Risk drive

Selling security products and services has become a money spinner. As resellers venture into risk analysis, Steve Gold sizes up the dangers.

Risk analysis is often dismissed by IT managers as being too subjective to be of practical use within an organisation. But, just as the rise of the PC in the last decade brought with it a raft of security problems, so the PC itself can help rationalise the science of risk analysis. On a practical level, risk analysis is not an expensive process, although many medium and almost all large organisations employ external consultants.

According to the US National Bureau of Standards (NBS), which drew up its blueprint for US businesses compiling their own risk analysis chart in the 1980s, the IT analysis breaks down into six main areas - operational divisions, information systems project development, data handling, application program development, data communications and program validation.

The NBS defines an operational division as an organisational unit responsible for one or more general functions. In analysing the risk inherent in the functions in such divisions, the NBS argues that it is necessary to compile and verify the job descriptions and functions of staff within the unit.

On this basis, an accurate analysis of worst case disaster scenarios can be compiled for the divisions in question.

On the information systems project management front, short and long range planning objectives assume a greater role in analysing risk. The failure - or success - of an organisation to adhere to these plans is highly indicative of the success of staff in managing their risks effectively.

In the absence of short and long term plans, the risks to the integrity of an organisation's IT department are very high, as it is a sign of a disorganised and misdirected approach to management. According to the NBS, failure to manage effectively can have a very negative effect on the viability of an organisation.

Data handling is another critical area to the viability of an IT department, as well as to the organisation as a whole. Analysing the risks inherent in the data handling department's operations involves looking at issues such as errors in data and the introduction of unauthorised and possibly fraudulent transactions in the system.

Other issues, such as susceptibility to fraud, civil and criminal penalties for mishandled data, and direct financial loss, also need to be looked at when assessing risk.

Application program development is an interesting sector where risk analysis is concerned, as the operational functions - management and performance of systems design, programming and testing to support data processing - tend to be viewed as standalone from the rest of the systems. This despite the fact that application program development must be an integral IT function if an IT department is to succeed within an organisation.

The risks associated with the inadequate control of application program design should not be underestimated, as there is a danger that the IT system may be uncontrolled as a direct result of poor safeguards.

Perhaps worse, if application program development is not carefully controlled, is the risk that IT systems in operation within an organisation may not satisfy internal and external requirements. Therefore, the IT department - and maybe even the entire organisation - could be susceptible to the danger of interruption in operations.

Data communication is another sector of high risk. If data communications fail or are intermittent within an organisation, terminal maintenance and repairs tend to be disruptive and time consuming.

The failure of a part of a communications system may render it completely unusable. Such interruptions can cause insurmountable operations problems that affect the integrity and even viability of the organisation concerned.

Last, but not least, is program validation, an element of the IT function that's responsible for reviewing, validating and approving all programs and changes within the computer system. In most organisations, the program validation function falls within the remit of application program development.

Selling risk analysis products and services through dealers is a value-added business. While anti-virus and generic IT security software has been around for more than a decade, the concept of risk analysis from an IT manager's perspective is still in its infancy.

According to Miles Hutton, business manager of IT broker Crew, many IT captains are currently suffering from Swiss Army knife syndrome. He claims that project managers find themselves pitting their wits against specialist suppliers of a wide range of technologies from software development and security to integration and convergence.

"There's an increasing challenge to deliver innovative systems within the constraints of existing business functions such as purchasing, commercial and logistics. The ability of project managers to meet these challenges depends on a complete tool box of support and training," he says.

As a result of its research, Crew is now calling on the British industry to relieve these pressures and give IT managers the reassurance and advice they need.

Neil Bailey, managing director of Empower Dynamics, claims that 75 per cent of projects fail in some way in the deployment of IT, highlighting the need for improvement.

The company has recently embarked on a project called IT Doomsday, a mixed risk analysis service jointly developed with the Defence Evaluation and Research Agency (DERA).

"IT Doomsday is for businesses. It allows clients to analyse the risk in systems implementations before they start. The service looks at every single danger in a commercial framework, not in a vacuum," says Bailey.

Empower Dynamics claims to have developed packages for a range of projects that address large scale changes that cost at least £1m and affect 500 or more users.

Content Technologies (CTL), the firm behind the Mimesweeper software, is also migrating into risk analysis. It has just published a White Paper entitled Business Issues Relating to Content Security and Policy Management. The company claims the White Paper meets a growing demand among internet users for information on the financial, cultural and legal risks to a company as a result of accidental and deliberate misuse of the internet and email.

Chris Heslop, marketing manager at CTL, says that the White Paper discusses how internet usage, including email, can cause breaches of confidentiality and exposure to legal liability.

It also outlines the differences between liability and privacy laws in eight European countries, as well as listing the areas where legal liability is most commonly invoked.

According to Heslop, the primary aim of the White Paper is to help companies to identify the key elements of an internet content security policy. "Businesses can no longer afford to ignore the impact that internet and intranet misuse can have," he says.

