How to sell - The danger within

While most IT managers concentrate on protecting the network from outside viruses and hackers, the biggest threat most organisations face is often found just down the corridor.

The sheer scale of the security threat presented by employees should not be underestimated.

Either knowingly or unknowingly, employees represent the biggest threat to IT systems or data security, and businesses in the UK are not doing enough about the problem because of a mixture of ignorance, skills shortages and a lack of investment. This is a recipe for reseller intervention.

According to a joint survey conducted by consultant PwC and the Department of Trade and Industry (DTI) on behalf of Microsoft, Entrust and Computer Associates, the problem of security breaches is far from under control.

The DTI Information Security Breaches Survey 2004 found that 74 per cent of all businesses (94 per cent of large firms) have had a security incident in the past year.

Malicious incidents, such as viruses, unauthorised access, misuse of systems, fraud and theft, rose dramatically with 68 per cent of firms (91 per cent of large ones) suffering at least one such incident in the past year. This is a rise of 44 per cent compared with 2002.

It is a shocking statistic, especially when you consider that each serious incident costs on average £10,000 (or £120,000 for large companies) through disruption of business.

The underlying cause of this chaos has been blamed on employees for opening unsolicited email, browsing inappropriate web sites and downloading files from peer-to-peer (P2P) networks.

It is not just the DTI that has recognised this pattern either, as the figures are echoed by a number of other reports.

The National Hi-Tech Crime Unit (NHTCU) report from February, for example, followed a survey of 201 large and medium-sized companies, 83 per cent of which said they had experienced some form of high-tech crime last year, such as virus attacks, fraud and criminal use of the internet by employees, costing them more than £195m.

Despite this, only 77 per cent of the companies surveyed carried out regular security audits and only 31 per cent had crisis management teams. Interestingly, the NHTCU noted that although virus reports were high, it is laptop theft that is a greater cost burden to businesses.

Clearswift's annual Spam Monitor poll suggested the lack of knowledge among employees is worsening the spam problem. The need to educate employees on spam and security issues has, the poll says, never been greater, as 22 per cent surveyed said they knew of employees who had responded to spam offers.

While most employees don't report spam to the IT department, more than a third of businesses don't have spam policies in place anyway.

Fifty-seven per cent of respondents said their companies' spam policies were either not communicated, or they didn't know if their firms even had any.

So the picture is a gloomy one, and it is no surprise there is a widespread call from security companies and analysts for security to be taken more seriously at boardroom level.

As file sharing and instant messaging (IM) increase, this desire for top-level action is becoming more acute. The belief is that no one has really grasped the enormity of the problem - and this is the channel's big chance.

"There is a great opportunity for resellers," says Dave Ellis, director of e-security at distributor Unipalm.

"Smart resellers are offering businesses a health check and offering customers reports and analysis on current security breaches.

"It's a 'try before you buy' approach, and if it proves to be successful the businesses are more than likely to buy the products and either manage them themselves or outsource the upkeep."

The suggestion that resellers should look to offer health checks and provide managed security services is an increasingly common one. Products from companies such as BlueCoat and Check Point enable resellers to 'sit' on the customer's network and monitor unscrupulous traffic.

Ubizen, which partners with both these companies and a host of others, is a managed security services provider and has made a whole business out of providing services to under-skilled corporations.

The key for resellers is to identify the potential market and pull together the necessary resources to service it on an ongoing basis.

"A key opportunity for resellers is in providing managed services," says Manny Pinon, sales and marketing director at Norwood Adam. "But there are still some big challenges. Keeping pace with a market that is evolving constantly is not easy, and few resellers have managed this successfully so far."

Norwood Adam has its own managed service, called Prism, that its resellers sell onto their customers. It is aimed at SMEs and consists of anti-virus protection, a firewall for content and URL filtering and 24-hour support.

Companies pay a monthly subscription of £95. But how do resellers keep up to speed with the constant external and internal threats?

This is a tricky one. Pinon believes resellers need to invest time and effort here so that any policies that have been implemented are not too static. Companies such as Ubizen have a dedicated team of experts that monitor the market, and new external threats in particular.

The key here for resellers is focus. Targeting local SMEs, for example, should be about stopping staff from increasing the risk of virus infection by regulating web browsing, spam filtering and non-work-related file sharing.

One of the best ways for resellers to organise their customers is by implementing and managing a security policy. There is a standard (ISO17799) that can help in the formulation of a policy, but it is important to also provide a little common sense.

Businesses should be thinking not just about data security but also about physical security.

According to Peter Goodenough, UK managing director of security supplier HI SEC International, the statistics from the NHTCU show that the security problem is not just about high-profile cases of worm and virus intrusion.

Physical security such as laptop theft also has to be taken extremely seriously, especially as the cost implications can be greater.

"Physical breaches targeting IT are more directed and, in the long term, more damaging to a business," says Goodenough. "This is the true danger of rogue employees. The NHTCU's recent figures show an alarming occurrence of hardware theft."

This threat also raises the issue of being compromised by sensitive data falling into the wrong hands. According to insurance company Complete Computer Cover, about 67,000 notebooks are lost or stolen every year in the UK.

This should, in theory at least, force companies to look at using technology to 'tie-down' the laptop to the business.

One of the most obvious ways of doing this is through smart card technology.

IBM's Embedded Security System, for example, embeds an authentication system into the notebook.

Combined with VPN technology, this gives users secure, high-speed connections when accessing corporate LANs via the internet, without the need to carry around separate, expensive key fob devices for authentication.

The sub-system also adds support for strong user authentication using pass phrases, fingerprints and proximity badges, protecting access to the system and securing confidential information.

