Safeguarding Information Technology

In a post-9/11 world, security has become a core issue for businesses around the globe. According to a 2003 survey conducted by the U.S. Business Roundtable, Fortune 500 companies have increased spending on security by an average of 10 percent since the attacks on September 11, and more than half of them have made security a board-level issue. While corporate spending on physical security is increasing at a significant rate, information technology (IT) security spending has historically not kept pace. As a result, many companies are failing to adequately protect those assets which can have the greatest impact on their operations. The fact is that numerous internal and external threats could compromise or even destroy an organization's technology infrastructure, the backbone of business in a globally interconnected world.

The recent multitude of virus and worm attacks, which resulted in billions of dollars in damages, exemplifies the lack of preparedness by many companies. For example, the MyDoom virus infected approximately a quarter-million computers in one day. The Slammer, Blaster, and Sobig worms reportedly caused $12-13 billion in damages. The impact of these attacks was so great because they affected large companies across their lines of business, their extended chain of supply, and their customer base.

Cyber threats and attacks are increasing in volume, complexity, and severity. A 2004 survey conducted by CSO magazine, the U.S. Secret Service, and the CERT cybersecurity center indicated that more than 40 percent of the 500 executives polled reported that the number of computer crime incidents affecting their organizations had increased from 2002 to 2003. And while external threats are a reality and have a significant impact, the majority of IT security risks are internal to an organization and its operations.
Increasing technology uses and dependency

In the past decade, an unprecedented stream of valuable information technologies has been developed that provides companies with innovative solutions and enterprise-level applications. Today's leading IT solutions leverage the Internet, database tools, and high-end technologies, helping businesses to be more competitive and operate on a global scale. Such high-value assets include business-to-business and e-commerce applications, shared knowledge bases for research and development, customer and employee self-service applications, and real-time design and engineering of products. Though the benefits of recent IT advancements are widespread, and most companies could not operate without them, IT, like virtually all aspects of business, is not risk-free.

Making companies more interconnected and interdependent

Enterprise-wide and worldwide information technology usage can be a double-edged sword. On the one hand, there is no question that it has created entirely new industries, dramatically improved corporate efficiencies, and generally made the world a smaller, more interconnected place. On the other hand, greater interconnectivity means increasing interdependence. As never before, companies need to worry not just about their own systems and operations, but also about those of their suppliers, vendors, employees, and customers in a range of locations around the world. IT resources of one form or another connect all of them. This means that a risk affecting anyone along that chain has the potential to influence the entire chain, all the way to the top, causing significant damage to company operations.
With one in four companies expected to experience a significant Internet security incident by 2005, according to a recent Gartner Group report, now is the time for organizations to prepare for IT risks enterprise-wide.

How to prepare for attacks on IT

A world-class information security program requires a balanced framework of people, process, and technology, enabled with strong policies and standards. This foundation provides the catalyst for the integration of security into the enterprise business strategy; helps manage security investment planning; and builds confidence with customers, employees, and others. Within this framework, the organization can define the best approach toward mitigating the threats to its information systems and the business processes they support. Testing the various infrastructure components and taking subsequent steps to mitigate and reduce the identified IT risks will help safeguard IT assets. However, focusing on IT issues exclusively will not ensure that a business's operations will continue in the event of a cyber attack. Instead of analyzing the impact of a cyber attack in silos, organizations should consider the effects of an IT security breach across the extended enterprise and implement integrated solutions to address them. Organizations need to assess the technology infrastructure, including servers, network monitors, and firewalls, but they also need to consider how IT security threats will impact their operations, supply chains, property, and people. Companies have invested heavily in the creation and implementation of IT business solutions, yet their investments to protect those high-value assets have not kept pace. Since IT security can significantly impact the ability to operate a business, it should be considered in the context of business continuity and supply chain planning. Business continuity planning is an effective way for organizations to prepare for various risks before they occur.
Business continuity planning identifies critical business processes and subsequently builds a strategy to ensure the viability of crucial roles and responsibilities when IT resources are threatened or disabled. Supply chain analysis and planning identifies the risks and vulnerabilities in the extended enterprise and develops strategies and solutions to address them. Supply chains are networks of suppliers, manufacturers, distributors, retailers, and customers that contribute to the flow of business operations. In the event of a cyber attack or other breach of IT security, an organization could face a sustained interruption of information flow. Consequently, operations could be delayed or even temporarily halted, significantly affecting the organization. By addressing IT and supply chain risks as part of overall business continuity planning, a more encompassing and effective business continuity plan can be developed and implemented. However, a December 2003 survey conducted by the Information Systems Security Association (ISSA) and the Business Software Alliance found that only 43 percent of the 1,719 ISSA members polled even have a business continuity plan in the event of a cyber attack. Most security specialists consider this to be a very startling number. And among the companies that actually do conduct planning for business continuity, supply chain, and IT risks, it is normally done in silos of activity.

