Global internet disasters such as the Blaster worm grab headlines, but your firm may be at greater risk from hackers skimming through your customer database or rivals gathering inside information from unguarded pages on your site. Mark Lobel, senior manager in security services practice at PricewaterhouseCoopers in New York City, says information security can't be enforced with simple technology fixes.
Where should companies begin to build information security?
Mark Lobel: First, implement physical security. Second, designate one person with responsibility for information security who will have time to focus on it. They should identify key business information and what security controls need to be put in place to secure it.
How can you set a budget for this?
Lobel: The silver bullet for security ROI is to link it to business objectives. For each business objective, there is a percentage of spending that should be dedicated to protecting that value. Each company is different, and it's hard to figure that percentage in an actuarial sense. But make some assumptions about what controls you put in place, and you can get to ROI.
So building a framework is more rigorous than simply buying firewalls or other tools?
Lobel: If you don't know your processes, you're throwing money away. In some sectors, everyone's buying an intrusion detection system. But some aren't seeing the value because they don't know why they're buying one; they just buy it because it's a hot technology.
As companies increasingly connect electronically with other firms, are security risks going up?
Lobel: Yes. As you set up these connections, a lot of the time you're setting up controls on intellectual property as well, but there isn't always a way to limit what your business partners see. The issues aren't just technical. Is there a legal agreement between the two organizations on what security controls will be in place? If you can't process transactions for three days because of the Blaster worm, and it came from a business partner, what's the legal liability?
Are most employees up to speed on security issues?
Lobel: They need to understand basic "hygiene" like not sharing passwords. Also, if your kid is loading files via Kazaa on your business laptop, do you understand all the risks for your company?
What new risks come with wireless networks?
Lobel: When I take a cab from Penn Station [on 33rd Street] to my office on 46th Street, I turn on Wi-Fi on my laptop and monitor wireless access. There are about 130 networks on that drive, and the majority have no encryption. If you have no encryption, it's like dumping the contents of your desk into a box and putting it out on the street.
So who is winning this war?
Lobel: It's a constant back-and-forth; a constant cycle of new vulnerabilities and new product controls. The risks are rising faster than the controls. Users must be trained to protect information resources, and our model for creating operating systems and applications must improve.
Eric Bender is a former executive editor of PC World magazine.