An Executive's Information Security Challenge
Four CEOs were taking a break during a recent American Banking Association (ABA) meeting and struck up a conversation about recent challenges they were facing. Howard related a recent incident caused by the Slammer Worm that made his bank's 13,000 automated teller machines (ATMs) unavailable to their customers for approximately 24 hours. This worm spread so quickly that his information technology (IT) organization could not react in time. A worm is a self-replicating malicious program that doesn't require user interaction to spread between computers and across networks. Fast-replicating worms can consume resources, slowing computers and networks to a crawl or crashing them altogether.
Sam could relate to Howard's woes because someone stole a laptop computer that contained private financial information for thousands of customers from one of his bank's offices. Sam's business was lucky and recovered the laptop a few days later; however, his customer service organization spent considerable time contacting these customers and continues to monitor their accounts for possible fraud.
Roger was not so lucky. An eastern European hacker tricked his company's systems into transferring an estimated $10 million into the hacker's account. His bank was able to recover the majority of these funds, but the incident did considerable damage to his company's brand. Charles lamented the damage to his credit card business when hackers sent phony but official-looking emails (a process called “phishing”) to his unsuspecting customers to trick them into disclosing confidential information. These hackers then made illegal charges to the accounts of customers who fell for the scam.
The preceding anecdotes are based upon actual recent security incidents that have occurred in the financial services industry. Information security incidents are not limited to this industry, however. All organizations that conduct portions of their business electronically are potential targets. In April 2003, the Slammer Worm disabled a safety monitoring system at a nuclear power plant for nearly five hours and affected the performance of the plant's corporate network. A major U.S. computer networking company sued a Chinese rival for theft of intellectual property in January 2003. The company claimed that its rival copied its source code, documentation, and other copyrighted information. Both parties settled 20 months later when the Chinese rival agreed to discontinue selling all products named in the lawsuit.
In December 1999, an online music distributor refused to hand over a $100,000 blackmail payment when a hacker stole the confidential personal information, including credit card numbers, of 350,000 of their customers. The hacker posted the information on the Internet, and the resulting brand damage was severe. Finally, two software companies in the Silicon Valley have been embroiled in a billion dollar lawsuit over the theft of intellectual property that allegedly resulted when executives from one of the companies left to form a competitive company.
A lack of knowledge about information security contributed to these incidents and left these companies vulnerable to exploitation. This book explains how you can avoid the same trap and provides you with the resources and best practices necessary to put the information to good use.
Information security is a significant boardroom issue. In today's world, companies rely on their internal computer systems and the Internet to conduct business and cannot afford to have disruptions to their operations. A security incident can have a wide-ranging negative impact on a company's revenue streams, customer confidence, and public relations. This dilemma makes information security an essential component to an effective overall business strategy. Establishing an information security program that addresses the risks that your business faces should be a high priority.
This chapter starts with a historical view of the Internet that provides important and relevant background information for understanding information security. It goes on to describe some of the major information security challenges that you're likely to face and how they can affect your business. These challenges are important to consider when developing your information security program, and you can turn them into competitive advantages.