As everyone knows, the wall that once separated the IT group from security management is a relic of another era. Professionals recognize that an effective security system protects infrastructure not only from intrusions from the outside but also from incidents caused by employees and others on the inside, particularly in cyberspace. In other words, IT security is about more than firewalls.
The Insider Threat
Dan Verton, author of Black Ice, a chilling and highly recommended account of our electronic vulnerabilities, outlines situations that have thoughtful managers worried.
"Companies need to know at all times who is on the premises and who has got access to the company infrastructure," he said after a recent Secret Service briefing for the private sector. He asked what can happen when someone enters a company's office in Asia or Europe at 3:00 in the morning, accesses a weakly protected area of the IT network and does damage to files tucked "safely" on a server in New York. Or when a workman is ignored in the local garage where he has tapped into the fiber network and is busy removing data, all with equipment bought at Radio Shack.
Verton is not alone. One CEO of a prominent Fortune 100 firm says it is "especially the potential vulnerability of an insider gone bad" that scares him more than any other threat to his firm and its worldwide operations. A recent study by the Secret Service and the CERT Coordination Center reported that insiders "pose a substantial threat by virtue of their knowledge of and access to their employers' systems and/or databases, and their ability to bypass existing physical and electronic security measures through legitimate means." More than 70 percent of the insider threat cases studied occurred during normal working hours from a physical location inside the organization. Most of the incidents involved people using legitimate commands, people authorized with active computer access. In one study, nearly half the perpetrators used their own names or passwords to initiate the incident. Fewer than a fifth held technical positions or had system administration access. Even more startling, the CERT report found that perpetrators shared their intentions with others, both inside and outside the firm, sometimes even with competitors.
The Costs of Denial
The effects of adverse incidents (everything from hiding illegal trades in a large financial institution to changing authorization and access rules for any firm's database) can be substantial. One study has the average loss to Fortune 1000 firms from successful IT attacks at nearly $1,750,000. The CERT study reports a high of $691 million for insider events at financial institutions. But the damage includes more than immediate dollars; it also includes disruption of operations and harm to reputation.
Indeed, the negative impact on brand could be the most harmful over the long term. When one considers that companies as diverse as Nokia, McDonald's, GE and Microsoft assess the 2004 value of their brands in the billions of dollars ($24 billion, $25 billion, $44 billion and $61 billion respectively, according to Interbrand Corp.), it is easy to see that the financial risk of inadequate protections from insider harm is huge.
The insurance industry hasn't been out of the loop on this issue. John Bugalla, managing director of Aon Risk Services, acknowledges that his firm is developing brand impairment products to protect against sharp declines in brand value caused by catastrophic events. "Look," said Bugalla, "reputation can take a hit when a large public firm violates Sarbanes-Oxley or when a smaller private firm is sloppy in protecting its customer or personnel information. Either way, perception will drive down shareholder value and upend all the other benefits that come with a strong brand."