Firewall issue a burning question

By ADAM GIFFORD

Computer Associates New Zealand managing director Richard Collins says it is only a matter of time before companies are financially damaged by viruses or malicious software,

"People have gone out and bought their anti-virus products and their firewalls, but there's been no thought put in to how secure they are - they look for a product as a solution."

Mr Collins said malicious intent on the internet was an industry.

"Management has to understand it's not just some IT nerd sitting in a corner hacking away and doing damage. They exist, but also there is an industry and people are profiteering from hacking into systems and stealing information."

He said the sophistication of hacking and virus-writing tools was high, but the sophistication needed to use the tools had diminished. Not only had the number of virus attacks increased sharply over the past year, the viruses were becoming more destructive.

"The issue is what protective coating you put around your organisation and the organisations you deal with."

Many organisations believed they were secure because they had done security audits, "but those are traditional process audits where they check boxes.

"Without an automated audit you can't check the security of your own network or the network of business partners or customers. You don't know how effective your software is.

"You don't know if the intrusion is coming through the front door or the back door and what to do to fix it."

Mr Collins said no thought was put into internal security. "A lot of email users aren't educated, so they pass on viruses because they don't know better."

Many companies did not realise 70 per cent of attacks came from within the enterprise.

Mohammed Siam, a Melbourne-based business development specialist, for Computer Associates, said e-commerce security was usually done with what was left over in the budget. "It's seen as a cost - there is no revenue attached to putting an insurance policy in place."

He said security should not be treated as a cost management exercise. "You must think about your security as a means of facilitating income-generation. That mindset is important.

"There is a close correlation between the integrity and security of your website and your capacity to generate revenue from it."

A hacked site could destroy the branding and trust companies may have spent years and thousands or millions of dollars building up.

Mr Siam said that apart from appropriate technology, a worthwhile security policy would include change management.