Final Words | IT Security: Risking the Corporation

If you are an executive manager and you expect your intranet to be secure without proof, you may be in for a surprise. Threats against enterprises continue to rise, requiring higher and higher levels of security on intranets.

In the early 1990s, we approached a new crossroads in computer security. A few years back, many companies took the low road (little to no security protection) because the risks were fewer and the consequences less devastating. That situation exists no longer. Today, the threat to data on intranets is higher than ever. If your intranet is already at risk from out-of-the-box installation, inadequate security funding, and poor corporate communication, you need to get in gear now.

As this case clearly demonstrates, having poor communications in and of itself is a major security risk. Most of the actual security violations in this case study were pretty basic simple passwords, out-of-the-box installations, and so on. In this phase of the computer revolution, no self-respecting network should suffer from symptoms so simple, especially when most could have been fixed fairly easily with better communications.

Unlike armed robbery, computer crime doesn't always seem like the major problem that it is. Often hidden by the victim to prevent further damage (to stock values, reputations, and so on), computer crimes are growing at a phenomenal rate. At the National Infrastructure Protection Center, an FBI section that works with government offices as well as private companies, the number of active computer crime cases has doubled every year since 1998. The cumulative cost of those cases has risen accordingly. A survey given by Information Week and Price Waterhouse Coopers in mid-2000 estimated the cost of just computer virus damage for that year at $1.6 trillion. As the FBI's Leslie Wiser noted in his address to Congress on cybersecurity in August 2001, "That figure is larger than the gross domestic product of all but a handful of nations."

The CIO of any company should be kept abreast of serious security risks on the corporate network, including successful break-ins. I'm sure your CIO would rather hear about break-ins from line-level management than from CNN Headline News. If you don't have a clear communication path to the top, create one.