While businesses have invested in technologies such as firewalls, intrusion detection, and now intrusion prevention, we are all too familiar with FUD (Fear, Uncertainty, and Doubt). How many presentations have you attended in the last six months where a security service provider discusses “Code Red”, “Nimda” or “Slammer”? The most recent of these is now two years old. So why are we still discussing them? One word, “fear”.
Fear of what exactly? Some might respond with, “Distributed Denial of Service (DDoS) attacks, identity theft, or the theft of intellectual property”. All of these occur. What are the odds of one happening to your company? Better than 60% of all US businesses face civil litigation at least once in the course of their operation. According to the FBI, approximately 85% of businesses surveyed in the United States last year reported a financial loss attributed to computer/cyber attacks. While decision makers’ core focus revolves around the types of attacks and whether they originated from the outside or from within, perhaps you should turn your focus to the ramifications after the attack rather than the attack itself.
It seems almost daily that a news report highlights some form of security breach. This barrage of reports feeds the FUD factor. So, is the FUD factor justified? To an extent, yes. However, is our focus in the correct area? No! If you take vendor bias out of the equation, the one common denominator in preventing potentially negligent action is understanding that “what” you do is more important than “how much” you spend. Obviously a cost is associated with security. Since security usually falls under the scope of risk management, the transference or acceptance of risk is more commonly understood than the ramifications of these same risks acting as the catalyst for civil litigation.
A common complaint from middle-level management is a lack of buy-in from upper-level managers. Even with the FUD factor in play, many maintain that, since court cases are not plastered all over FOX or CNN, lawsuits in this area do not take place and therefore the actual risk is more qualified than quantified. Any experienced attorney will concur that non-disclosure is commonly among the terms of settling a lawsuit. This protocol is what keeps a lawsuit out of the public eye, not a lack of occurrences.
President Bush has set forth an initiative for tort reform. Just recently in Georgia, claims against medical physicians were limited to a maximum of $350,000 per claim, where before claims in the millions were very common. Even with tort reform in place, civil lawsuits will continue to take place. Are you ready for court? Is your CEO or President? Think so? In the wake of the incidents at Enron and Tyco, it should come as no surprise to business executives that security and networking personnel have a duty to document transgressions that can lead to a breach or fraud. If your networking manager provides the CIO or CEO with information to support the need for enhanced security and it is denied, it should be incumbent on this same individual to say, “I understand. I need you to sign here acknowledging that you were advised on this issue and declined my recommendations.”