privacy is violated,
there may – under data protection and privacy legislation -- be legal
action and penalties, including against directors individually.
- Organizations and individuals will suffer direct financial loss. Protection
in particular of commercial information and customers' credit
card details is essential. Loss or theft of commercial information,
ranging from business plans and customer contracts, to intellectual
property and product designs, and industrial know-how, can all cause
long-term financial damage to the victim organization. Computer
fraud, conducted by staff with or without third-party involvement,
has an immediate direct financial impact.
- Reputations will be damaged. Organizations that are unable to protect
the privacy of information about staff and customers, and which
consequently attract penalties and fines, will find their corporate
credibility and business relationships severely damaged and their
expensively developed brand and brand image dented.
The statistics are compelling. The threats are evident. No one can afford
to ignore the need for information security. The fact that the threats are
so widespread and the sources of danger so diverse means that it is
insufficient simply to implement an anti-virus policy, or a business continuity
policy, or any other standalone solution. A conclusion of the CBI
Cybercrime Survey 2001 was that 'deployment of technologies such as
firewalls may provide false levels of comfort unless organizations have
performed a formal risk analysis and configured firewalls and security
mechanisms to reflect their overall risk strategy'. Nothing has changed.
Read the rest of Chapter 1 from A Business Guide to Information Security.
|
|
|
|
