Lock it or you’ll lose it

It is an ugly word, but “de-perimeterisation” should be jangling the nerves of the business world in ways that have nothing to do with its discordant phonetics.

Essentially, it spells the end of the world as we have known it.

The harbingers of this particular digital doom are e-mail, the internet, the laptop computer, the mobile camera phone, the BlackBerry, Wi-Fi, the iPod, the USB key ring and any other way in which information, both valuable and malicious, can enter or leave an organisation unhindered by the traditional electronic defences, the firewall and the scanners for viruses and spam.

The security stormtroopers are already reaching for their guns. The Jericho Forum, set up only two years ago, is an international lobby whose members include ICI, Procter & Gamble, Qantas and Dresdener Kleinwort Wasserstein.

It emphasises the need for a proactive approach, warning: “Over the next few years, as technology and business continue to align closer to an open, internet-driven world, the current security mechanisms that protect business information will not match the increasing demands for protection of business transactions and data.”

Paul Simmonds, global information security director for the chemicals giant ICI, a co-founder of the Forum, explains its rationale: “We are reasonably content with the tools to counter today’s threats. We are less content with where we need to be tomorrow. Within a few years, we will have to work without hardened borders [firewalls and the like].

“Two years ago, the tools and technologies to manage this were not even being discussed! So a group of global information officers got together to form Jericho. What you buy tomorrow is in the research and development laboratories today. Our aim is collectively to influence developments to get the tools and products we need.”

The beginnings of the end of the electronic equivalent of drawing the waggons into a circle are already becoming apparent. This year, the energy behemoth BP shifted 18,000 of its 85,000 laptop computer users from its firewall-protected local area network to the public internet. Its logic is that the controls to keep out the ill-intentioned will have to reside in the individual machines, closer to the critical data, rather than at the perimeter.

But if Jericho is looking to tomorrow’s threats, those of today are keeping security officers on their toes. Last year was the worst so far for breaches of computer security in the US, with well known companies including Marriott International, Ford Motor and AMN Amro Mortgage Group admitting the loss or theft of employee and customer information that could have led to “identity theft” – a technique popular with digital criminals for making off with funds using purloined bank details.

In the UK, the Department of Trade and Industry’s latest information security breaches survey, carried out by PwC, concludes that the cost to UK industry overall has risen by 50 per cent since 2004 and is now about £10bn a year.

Education and corporate awareness is having a positive effect, the survey says: “Three times as many companies have a security policy in place as did six years ago and 98 per cent of businesses have anti-virus software in place.”

But still the hackers get through. Peter Tippett, technology whizz with the security group Cybertrust, says companies are spending more each year on firewalls and intrusion detection, yet attacks are more and more successful.

He links this to a change in the nature of cybercrime: “The motivation has shifted from kids trying to figure in the folklore of their peers to people doing it to get cash.”

It is, of course, one thing for Mr Tippett, a vendor, to make such self-serving claims, quite another to learn the scale of the challenge from business itself.

Scott Larsen manages information systems for Groople Inc, a 50-strong, Denver-based travel agent whose business partners include the internet travel group Travelocity. He says: “We see script kiddies [inexperienced hackers] running scripts [hacking programs] against our site all the time. A conservative estimate would be one attack a minute, looking for vulnerabilities. There are a lot of psuedo-hackers out there. Whether they know what to do once they get access to a site is a different story.”

Mr Larsen is not losing sleep. He protects his site and his data with a layered approach using software developed by Trend Micro, a Tokyo-based security vendor.

He points out that he is responsible for storing customers’ credit card data and the relationship with the much bigger Travelocity means information is held and transmitted in common: “In the travel industry, a lot of systems talk to each other, so communications have had to become much more secure. We use dedicated links, virtual private networks and encryption.”

But it is an astonishing statistic – an attack every minute against one small company in middle America. Scale that up globally and you begin to understand the reason senior executives always tick the security box these days when canvassed about their concerns for the business. “We are seeing 300-400 new viruses every day,” says Cybertrust’s Mr Tippett. “It’s continuous erosion. These attacks are more pervasive and they are coming from more angles.”

Communication between machines is, of course, the antithesis of perimeterisation. Steve Quane, Trend Micro’s Munich-based small and medium sized business expert, argues that security has to be built into the network: “The perimeter concept has probably gone.”

At Dresdner Kleinwort Wasserstein, the investment bank, its former chief information officer and now head of alternative market modelling, JP Rangaswami preaches a gospel of openness: “There is no fundamental difference between information security and knowledge management,” he says. “That is the ethos that drives what we do.

“We start with the principle that information is open. If you seek to prevent something digitally, you tend to drive the behaviour underground. It is smarter, given that we have more monitoring capacity than ever before, to record everything.”

Rangaswami is concerned about information walking out of the door on people’s iPods and USB drives: “What are you going to do? Scan people’s personal digital assistants, search their briefcases as they walk out the door? We have software running on all our machines that tracks what is being passed across to any USB drive. That is smarter than banning it altogether.”

Lenny Goodman, director of desktop management for the Baptist Memorial Health Care Corporation in Memphis, Tennessee, has adopted a similar approach to safeguard information held on the health group’s 6,000 personal computers: “The USB drive means a huge amount of information can be hidden in the palm of your hand.”

Driven by the demands of the US Health Information Portability and Accountability Act (HIPAA), he has a four-pronged approach: first, a written corporate policy to raise awareness; second, the installation of technology to audit and detect unauthorised devices; third, technology from an Israeli company, Safend, to prevent their use; and fourth, where data must legally to stored on removeable media, it must be password-protected and encrypted.

Complying with regulations such as Sarbanes-Oxley is an additional cost: some companies are not sure how much they are actually spending to ensure they are meeting their obligations. With jail as the alternative, they argue: “This is something that has to be done so we’ll do it and work out what it cost later.”

It would seem from all this that keeping business data safe and secure from the cybercriminals who are relentlessly devising new ways to attack the corporate database must be a manager’s first concern.

Well, no actually. There is a far greater threat.

The Information Security Forum, a self-help organisation that includes many Fortune 100 companies, compiled a list of the top information problems which cost companies money last year and discovered that of the top 10 incidents, the top nine were all the result of a mistake: human error, systems malfunctioning, a failure to understand the effect of adding a new piece of software to the rest of the system.

The biggest incident, which cost the unnamed company $30m, was caused simply by a loss of power, according to Andy Jones, the Forum’s senior research consultant: “People do lose money from viruses, social engineering, spam and phishing but their losses are not in the $10m range,” Mr Jones says.

Cybercrime is real and growing and requires constant vigilance but the issue lends itself to hyperbole. It is as important to ensure your stand-by generator is tested regularly as it is to ensure your anti-virus software works when that is tested – even more regularly – by hackers.