Real security risks come from within, researcher says
2000-10-29 02:10

http://www.telekomnet.com/news/10-27-00_securityrisks_fromwithin.asp

Oct. 27, 2000

Forrester Research security analyst Frank Prince thinks companies will waste billions of dollars on misdirected security measures in the next three years.

Prince led a team of Forrester analysts in research that led to a new report, "Sizing the Security Market." Their findings: companies will triple security spending through 2004 because of fear that their systems will be hacked into by malicious outsiders. But firms will miss the real challenge: they have vulnerable automated business processes that are ripe for manipulation by savvy, greedy company insiders.

"Those kinds of people will cause significant losses to organizations," Prince said in an interview. "We're not talking about hacking here so much as we're talking about the design of the business processes being subverted and not being watched."

"Organizations have a tendency - especially when tied to the fear argument - to believe that they can protect themselves in some absolute sense: 'If you just put in the firewall, that's fine.' And while security professionals know in their heart of hearts that's not true, because this is infrastructure, they can't bridge that boundary between the business owners who are the real risk owners in a business and the security organization that has to implement policy."

He continued: "Nobody talks about the policy for the phone system. Nobody talks about the policy for how you get water or power into your business. But unfortunately for security, because you do have to protect everything, you do have to have ... policy guidelines. And that's broken in most organizations."

It's a situation that will lead to bad decision-making despite all the extra spending on security, Prince said in his report.

And as businesses are forced to move to standardized, automated business processes to link disconnected divisions of large corporations or global business-to-business networks, the tendency to keep one eye out for hackers at the gateway will leave the back door open to white-collar criminals who can play the system from within.

"Firms will continue to struggle with business security past 2005," the report says. And the struggle will be much more complicated than ever before.

"In the past, a monthly report and a smart manager could figure out if Mary in accounting was directing bogus deals to her mom," the report says. "But with billions being funneled through automated purchasing systems every month, by the time Mary's manager reads the end-of-month report, Mary's made her money and retired to Aruba."

Prince elaborates: "So what happens is that the security managers are doing what they can do, and they're spending bunches of money on it because of this anxiety, this undifferentiated angst, in senior management." But senior managers are more focused on the next business deal than on protecting the last one, so they won't be spending the time needed to detail the risk and allow security managers to focus on the best places to spend their money. "That's a big disconnect," he said.

It's misguided in a sense, too, Prince points out. While much of the concern over security is based on fear of losing customers, in reality, because most online purchases are made by credit card, US consumers are indemnified against their losses anyway. But there is no one, short of regulators and investors, with a direct interest in making sure that businesses are protected from within. That will change, Prince said, over time.

Many years ago, when business checks first appeared on the scene to replace cash transactions, it didn't occur to companies that someone other than the person who writes out checks should sign them, Prince said. But through hard experience, companies learned, he said, as they will again in a high-tech world.

And regulators, too, will jump into the picture. Already, the Federal Trade Commission is looking into allegations that a Minnesota-based meat industry B2B network might be engaged in price-fixing. Such concerns will eventually lead the government to look deeper into the picture, as well, the report says.

"Once real money starts being stolen over the Internet - and companies can't ignore it - there will be a spurt of US legislation aimed at making it illegal to use the Internet to facilitate some other crime," the report said. "But despite all the legal hoopla, Internet crime will continue to grow."

Meanwhile, the same distractions companies experience from threats of their online systems being attacked by outside hackers will remain, and might even predominate as companies struggle to decide where to throw their money at ongoing digital security.

"Each organization, depending on their ability to respond to a breadth of threats, will respond to that differently," Prince said. "But in general, the immediate, high-profile threat will take precedence over the longer-term, more structurally oriented threats that happen in time frames that don't have the same currency

Forrester predicts that security spending will balloon to $19.4 billion by 2004.

ISN is hosted by SecurityFocus.com
