Companies Poorly Equipped to Fight Cyber-Attacks

"IT Security 2003" study
"IT Security 2003" study

Basic data defense mechanisms remain the norm, as is shown by the “IT Security 2003” study produced by InformationWeek in conjunction with Mummert Consulting. Around 86 percent of German companies and 79 percent of American companies use antivirus software. 80 percent of companies in both countries additionally protect their networks using firewalls. More than half of the IT managers surveyed state that they safeguard data using automatic backups. 70 percent of German firms apply updates regularly to make sure their security programs are up-to-date. In the USA this figure is 35 percent. Many companies believe themselves sufficiently protected as long as they have the latest software.

Virus scanners alone are usually powerless

Companies are set to continue employing a strategy of basic protection. Only 40 percent of American companies earmarked more funds for IT security in 2003 than in the previous year. In Germany this applied to just 24 percent of companies. This is a perilous stance in a world where rapid technological development spawns ever more cyber-threats. IT experts believe that even constantly updated classic virus scanners are increasingly powerless in the face of new species of computer virus. Only the addition of a personal firewall for every individual terminal used in conjunction with an Intrusion Detection System (IDS) – a kind of virtual alarm device – can repel the majority of attacks.
Such systems are however extremely personnel-intensive, since they generate a plethora of data. In IT departments with stretched personal resources they can even do more harm than good. In the USA 43 percent of companies do nonetheless use IDS, and a good third have personal or user firewalls. In Germany the figure for IDS is 24 percent, for personal firewalls 29 percent.
Since new security loopholes are emerging all the time, regular risk assessments are essential. Firms should also review their current security guidelines. This is however done by only 34 percent of German and 36 percent of American companies. According to Mummert Consulting and InformationWeek around a tenth of companies on both sides of the Atlantic have not yet established any security guidelines. Almost half of those surveyed do not even know whether or not they have been the victim of a cyber-attack.

New threats on the advance

The importance of being properly equipped to deal with security violations can be seen in an analysis of last summer. From July to September 2003 alone 823 new cyber-threats appeared – 26 percent more than in the same period the previous year. Almost half of all attacks on German and American company networks can be put down to viruses, worms and trojan horses. New applications such as music exchange sites and electronic messaging systems (instant messaging) leave the door wide open to ever more sophisticated web-parasites that leave traditional antivirus programs at the starting blocks.
Worms are an especially serious threat to companies’ IT security. In contrast to viruses, these multiply themselves independently through the network and can so doing cause vast amounts of damage. The “Blaster” Internet worm alone caused two million US Dollars worth of damage worldwide in 8 days. The increasing number of private Internet connections has also increased the danger of what are known as “script kiddies”. “Script kiddies” are for the most part youngsters who obtain hacker software from the Internet and arbitrarily unleash it without understanding the consequences.

Consequences of attacks
Consequences of attacks

In Germany almost 60 percent of companies have already been the victims of external attacks. Nine out of ten suffered financial loss as a result. In the USA the number of companies who lost more than 500,000 Dollars as a result of security breaches rose threefold from the previous year to six percent. 85 percent of viruses, worms and trojan horses begin their destructive work in the USA before spreading all over the world. External attacks paralyze whole applications or even networks more often in the USA than in Germany. In this country data storage is particularly prone to malicious attacks. Around twelve percent of security breaches lead to damage or loss of data. In the USA the corresponding statistic is approximately six percent.
Alongside external threats, a company’s own staff also represent a menace to IT security. They often cannot use applications properly and make avoidable mistakes. More than a third of those surveyed in both countries complain of staff’s lack of problem awareness and inadequate training. Plans are afoot to change this: 50 percent of companies in the USA and Germany want to do more basic and follow-on staff training in future.

IT security is a matter for managers

Security barriers
Security barriers

Yet on the whole not enough is being done about IT security. Most companies relax in the belief that they are adequately protected against cyber-attacks. This is also due to the fact that IT security in both countries is often only escalated to management level when attacks on IT systems lead to considerable damage. Data security is regarded as a technical problem and is therefore often delegated to the specialist department. While in both countries the CEO generally sets the IT budget – 62 percent surveyed in Germany and 49 percent surveyed in the USA confirmed this to be the case – it can hardly be said that there has been an interest for this subject up to now at management level.
In the USA and Germany it is IT departments who have primary responsibility for data security. However they very seldom have the necessary decision-making powers. Only twelve percent of the German and 21 percent of the American companies employ a Chief Information Officer. The figures for companies with Chief Security Officers are three and five percent. In most cases therefore there is no responsible decision-maker concentrating on regular risk assessments or security tests. Weakspots remain for the most part undiscovered and nobody knows whether chosen strategies are actually working.

Combining single measures

This is why measures taken to increase IT security often resemble uninformed action for action’s sake. The best protection can only be achieved by linking single security measures to a multilayered security network that keeps gateways, servers and client terminals from being attacked. Data security is after all still considered important: On a scale of one to ten those surveyed in both countries gave it an average score of 7.5. Let’s hope that this appraisal is soon translated into adequate preventative measures.

Roland Heintze