Halcyon Days

Like it or not, cybercrime is here to stay . . .

Many moons ago, shortly after swaying off the boat in Sydney to become a new immigrant, I would be regaled by tales of the old Australia in which everyone in their street knew each other and you could leave the back door unlocked for years. The only possessions that needed a padlock were your daughters.

Times had changed, lamented my reminiscing Aussies. It was an era they fondly remembered yet could never retrieve. Just how lost those halcyon days of the 50s, 60s and 70s are was struck home in the past few weeks, with yet another round of cybercrime confessions about the theft of personal and banking card details.

Leaving the back door unlocked is becoming the least of our problems.

The planet has become a complicated place, and so have those who live on it. Who would have thought, for example, that our credit card transactions at the local mall might go through a clearing house in the United States? Not me, that's for sure.

The truth of this situation leaked out when more than a million credit card details were stolen by so-called cyber-criminals from an American clearing house, including those of 50,000 Australians. All our major banks warned their customers to double-check their bills. There has even been a series of ads - some with finance know-it-all David Koch - urging us to go through our credit card transactions with a fine-tooth comb.

All this corporate sincerity and concern for our financial welfare is very touching. Executives won't admit to it, but these actions are needed because their security cannot be trusted. That's the bottom line.

In fact, they'd say nothing at all and leave you in blissful ignorance if they had the choice. (And don't deny it.) However, in the latest large-scale theft, we all have a California law, called SB1386, to thank for some honesty, if not total security, in the system. Before Arnie the Terminator took control as governor, the state legislature made it an obligation of any California company to confess their sins if they lost personal or financial data.

At first, when the occasion arose, only affected California residents were informed of lost data. Such security mea culpa extended beyond state borders when attorneys-general around America began demanding their citizens also be informed of security breaches. Now there are moves across the US for state laws similar to those in California.

Coming Clean

Other governments, including our own, are going to have to consider legislating for honesty from the so-called "good guys" in their fight against cybercrime. It is another sad indictment of corporate behaviour, but it is the only reason we now hear regularly about online break-ins. Recent ones include the notification by Citibank in the United States that it lost a back-up tape somewhere, while other organizations such as PayPal, ChoicePoint, LexisNexis and Acxiom have all had to tell their customers about the mysterious loss of personal details.

Whether we like it or not, we have to get used to an acceptable level of crime when it comes to the security of our privacy. The zero-tolerance view, no matter how desirable, simply isn't practical. We will always have online financial crime, just as we've had armed robberies since Robin Hood was firing arrows. It is a new and constant, if unwanted, feature of our lives.

Across our economy, the standard of security implementations is patchy to say the least. I know of at least two major multinational companies who are about to spend some 25 percent of their IT project budget on security in this new financial year. I nearly fell off my chair when told how much work they had to do.

On average, local organizations will spend between 6 and 8 percent of their IT budget on security. As a rule, CIOs who have not been hit by a security breach find it harder to get business empathy and money to improve security. The smarter technology managers are using ever-tightening regulation as a weapon to demand money to lock down systems as best they can. Our local privacy principles, as well as government and financial institution requirements to protect stockholder value, have combined to help free up cash. There's nothing like the threat of jail - as articulated in America's Sarbanes-Oxley Act and Health Insurance Portability and Accountability Act (HIPAA) - to get the chief executive's attention.


The New Arms Race

The conundrum that plagues many CIOs is: what is good enough security? For public companies, that can be decided by an auditor. And so long as an IT team works closely with the auditor, there should not be too much of a problem with their ruling. Unfortunately, though, the question of articulating sufficient security for data protection has no specific answer.

Legal firm Baker McKenzie recently put out a paper that identified three trends for security: recognition that this is a legal corporate obligation; emergence of legal standards against which companies are measured domestically and internationally; and an emphasis on their duty to declare a breach when it has occurred.

An initial consideration for any IT team in these circumstances is to audit the security technology that already exists and measure it against what is known to be needed. Those who undertake an evaluation must look at the coverage of point-solutions as well as the effectiveness of the overall security framework.

Ultimately, emphasis should be placed on managing a portfolio of security assets, rather than buying technology ad hoc to cover specific challenges. This portfolio aspect is important because the technology is now being designed to reduce the time needed to manage it: ignore this trend and you risk spending millions of dollars in avoidable man-hours to maintain a host of security gizmos.

Another sound approach to this challenge is to understand that you are in a battle between tools and technology. You have the tools and the cyber criminals are the ones who are exploiting the flaws in the technology.

This is an escalating arms race. The bad guys get smarter every day and have been winning the war so far. A simple example is the new viruses that now come in different variants, which means that instead of battling against one form of attack, such as the infamous I Love You virus, there are now different versions of the same threat coming from a variety of sources.

The relative lack of security vendors in Australia makes the challenge even harder. While it is fair to say the banks are in line with world best practice, most of the local enterprises are not. My colleagues in Gartner are convinced that the small size of our domestic market is restricting the number and variety of security solutions available.

In Europe and the US, goes their argument, there are many more security solutions available and supported. This gives IT teams much greater flexibility and coverage. I never thought I would hear a convincing argument for more vendors in this industry, but security analyst Rich Mogull firmly believes local companies are lagging behind most other mature economies.

Maybe. But at least we've learned to lock the back door.

Mark Hollands is an Asia-Pacific vice-president at the research and consulting organization Gartner. He can be reached at mark.hollands@gartner.com

Copyright © 2005 IDG Communications, Inc.
