How important are security concerns for small to mid-sized businesses?
Loga: I’d like to answer your question with another question: How important to you is security in your car? Why do customers consider airbags when buying a car, but don’t think much about the security of data in their own business? The answer is simple: Most people still think in terms of the 90’s, when a computer system was expensive and worthwhile, but they don’t go any further. That the failure of such a system can have dramatic consequences has become more than obvious by now. And that the consequences are multiplied if a company’s data is lost in the process should be just as apparent to anyone.
What are the most important concerns right now in the area of IT security for small to mid-sized businesses?
Loga: What’s essential now is a redundant backup system to protect a company in case of a hardware failure and total loss of corporate data. What I also consider a basic necessity is a classic virus scanner; any system without one is just an accident waiting to happen.
Doing it right means asking a whole range of relevant questions. How can I protect my data from being accessed, manipulated, or deleted? After all, the objective of every virus is exactly that, and every Trojan horse attempts to circumvent exactly these protective measures. But indirect protection is also important, for example protection against intercepted e-mails. Disgruntled employees are a security concern as well.
All this really boils down to just one question: How to ensure continuous business operations and secure revenues at an affordable cost? IT security has been and continues to be the guarantee of a stable business. So, how can I recognize a risk to my business quickly and with certainty? How can I keep my know-how current? When and what type of countermeasures does my business need to take?
To what extent do different conditions or variations in legislation across international boundaries play a role in this regard?
Loga: Different laws require different actions – business people are used to this, of course. What they’re unfamiliar with is the legal uncertainty outside of the EU. Here [in Germany], we have clear legislation in this regard. Other countries have a long way to go.
An example: Data security and privacy in the case of data transmission to the U.S. Despite its status as a “safe harbor”, the U.S. is still formally regarded in EU legislation as an “insecure third country with regard to data protection and privacy legislation.” The transmission of personal data is permitted only through specific framework contracts, if at all. However, companies could be added voluntarily to the “safe-harbor list,” or enter into an individual data protection and privacy contract with EU business partners (“code of conduct”).
Do the most important issues being considered match up with the most glaring security holes?
Loga: When discussing security holes, people always think first of viruses, worms, and Trojan horses. The right software can establish reasonable protection against these threats. But without the right accompanying measures within the organization – such as employee training, contingency plans, and checklists for employees – what happens is exactly what we’ve seen in recent weeks. Worms are nonetheless unleashed on PCs, and security is lost.
When you look at it in this way, there’s no direct, causal relationship between an important concern and the most significant security holes. Only the provision of basic protection can somewhat lessen the danger of glaring security holes. As part of such basic protection, I include the introduction of routine checks, employee education, and standardized protection against viruses, worms, and Trojan horses. Regular updating of internal company operating systems with the latest patches must also occur.
What currently poses the greatest danger to IT security? Why are increasingly camouflaged Trojan horses an ever-increasing danger?
Loga: In my subjective opinion, the greatest danger is the trend of opening ports on PCs, and then later transmitting sensitive data, such as passwords for online banking, through the ports. The Computer Consultant Association technical group also finds it bizarre that industry publications encourage data manipulation as a sport. “10 Ways to Spy on Your Own Network” was a cover story that recently hit the newsstands. This would be the same as the newspaper “Auto, Motor and Sport” leading with the headline “How to Fudge Your Odometer Reading the Right Way” – unthinkable.
The attempts by Trojan horse programs to access PC data are a logical consequence of the successful hacking activities to date. What should keep such programmers from continuing their criminal activities? The likelihood of data being spied upon and manipulated will continue to increase. Then it’s just a matter of time before protective measures render the Internet slower, more cumbersome, and far less creative than it is today. For businesses, in turn, it then becomes too great a risk to move freely on the Internet. Even today, we can see companies restricting the online resources that many of their employees had previously been allowed to use.
What proportion of IT security does an individual person provide, and how much does software contribute?
Loga: You’re rightly touching on a major problem, but it’s one that can be found everywhere. While software is very good at intercepting routine functions, a person – as a creative agent – carries far more responsibility. In other words: People are the greatest security risk – which surprises no one.
Of course, it might seem amazing that even at present, computer viruses are still triggered by users. By now, everyone should have learned that it’s dangerous to simply run unknown files from e-mail clients. Clearly, this is not the case. Which is why we ask the question – and shockingly enough, it’s not meant rhetorically: Who teaches a company’s employees about IT security?
From your perspective, where will the significant security problems be found in the future? Are people coming up with any approaches or ideas for solutions?
Loga: The most frightening scenarios won’t catch up with us for another eight to ten years, but then they’ll hit us full force. What I mean is the problem that most often, no efforts are made towards long-term archiving. Sure, it’s wonderful that we have data storage media that preserve data for ten years or longer. But in ten years, will we still have the devices that can read this data? Will operating systems still exist that can recognize and write to a 3.5” floppy drive? What do we do with the old 5.25” floppies? Ten years from now, will we still have programs that can read an old WordStar format from 1983?
Security doesn’t just mean keeping data safe in case of problems. Security also means that the data is sensibly archived and accessible. In today’s newspaper archives, you can still find newspapers from two centuries ago — the data is stored in a secure medium. We fear that our great-grandchildren will find only a minimal amount of data from us, because by then people will have long since forgotten what a DVD is.
In the meantime, we already have solutions for this problem now. Businesses with an international reach provide these services. But in addition to the technical formulation of the task, this too has a human aspect: Thus far, who has thought about doing anything about it?
In terms of security, what types of legislation and training are needed? What would you want to communicate most urgently to (international) lawmakers?
Loga: If the [German] Federal Data Protection Act [BDSG — Bundesdatenschutzgesetz] and the concepts of the [German] Federal Agency for Security in Information Technology [BSI — Bundesamt für Sicherheit in der Informationstechnik] were consistently implemented, IT security in Germany would definitely improve. But many businesses don’t take these concepts and this legislation seriously. A great example is how rarely GNUPP, freely available email encryption software, is being used in the course of everyday work.
Pressure cannot be exerted through laws; it must be created by economic action. Then businesses will also be willing to expend funds for it. The mandatory recording required by Basel II, for example, is already a step in the right direction. In the future, business continuity must be a criterion that characterizes a modern IT security concept within a company.
An example: Often, a company’s 400 to 500 computer users are supported by only two to three computer specialists. What happens when these two employees meet with an accident on a company outing? Does the business close its doors? This type of dependency should be avoided.
Internationally, we need to make unpopular demands of our lawmakers regarding IT security: The introduction of document formats for long-term archiving is one consideration.
How would you rate security standards in an international comparison? Is there too much security in Germany, and too little elsewhere?
Loga: There’s certainly not too much. Often, we observe that businesses don’t even begin to implement the security standards, because they haven’t been informed about them. Many business managers would be open to applying the security standards, if they only knew about them. Key factors are often semi-professional IT specialists who, due to a lack of knowledge, fail to inform their own clients about security risks. Experiences at U.S. companies show us that although the security standards required there are not as extensive as ours, IT managers and business managers invest more in security measures on their own.