IT support staff get the complaints all the time. The company's security systems are either not working well enough - each morning your inbox is stuffed with spam - or the programs are too effective and vital emails never arrive because they contain one slightly suspicious word.
As well as being a potential frustration for staff, IT security is a budgetary headache for management. It opens up a financial black hole seemingly capable of sucking down as much money as the company cares to throw into it.
Eric Sorenson, Secure Computing's Australian-based senior sales engineer and a ten-year veteran of the IT security business, says he regularly encounters cynicism over the type of products security companies sell.
"What I hear more often than not is frustration," Sorenson says.
"Companies have gone out and spent money on their firewalls and their intrusion detection systems and yet they're still having to deal with a lot of hassles - viruses, worms and things. They're struggling to figure out what value they're getting out of their spending on security."
Some aspects of IT security are easier to sell than others. Spam filters, for example, are a no-brainer for business because chasing down spam takes up so much of people's time, Sorenson says. "But the days of profligate spending are over and everything has to be brought back to 'how is this benefiting our business?' which on the [email] messaging side is pretty easy because of productivity, et cetera. But in terms of some of the more esoteric stuff like intrusion prevention and detection, I'm finding it's a bit of a tough road to hoe."
So how are security software companies overcoming this reluctance and continuing to sell their wares to businesses?
"What we're trying to do is bring a lot of those [security] functions together so that the higher-ups in an organisation - the executive team - can actually see what the devices are doing," says Sorenson.
"We provide them with integrated reports to say these are how many messages with viruses you've been blocking, this is how many spam messages you've been blocking."
On top of that results-focused approach, it has to be said that the security industry loves shocking new tales of woe it can share and scare people with.
On one of his regular visits to New Zealand last month, Sorenson came armed with news of the latest scam to hit electronic banking. "Vishing" is a cunning new variant on "phishing" - the dark art of sending spam emails that ask bank customers to visit a phoney website where they are instructed to "confirm" their account number and password.
The vishing version is a voice-over-internet (VoIP) variant, where the victims receive an automated phone message asking them to call a certain number and leave their bank account details.
"There are very few countermeasures against it apart from consumer awareness," says Sorenson.
"Just the same as we've been trying to convince people not to respond to these emails that you get asking you for your banking information, now we're having to teach people not to respond to the phone calls they might get."
He admits that while vishing is not an issue that Secure Computing has the products to combat, it makes for a good IT security ice-breaker.
"For us it's an opportunity to highlight the current insecurity of a lot of the online banking. Whether it's on the web or via telephone there's no real way to know who a person really is and if you're just relying on things like PINs and credit card numbers and dates of birth that doesn't give a lot of security."
What companies like Secure Computing do offer is "strong authentication" systems - tokens or "bingo cards" physically kept by account holders containing a piece of information that needs to be entered before they can access their accounts.
"We're just bringing it [vishing] up as another reason why you need to have strong authentication in your e-banking environment," Sorenson says.
"The real challenge right now for companies such as us is that all the banks and financial institutions know how to do this. They, in fact, often have the technology in place to do this, they're just choosing not to."
He says the reason is that banks are still losing more money through internal staff fraud than through online fraud, even though online fraud is a growing problem.
"Online fraud is increasing but it still hasn't reached the level where their risk managers are saying, hey, as a business we need to address this. They feel that they're covered in that regard and it's not that big a problem yet. It's more of a public relations problem."
How to beef up IT security