"Single static passwords can also be a problem when employees leave a company," says Ian Kilpatrick, chairman of Wick Hill Group. "What can happen is that the employee's password and access rights are not deleted immediately and that employee may still access the system as long as they have the password.

"If you have a disgruntled employee, there's the potential for them to do damage. The way around this is to use strong two-factor authentication with a token. You just make it an automatic part of the leaving process that you take the employee's token before they leave.

"That way, they cannot access the system once they are no longer employed by the company."

While these solutions may seem a little obvious to people working in the IT industry, and in the security sector in particular, the rest of the business world is, not surprisingly, lagging behind. End-user education on security issues is still a major concern.

While awareness of the risks of viruses is now quite high among businesses, the mediums through which viruses spread, for example, are not so well understood.

There is also the increasing problem of spyware that tends to affect firms through more recent applications such as P2P networks and IM. According to employee internet management specialist WebSense, 92 per cent of organisations with at least 100 employees have been contaminated with spyware.

Getting businesses to understand these issues and then opening up their budgets to do something about it is not that easy. It is often a case of closing the door after the horse has bolted.

The problem is trying to marry the demands of communications with the potential risks to security, as well as the loss of staff productivity from applications such as the internet, email and, more recently, IM.

The latter is seen as a useful business tool, given its immediacy and collaborative working capabilities. File sharing and whiteboard applications are proving popular, but if they are not managed properly they have the potential for disaster.

According to research commissioned by Hitachi Data Systems for its Storage Index survey, IM is a growing problem. Of the 690 IT directors polled, 80 per cent admitted to not monitoring IM, and of the 22 per cent of companies that did monitor IM, only nine per cent archived the material.

The findings show that it is possible for employees to disseminate sensitive business information without their company's knowledge. And even in those instances where IM is being monitored, with so few companies archiving material the production of an audit trail to support litigation would be impossible.

Denying staff access to a legitimate communications tool may not be the answer either, so companies may be better off turning to IM and P2P monitoring tools from companies such as FaceTime Communications.

P2P problems are similar to those connected to IM. Martino Corbelli, director of marketing at web and email filtering vendor SurfControl, says the risks posed by P2P file sharing are still not part of the corporate psyche.

"We urge resellers to use the consultative sales process to raise awareness of the threats file sharing creates by auditing how the prospect's or customer's online resources can be abused.

"P2P file sharing is going to be big in 2004 and our advice to resellers is to stay ahead of the curve and identify the risks before they become incidents," he says.

With employers held vicariously liable for the illegal file sharing actions of their employees, Corbelli believes that all resellers can demonstrate an important value-add when dealing with prospects and existing customers.

"Resellers focused on any vertical sector with a concern for their customer's security have the perfect opportunity to demonstrate their credentials by helping businesses devise an acceptable use policy to deal with P2P file sharing at work.

"We've been here before, with the use of web and email in the workplace. Resellers can play an intrinsic role in assisting UK businesses to tighten up company policies and minimise this latest threat by deploying the appropriate filtering technology," Corbelli says.

And what about the remote worker? Analyst Datamonitor predicts that between 2002 and 2005 the number of home workers in the UK will have increased by 26 per cent to 8.2 million. That adds another facet to the already growing security problem.

Businesses need to have a plan that is both forward-thinking and all-encompassing, and they need a reseller to help implement and manage that plan. It needs to cover not just existing employees and current business practices but should look forward to potential increases in business mobility.

So who takes responsibility for a security plan? There has to be a degree of cooperation between IT and human resources departments. This is perhaps why security policies have traditionally been difficult to administer.

Cooperation between departments, especially when a budget is involved, is not easy at the best of times and suggests there is a need for a well-informed and independent go-between - again it's the security reseller.

Simon Hill, director of UK distribution at Azlan, says: "Resellers need a good understanding of security to offer such advice. We advise them to make full use of the resource and support available to them from distributors and vendors.

"We can offer extensive training in security and have a team of experts in place, ready to help them deal with complex issues."

Roger Hockaday, director of marketing at vendor Packeteer, believes that whether it is the attachment from IM that introduces the virus, the laptop that was taken home and used by the children, or the next version of file sharing that circumvents the perimeter security, the security implementation must be dynamic.

"When the virus, Trojan or worm strikes, the key is to maintain the operation of the key applications and not allow work to be disrupted. SoBig and SQLSlammer all appeared within the network, and did their damage by stealing bandwidth from the key business applications.

"To identify the traffic created by a security breach it is first necessary to identify and classify all the applications on the network to set a baseline.

"As new applications appear on the network they can be classified as valid, unknown or, sometimes, immediately as a known threat and then contained automatically," he says.

The range of tools on offer to help resellers identify, control and manage security risks is immense. The key is education, both of reseller staff and the customer's.

From here resellers can offer health check services, monitoring traffic and ensuring a level of security that fits the requirement of the business. Given the increasing demand for IM and mobility, the opportunities for resellers could run for a while.

Security issues are not going away, and as long as company employees are allowed to misuse company networks and resources, the problem will continue to grow.

CONTACTS

Azlan www.azlan.co.uk

BlueCoat www.bluecoat.com

Check Point www.checkpoint.com

Clearswift www.clearswift.com

FaceTime www.facetime.com

HI SEC www.hisec.com

Hitachi Data Systems www.hds.co.uk

Norwood Adam www.norwood-adam.com

Packeteer www.packeteer.com

SurfControl www.surfcontrol.com

Ubizen www.ubizen.com

Unipalm www.unipalm.co.uk

WebSense www.websense.com

Wick Hill www.wickhill.co.uk