The expanding scope of IT security

Creating and implementing an integrated solution is critical to effectively mitigating IT security risks. However, in doing so, a company must look beyond its own internal borders to effectively protect itself. That means not just preparing for supply chain disruptions, but ensuring that IT risks are mitigated along the way.
Although supply chains are vital to almost all enterprises, many businesses underestimate the extent and complexity of the risks associated with them. Supply chain disruptions can arise from many different sources, with IT risks becoming a major contributor as more and more organizations experience interruptions resulting from IT malfunctions or attacks. By identifying and preparing for vulnerabilities throughout its supply chain, an organization can reduce the likelihood that its operations will be affected when its supply chain is exposed to a cyber attack or other IT risk. Recognizing that IT risks can permeate any business sector, industries are increasingly self-regulating the use of information assets. As a reaction to and in preparation for future IT security breaches, industry-specific standards have been implemented. The North American Electric Reliability Council (NERC), for example, urges all members to proactively reduce risks to critical cyber assets that could compromise the reliability of electric systems throughout the continent. The Health Insurance Portability and Accountability Act of 1996 affects virtually all healthcare organizations, requiring that all electronic data containing "individually identifiable health information" be stored securely to maintain confidentiality. Under the Gramm-Leach-Bliley standard, financial institutions are required to disclose the sharing of personal information with affiliates and third parties and to offer an opportunity to "opt out" of such sharing. Sarbanes-Oxley regulations require secure ways of electronically storing data to ensure the integrity of financial reporting and disclosure.
State laws such as California's SB1386 declare that all public and private enterprises which conduct business with California residents and fail to disclose computer security breaches will become liable for civil damages or class action suits.

Conclusion

The business benefits that are derived from the strategic use of technology are significant, but they are accompanied by risks that must be addressed. The failure to address IT vulnerabilities within their own organizations and throughout the supply chain can have devastating consequences for business operations. However, these risks can be managed. An integrated approach to planning and developing solutions for business continuity, supply chain, and IT security will address the critical vulnerabilities across the enterprise. Taking such steps to address vulnerabilities and enact protective safeguards can help to strengthen a company's competitive position and ensure it remains a player in an increasingly advanced and interconnected world.

About the Authors

Rich Lowery is the Risk-Adjusted Supply Chain Management Practice Leader at Marsh's Risk Consulting Practice. With over 14 years of consulting experience, Mr. Lowery has assisted in the development and implementation of new business processes, system applications, and change management in over 70 companies worldwide. Mr. Lowery is a board member of the Carlson School of Management (University of Minnesota) Executive Advisory Board for the Management Information Systems Research Center and is a frequent speaker on supply chain management. Visit http://www.marshriskconsulting.com/ for more information. Contact Rich Lowery at Richard.M.Lowery@marsh.com or (612)692-7886.

Troy Smith is the Information Technology Security Consulting Practice Leader at Marsh's Risk Consulting Practice, where he is responsible for developing and deploying solutions to help organizations secure data, mitigate corporate and personal liability, and minimize abuse of computing resources. He has over 20 years of experience in technology and management consulting and has worked in numerous industries including CPG, manufacturing, aerospace and defense, and transportation, including airlines. For more information visit http://www.marshriskconsulting.com/. Contact Troy Smith at Troy.D.Smith@marsh.com or (312)683-7659.