Migrating your physical business to the Web is a great idea, but what happens when a smart hacking cookie decides to have some fun by bringing your e-business to a halt?
A study by consulting firm Deloitte Tohmatsu Touche shows that while most company executives around the world are satisfied with their organisation's e-commerce security measures, that confidence is not matched by their IT managers.
"Education of top-level managers and executives is crucial," said Rod Bass, managing director of Perth-based security reseller NetSupply. "Many organisations still believe that network security is an IT problem and fail to understand it is a crucial business problem that requires the understanding and support of all levels of a business. Once the business significance of the issues is understood, more executives will make it a mainstream company objective."
Peter Sandilands, regional manager Australia and New Zealand for Internet security company Check Point Software, argues that unless network security is treated as a business problem, human nature will invariably defeat any technological solution.
"The technology attacks a particular problem, but there are always ways around them - you can copy a file to floppy, write your password down, or leave the door unlocked," Sandilands said. "It doesn't matter how good the technology is, it can always be defeated by people. The key is to imbue the importance of security to staff so they see it not as an imposition, but as a normal part of doing business."
Andrew Peters, a group product manager from Cisco, agreed: "A firewall is like a steel door on a grass hut. People have passwords written on yellow post-it notes and hidden under staplers."
The rise of virtual private networks (VPNs) carrying encrypted messages on public infrastructure has brought the cost of networking down but also increased the vulnerability of attack.
"The biggest trend at the moment is switching from private infrastructure to virtual private networks (VPN) using public infrastructure to communicate between offices, suppliers, clients and travelling staff," Sandilands said. "The second biggest trend is the growing awareness of threats in the security area."
With Y2K budgets freed up, network security is set to become a priority investment for businesses investing in e-commerce and a huge opportunity for resellers to make both initial and follow-up sales.
"Most people are saying that with Y2K over, security is the next real issue," said John Meddows, chief operating officer of Triton Secure, a security software distributor.
Check Point's Sandilands said the market potentially included every business with a network or Internet access.
"It's an enormous opportunity for resellers. Our company has sold over 110,000 licences, and that's probably 30-40 per cent of the current market. Compared to the number of networks and sites with Internet access, we've only just begun to scratch the surface. For the reseller, it's an enormous area of potential, firstly selling solutions, and secondlymanagement, updating and monitoring of thosesolutions."
The early adopters of high-end network security systems have been large corporations, particularly in banking and finance, and government agencies, but SMEs are also a potentially lucrative market.
"The market will follow the standard market curve with early adopters and late arrivals. At the moment it's early in the curve. Banks, insurance companies and government agencies have been the first to come on board, but now [the market is] broadening."
Sandilands continued: "The market ultimately is anyone who needs to communicate. SMEs communicate and connect to the Internet and they have the same risks as larger firms. They might not do finance, but they have sensitive information like sales records and employee lists. A competitor could stop you printing invoices just by trashing your printer."
NetSupply's Bass added that security is important to ensure a business has access to reliable information.
"It is extremely important that a business can rely upon the integrity of the data, as it is the value of its information that, in many cases, determines the competitiveness of the business," Bass said. "It's equally essential that a business has access to that data. In many cases, should a network crash or a server be unavailable, this would result in significant losses to an organisation."
Bass said many SMEs are starting to implement network security measures to protect themselves from both deliberate attacks and benign accidental events.
"This trend will continue as the Internet pervades this level of commerce," Bass said. "Organisations realise that along with the benefits of Internet-based commerce there are also perils. They are taking the opportunity to review the security measures of the entire network, including policies, in order to implement up-to-date ways of doing business."
Bass said the traditionally conservative SME market had been slower than larger enterprises to embrace network security, but they were starting to see the benefits of having network solutions in data availability and desktop management alone.
"Without a doubt, the main market emerging for us is the medium-sized enterprise. This market segment is after cost-effective IT solutions that enable them to quickly respond to their customers' needs. Traditional forms of networking and desktop management are just too cumbersome and expensive to maintain for this class of organisation."
Effective security measures include a combination of authentication technology to verify a person'sidentity, authorisation policy to ascertain what that person is allowed to do, and data encryption to protect information from outsiders.
"For authentication, you need something you know, like a password, something you have, like a security token and something you are, like a finger, retinal or voice scan," explained Sandilands. "Ideally, you'd have all three. It depends on your level of paranoia. You have to allow for coercion - just watch Mission Impossible!"
Biometric technology replaces the password for accessing the network with a biometric controller such as a fingerprint, iris, or voice scan.
Triton Secure sells biometric security software, but Meddows is quick to quell any privacy concerns: "It's not the fingerprint that's stored but a highly encrypted code. Even if you break the code, it could not be reconstructed into a fingerprint."
Meddows said that biometric technology is not new, but only recently reached the desktop at a reasonable price.
"Biometrics has been around some time. We've had fingerprint technology for 10 years, but it's only six to12 months old on the desktop. It's only now that it's reached an affordable price. Twelve months ago it was $2500 per user, now it's under $500. From the reseller point of view, it's a value-added solution they can sell to their existing customer base. It's differentiation between their offerings and the competition. It gives you a real edge over people without biometric solutions. It's a new business opportunity to grow business within an existing account."
Bass from NetSupply said the acceptance of biometrics would go up, as the price went down, and the use of biometric keyboards and retina scans will eventually become mainstream authentication devices.
Chris Blask, a group product manager from Cisco, predicted biometrics would overcome anynegative public perception with privacy concerns.
"I thought biometrics would have been built into laptops by now," Blask said. "It's a social hesitation rather than a technology problem. It's public perception but it will be overcome, because everybody has 100 passwords and can't remember all of them.
Meddows said more than 60 per cent of network fraud is internal, with staff accessing information they are not authorised to.
"It takes away the weakest link in the chain by guaranteeing identity. The advantage from enhanced security is a significant reduction in fraud," Meddows said.
Check Point's Sandilands acknowledges thatbiometric technology is an effective way to verify identity, but it needs to be backed by an authorisation policy.
"Biometric technology is a piece of technology approaching one piece of the problem," Sandilands explained. "Its single role is authentication, which is part of the puzzle - the 'who am I?' You then need to ask 'what can I do?' "The rise in VPNs to communicate between offices around the world means that data encryption and firewalls to block the network from the Internet are essential.
Cisco's Blask said that firewalling, intrusion detection and encryption are now mature technologies. "People are coming to expect them as part of the purchase, like seatbelts and airbags in a car. The security industry will continue to grow but those three things are reaching ubiquity."
Blask said the next obvious stage is to continue to protect and encrypt data inside the network as well as outside, using an intelligent self-defending network (ISDN).
"An ISDN can sense when a user is not behaving in a standard way. The user assumes the identity of a valid user with access to the database but the network can sense it being used inappropriately, so it automatically cuts them off.
"The goal is to get to the point where you can lead a black hat (malicious) hacker into the building, sit him down, log in, and walk away."
Features of a secure network include sound security policies, built in redundancy to servers and data protection devices such as firewalls, but Cisco's Peters argues these need to be included as an integral part of the design.
"In the past you'd build the network and the security would be added as an afterthought," Peters said. "Just as in California, were earthquake protection is part of the design, with networks, security needs to be part of the design. The cost of a break-in is about $US1 million. It's a far lower cost to build a secure network."