THE OUTSIDERS
Companies must upgrade their defenses
against external attack...
By Adam Lincoln
Visiting Asia on business trips, Robert
Clyde used to find computer systems security to be a tough
sell. While the rest of the corporate world accepted that
the greatest threat to corporate information systems lay within
- among disgruntled and dishonest employees - this region's
business leaders were convinced it wouldn't happen to them.
"They felt that cultural mores would prevent employees from
harming their employer," he recalls, adding: "To an extent,
they were probably right."
These days, that's a dangerous attitude. "No geographies are
immune to Internet attacks because you don't have to be in
a particular geography to launch one," says Clyde, who last
year took over as chief technology officer at US-based Symantec,
the world's largest security software provider. Clyde's new
role places him at the vanguard of information security at
a precipitous moment. In 2001, the number of intrusions perpetrated
on companies by outsiders overtook those committed by people
on the payroll. At the same time, the incidence of cybercrime
grew exponentially, not just in line with the growth of Internet
usage generally. The proliferation of viruses such as Code
Red and Nimda is evidence of that.
Apart from being the source of viruses that have wreaked havoc
on a global scale, Asia has its own set of problems. A 2001
survey into security threats and management issues in Asia
undertaken by Pinkerton, a US-based consultancy, found business
espionage and threats to intellectual property to be of particular
concern in this region. What's more, the survey found employee
fraud and theft at all levels was indeed a growing problem.
"This can reach epidemic proportions in countries where cultural
differences often result in views on ethics and standards
that vary from those held in the West," the report said.
And if hackers have always been a part of the high-tech milieu,
the days of the gentleman hacker are well and truly over.
"The idea of the original hacker was look, but don't touch,"
says Clyde. "They would break in, look around, didn't do any
damage but maybe sent a message to the system administrator.
Nowadays, people are definitely interested in taking down
the network," he says. What's more, just about anyone with
time and a motive can manage it. Clyde says the 'democratization'
of hacking has been aided by the advent of simple 'click-and-hack'
programs. By Symantec's count, wannabe hackers can turn to
any one of more than 30,000 hacker-oriented websites for guidance,
giving social activists a new vent - "hacktivism".
Where in the World
Clearly, the events of 9/11 raise fears
that terrorists might bring the Internet to its knees. "I
firmly believe that not only is the threat of a cyber attack
real, but the first phase is already under way," says Mark
Fabro, president and chief scientist at Terrasec, an information
security consultancy based in Toronto. Fabro says the intrusion
detection logs of large multinational corporations "show precise
data-gathering operations in which outsiders are looking at
network structure, points of weakness, and infrastructure
locations of weak security." Since 1998, three global scanning
projects have been sponsored by "rogue" nations, he says.
Yet many businesses remain alarmingly complacent. Studies
show the typical company spends barely 5 percent of its IT
budget on security. "Not only is that not enough, but the
money itself is not being spent on a dedicated line item called
'security'," Fabro says. Only when security is a dedicated
line item in the budget does management recognize it, he maintains,
adding that if companies are serious about information security,
the figure should be more like 15 percent. The Pinkerton study,
albeit conducted before 9/11, found barely half of companies
in Asia planned to increase expenditure on security in the
next three to five years.
Given the potential for damage, it's easy to argue in favor
of increased investment. Symantec's Clyde reckons just 10
to 15 percent of cybercrime is ever reported because it makes
for bad PR. Still, various groups have tried to identify the
cost. In 2001, the US-based Computer Security Institute, working
with the FBI, found that the average loss of the 600 respondents
was US$13 million, up considerably in recent years. Information
Week magazine and PricewaterhouseCoopers estimate the total
annual loss of security breaches and virus attacks, including
downtime and recovery efforts, to be US$1.6 trillion.
Know Thyself
Companies should apply the same kind
of measured approach to security that they did for Y2K, the
experts say. This entails taking a fine-tooth comb to the
entire infrastructure - firewalls, routers, applications,
operating systems, Web applications and databases - in a search
for weak spots. Often, a successful attack takes advantage
of a service or function inside the server that is never or
only rarely used. Fabro says this "additional functionality"
should be removed, and the operating system secured so attackers
cannot penetrate the system.
Above all, companies should make sure that they bring plenty
of human intelligence to bear. "Careful inspection of the
frequency, type and source of attacks can lead to insights
that the intrusion detection software can't provide," says
Fabro.
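The kind of inspection Fabro describes, aggregating alerts by source, type and frequency so that a slow network-mapping sweep stands out from isolated alerts, can be scripted. This is an added illustration, not code from the article or from Terrasec or Symantec; the log format and the alert names are assumed and the sample lines are constructed.

```python
# Added example: summarize constructed IDS alerts by source, alert type and
# frequency, then flag sources whose pattern looks like reconnaissance.
from collections import defaultdict, Counter
import re

# Constructed sample alerts in an assumed "timestamp src dst:port type" format.
SAMPLE_ALERTS = """\
2001-11-03T02:14:07 203.0.113.7 198.51.100.10:21 PORTSCAN
2001-11-03T02:14:09 203.0.113.7 198.51.100.10:22 PORTSCAN
2001-11-03T02:14:11 203.0.113.7 198.51.100.10:80 PORTSCAN
2001-11-03T02:14:13 203.0.113.7 198.51.100.11:80 PORTSCAN
2001-11-03T02:14:15 203.0.113.7 198.51.100.12:443 PORTSCAN
2001-11-03T02:14:17 203.0.113.7 198.51.100.13:25 PORTSCAN
2001-11-03T09:30:00 192.0.2.44 198.51.100.10:80 WEB-IIS-CODERED
2001-11-03T09:31:00 192.0.2.44 198.51.100.10:80 WEB-IIS-CODERED
2001-11-03T11:02:45 203.0.113.99 198.51.100.11:80 WEB-PROBE
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+)$")

def parse_alerts(text):
    """Parse log lines into dicts; lines not in the assumed format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port, kind = m.groups()
            alerts.append({"ts": ts, "src": src, "dst": dst,
                           "port": int(port), "type": kind})
    return alerts

def summarize_by_source(alerts):
    """Per source address: alert count, alert types, distinct hosts and ports touched."""
    per_src = defaultdict(list)
    for a in alerts:
        per_src[a["src"]].append(a)
    return {
        src: {
            "count": len(items),
            "types": Counter(a["type"] for a in items),
            "hosts": len({a["dst"] for a in items}),
            "ports": len({a["port"] for a in items}),
        }
        for src, items in per_src.items()
    }

def flag_reconnaissance(summary, min_hosts=3, min_ports=3):
    """A source touching many hosts or ports is mapping the network, not attacking one service."""
    return sorted(src for src, s in summary.items()
                  if s["hosts"] >= min_hosts or s["ports"] >= min_ports)
```

On the sample, the six individually low-severity PORTSCAN alerts collapse into one source that has touched four hosts and five ports, which is the "precise data-gathering" signal a per-alert view hides.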
That may motivate more companies
to create the position of chief information security officer,
a growing trend among security-conscious companies. Some 65
percent of respondents to the Pinkerton study said their company
had a security manager overseeing the Asia Pacific region.
Yet 35 percent of them rely on someone who is based in the
US or Europe to oversee Asia from afar. Now might be the time
to bring them back in from the cold.
Adam Lincoln is executive editor of
CFO Asia in Hong Kong. Additional reporting by Esther Shein
of CFO.com in New York
What's it Worth?
How much a company should spend
on security depends on the nature of its business. A system
that executes financial transactions has a lot more at stake
than an informational website; spending must be in line with
the risk - a price range as long as a piece of string.
But even technologists like Robert
Clyde, chief technology officer of US-based Symantec, the
world's largest security software provider, and Mark Fabro,
president and chief scientist at Terrasec, an information
security consultancy based in Toronto, concede that technology
cannot do the job by itself.
Firewalls, VPNs and the emerging
breed of intrusion detection and user authentication systems
are well and good, but as more companies use the web to hook
up with suppliers, employees and customers, security education
and awareness demand equal attention. That process must extend
from the IT department - easily distracted by day-to-day concerns
like keeping a network up and running - through all levels
of the organization.
Symantec's Clyde says that companies
such as Microsoft, Sun, Hewlett-Packard and IBM have done
a good job at coming up with 'patches' when they've found
bugs in their operating systems or web server software. Problem
is, many servers aren't installed properly in the first place,
or companies fail to keep up with the patches.
CFOs who don't know where to start
are best advised to look for a trusted outsider to handle
the job. A recent Pinkerton report acknowledges the emerging
role of outsourcing as a viable security option. Says the
study: "Outsourcing can increase the bottom line without
compromising an organization's security programs and procedures."
AL