Computerworld - The headlines dominate the press:
"Hackers gain access to 8 million credit card numbers"
"Slammer Worm Propagates Across the Globe"
Hackers, viruses and worms are wreaking havoc and causing significant monetary, competitive and psychological damage. For corporations, mitigating the potential loss involves timely detection, effective communication and a plan for resolution. Unfortunately, security teams are feeling the squeeze caused by reduced staffs who have to deal with larger enterprises, networks and systems.
Organizations are slowly realizing that merely purchasing or installing a firewall or intrusion-detection system will not secure their systems and critical data assets from external attack. They are realizing that enterprise security isn't plug and play, and those that continue to treat it that way will incur even larger and often catastrophic losses.
One answer is the employment of information security programs such as a security event management solution, an outsourced vulnerability scanning service or a managed security services provider. Centralized security management solutions are gaining popularity because of their ability to aggregate, standardize, analyze and report security event information in a succinct and real-time manner, all via one central console. They are proving valuable for managing and evaluating the data flow across all installed security devices and continuously auditing security controls.
The ramifications
The increased prevalence of cyberattacks has caused cyber-insurance rates to skyrocket. At the same time, insurance companies are receiving more hacking-related claims and are thoroughly investigating cyberattacks to ensure that a company has met all of its liability requirements by properly installing and maintaining its security infrastructure. Those that haven't met liability requirements won't be covered by insurance. Conversely, those who exceed requirements may soon enjoy a discount in their premiums.
Network risk insurance premiums range from $5,000 to $30,000 per year, per $1 million in coverage, and the hacker insurance market is expected to jump from $100 million in 2003 to $900 million by 2005, according to industry reports. Insurance premiums are going to whittle away at corporate profits unless companies can show that they have employed all possible network controls, procedures and audits to mitigate liability. Lacking security control auditing capabilities is equivalent to installing a steel door at your house with no deadbolt locks. Sure, an insurance inspection will confirm that the conditions were met for the premium, but with no lock, all the controls are wasted.
The solution
Information security organizations and audit organizations have the same goal: to see that mission-critical information is properly protected from unauthorized access and/or update. It is wise for security practitioners to bring audit guidance into a security project -- to include deploying firewalls and intrusion detection systems -- during the early planning stages. This will help to ensure that the resulting controls will be appropriately implemented, both technically and operationally, for protection as well as compliance with security policies that govern the overall security program.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