"Recent research shows that up to 70 per cent of security breaches happen inside companies. This shows that firms have to do more than protect their networks from hackers and viruses and that threats can come from both internal and external sources," he adds.

A study carried out by Protek confirms the need for risk analysis in the channel's security offering. Many companies are trusting in what amounts to non-existent security to protect themselves from malicious attacks. It claims that 73 per cent of companies rely too heavily on firewall protection, while 82 per cent fall foul of inadequately managed directory systems.

John Cuming, head of sales at Protek, says: "The most used area of their network was email, yet it was the least secure. The majority of firms surveyed believed they had a definite protection plan in place."

When Protek reviewed its customers' network infrastructure, it found that few had even basic security measures in place.

"This belief that systems are already up and running can leave a company wide open to attacks from users determined to intercept and tamper with essential communications," he says.

Protek is tackling this lack of awareness by offering a security status analysis service. This forms part of the company's overall business package in the field of secure messaging.

One of the biggest problems facing the industry now, the year 2000 bug, could have been avoided if there had been a system of risk analysis in many UK organisations and their IT departments.

While it's too late to sell risk analysis technology to companies frightened witless by the spectre of the millennium meltdown, there are products and services that solve the problems and open the door to an ongoing risk analysis relationship between a Var and its clients.

One company that appears to have picked up on this is Reflex Magnetics, which is offering the channel access to a special seven-month Program Security Guard (PSG) licence.

The licence guarantees users against computer viruses compromising year 2000 compliance at the desktop. Reflex Magnetics claims that, as they enter the second half of 1999, a huge number of organisations will have addressed the year 2000 compliance issue and locked down server and desktop configurations until next year. But they face a significant stumbling block when it comes to maintaining compliance - their PC users.

While there are monitoring tools that enable network managers to keep close tabs on suspicious server activity, what happens at the desktop is virtually impossible to control without expense.

According to Phil Benge, sales and marketing director at Reflex Magnetics, even companies that have implemented a security policy will be hard pressed to stop users loading programs or exposing the network to the risk of viruses.

Benge says that PSG can be deployed centrally to every networked desktop PC running Windows NT, 9x or 3.11. The program enforces configuration lock-down by enabling users to protect any selected file type.

"PSG's generic approach is far more effective than conventional scanning and monitoring technology because it doesn't matter whether the threat is unknown. PSG detects the problem and stops it before any damage occurs.

"It also reduces the number of support calls from users, because the configuration of their PCs can no longer be altered," he says.

The special edition of Reflex PSG started shipping at the beginning of August at £5 per user - all licences expire on 31 January 2000.

Even after the end of the year 2000 problem, there will still be rich pickings for the many companies that provide risk analysis packages.

WWW.WRONGEMAILADDRESS.COM

Risk analysis is all about thinking through the many different consequences of installing a control mechanism.

This is particularly relevant to email systems, as proved by a recent survey by Content Technologies (CTL), the company that developed the Mimesweeper content security checking software.

The survey revealed that 61 per cent of UK business users admit to sending an email to the wrong person at some point in their career. In addition, 73 per cent say they would reply to an email from their director requesting confidential information, without checking the source. CTL claims that although this does not often have serious implications, the dangers of email usage are implicit.

CTL found that not everyone who made a mistake was so lucky. One employee had tried to forward a client's email to a colleague but replied to the client instead.

Chris Heslop, managing director of CTL, said the insult that the employee typed at the top of the email not only lost the company the client, but also cost the worker her job.

He says: "Most people don't mind if they are sent the wrong email, but if it comes from a business address, it can have some very serious consequences in terms of corporate credibility and integrity."

TIME IS RUNNING OUT

The issue most in need of risk analysis is the year 2000 problem.

According to Robin Guenier, executive director of Taskforce 2000, almost one third of the UK's top 1,000 companies are failing in their battle against the millennium bug. As a result, many of them will face the ultimate punishment - bankruptcy.

Guenier notes that many companies have put in place effective plans to fight the bug, but a significant minority cause concern.

A survey last month by Taskforce 2000 and law firm Dibb, Lupton & Alsop, found that there are serious concerns about the ability of a number of UK companies to complete their year 2000 preparations in time.

"About 50 per cent of companies are on track with their remedial efforts and 20 per cent will make it by cutting corners and radical planning. That leaves 30 per cent. They are in grave danger of not making it," says Guenier.

The survey also found that 24 per cent of companies did not try to tackle the issue until last year, although only 35 per cent have spent more than 80 per cent of their budgets.

"Only 43 per cent of companies have or almost have completed their internal compliance programmes across all systems, but 19 per cent have not even completed the initial inventory stage," adds Guenier.

If large organisations had applied risk analysis procedures to the year 2000 issue, then the problem would have been identified several years ago. Now it could be too little too late.