Most Companies Waste Millions On Poor Security

By Ara C. Trembly

San Antonio

While millions of dollars are spent each year to keep critical business data secure, “in most companies, that money is being wasted; there’s no ROI,” according to one consultant firm.

“Ten years ago, security was pretty good. We didn’t have viruses like today, and computers weren’t connected much, but the world has changed,” said Chuck Porter, managing partner, technology infrastructure services, for New York-based Accenture. “Today, most businesses and employees are connected to the Internet. Viruses are something you just have to be there to catch.”

Porter’s remarks came in a presentation at the LOMA Systems Forum held here earlier this month.

Today’s companies face many security challenges, both technical and organizational, Porter explained. “Some of the challenge is financial; companies are tired of investing in [security].”

“Execution [of security programs] is also a challenge,” he added. “How many of us would honestly say we are executing our security operations with much diligence? I would suspect very few.”

Most companies, said Porter, don’t keep their firewall or antivirus software up to date with the latest versions, updates and patches.

According to Porter, increasing connectivity and collaboration among workers via the Internet will require increased security for the insurance industry. Under federal regulations, he added, “you can go to jail if you fail on the accuracy and integrity of your information. For CIOs, the stakes just got higher.

“Security,” he continued, “is about preventing intruders from getting to your information assets.” Today’s technology enables customers and business partners to gain access to our systems in a way that makes it easier to do business, he noted.

The problem, however, is that “increasingly, you have to grant access to people who are not your employees to do this,” said Porter. Thus, security becomes a balancing act between preventing something bad and enabling something good.

In 2000, Porter did an assessment of his own company’s security programs and found them to be behind the curve. “The report card was not good,” he noted, with many areas of security receiving Cs, Ds and Fs. “If we didn’t fix this, we were going to be on the front page of the Wall Street Journal with publicity we didn’t want.

“Our security was good enough for 1997, but no good for 2000,” he said. “We had stood still while the rest of the world moved on.”

In response to the assessment, the company developed a security program that stressed:

strong authentication measures;
secure workstations;
addressing weaknesses and preventing further weaknesses from being introduced;
firewall monitoring and intrusion detection systems; and
security awareness.

In the area of authentication, the company decided that passwords and log-on IDs were not enough in themselves, said Porter. It changed to a system that uses authentication tokens. These are keychain-size devices that allow authorized users to access the network. The token may be read like a credit card, or it may display a number that is used as a password.

Overall, said Porter, the security program has significantly reduced the company’s risk in many areas. “Anecdotal evidence is that our risk is much lower,” he stated. For example, he reported, the company’s security systems were able to stop both Code Red and SQL Slammer virus attacks “within 30 seconds, and it didn’t affect us or our ability to serve clients.”

For companies who seek to improve data security, Porter recommended using risk management techniques “in an intelligent way.

“Figure out what is important to you,” he said. “Investment in security is a business decision; it should have a rationale and an ROI.”

Porter also stressed the importance of keeping up with the industry’s regulatory issues when it comes to security. “Be as good as or better than the industry so you can demonstrate that you’re using reasonable measures,” he advised. “Holistic is the way to go with security. You need a comprehensive approach.”

Forensics, or the ability (after a security breach) to figure out what happened in order to prevent a recurrence, is also an important part of a security program, he noted. Forensic technology can help a company follow e-mail trails or spot violations of intellectual property.

Using such technology, Porter said his company could recover the information from a disk that has been formatted (wiped clean of data) up to seven times. “The CIA can go back 12 levels,” he added.

Porter said his firm also tests its security periodically by hiring outside companies to attempt to penetrate its systems “physically and electronically.”


Reproduced from National Underwriter Edition, March 31, 2003. Copyright 2003 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.