Make security your priority

CIOs will have to tackle the rise of increasingly sophisticated attacks on their corporate systems, writes Emma Nash.

Emma Nash, Computing 30 Jan 2004

Last year generated some particularly nasty security problems for companies, and the situation is not likely to improve any time soon.

Add the increase in e-business, a rise in the number of home workers, new scams such as phishing, increasingly sophisticated hackers, fraudsters and methods, a rise in spam, and old favourites such as denial of service attacks, and it's obvious that security is going to be as important as ever this year.

"Unsurprisingly, threats this year are not going to be that different to the ones we saw last year," said Tim Pickard, European strategic marketing director at security specialist RSA.

"But a lot of the threats are getting worse. The total number in 2003 was massively up on 2002. The time it takes for these threats to spread across the world is literally minutes, so the time we have to react to them has decreased too."

Pickard also predicts an increased threat from junk email. "Spam is a massive security problem we need to fix," he explained.

"It can't go on unchecked because it will become a major problem that will get more difficult. Hacking is increasing to the point where it can't go unchecked either.

"The other interesting trend is the amount of patches being released. It stands at about 30 per week from the top five vendors.

"If you think about the way people implement patches, they don't do it when they come out. They want to test it and see what impact it will have on the rest of their infrastructure first."

So, not a great deal to look forward to then. But don't despair. While this all sounds awfully bleak, methods of combating security breaches and preventing fraud and theft are improving.

Security is being taken more seriously and the ways of investigating breaches and IT crime are becoming reminiscent of those used in the physical world.

Simon Perry, vice president of security strategy at Computer Associates, believes that forensics will be applied as a matter of course to computer crime investigations in the next two years.

"In physical investigations you look for evidence of fingerprints or DNA," he said. "Around that you need a case. It's exactly the same for electronic crime. A physical fingerprint could be the equivalent of proving someone was logged on to a machine when something happened."

Users, consumers and businesses will have to be more proactive in their approach to security if they are to stand a chance against ever more virulent security attacks.

Risk analysis and re-education are going to be an important part of security strategies, according to Alan Stanley, managing director of industry body the Information Security Forum.

"One of the big areas we're working on is risk analysis. How do you get the risk process embedded in the organisation? Typically, if you can make people aware of the risks, they can see that they need to do something about it," he said.

This year, education, awareness and proactive defences are going to be essential if businesses want to avoid being embroiled in severe security breaches.

www.pcw.co.uk/2072368
This article was printed from the Personal Computer World web site
© Incisive Media Ltd. 2008
Incisive Media Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, is a company registered in the United Kingdom with company registration number 04038503