Security Gets a Higher Profile. (Tech Topics)
If you think the banking industry was vigilant about online security breaches before Sept. 11, you can bet that, since then, interest in locking down gateways is hitting a new peak. "Businesses are more focused on all security matters," says Charlie Young, director, U.S. network solutions at Unisys, Bluebell, Pa. "Disaster recovery may be the immediate concern, but protection of their online assets is right up there; bankers are asking more questions about their security configuration."
It's no wonder. In Young's circle alone, eight clients of the company's network monitoring outsource service experienced an attempted breach by the recent Code Red attack, a denial of service-style virus launched in late August. Only a swift rewrite of firewall rules saved the banks from temporary performance glitches.
Frank Robb, executive vice-president, manager of information services at Wachovia Bank, Winston-Salem, N.C., was also concerned about Code Red and another high-profile virus that arrived soon after, called Nimda. Although his organization didn't experience any attacks on its firewalls, Robb knows from years in the business that these sorts of attacks are bad for reputation and bear high direct costs, too. "Over the next few years, security will get an even higher profile. If hackers get more active, and the industry wants to move forward with e-commerce initiatives or place mortgage processing online, we will have to feel impervious," he says.
Not that the industry didn't earn decent marks from many security experts prior to the eventful late-summer-into-fall season. "Banks on the whole have always paid more attention to security than many other businesses--they have to," says Richard Dobrow, president of Guarded Networks, a security vendor and consulting firm in Cooper City, Fla. "Still, there is room for improvement as new types of hacks and intrusions crop up. It's an ongoing process of revision," says Dobrow.
He, too, had banking clients that were adversely affected by Code Red. "These sorts of attacks have a total event cost--the tech personnel hours it takes to fix the problem and the direct costs of shutdown," Dobrow says. "It isn't insignificant." Now, his clients are doing control and getting "inoculated" by applying patches--fixes to holes in code that get exploited by viruses or hacks. Dobrow agrees that the general climate of heightened security concern makes security technology a talking point at meetings and, for now anyway, a top priority on many action plans.
Andy Evans, senior security engineer at Ecora, a security vendor and consulting firm in Portsmouth, N.H., has this to say about security: "Its importance was always acknowledged," says Evans, "yet, before you might see a bit of fall down on some forms of implementation beyond firewalls, which were always fairly well attended. Intentions were good, but information technology people tend to be spread thin."
Rebecca Herald, former security analyst and consultant with Netigy.com, was quoted in a recently published security report saying that many companies turn security responsibilities over to staffs who may not be qualified or do not have the appropriate background.
Kristin Valente, national leader of innovative assurance issues for Ernst & Young, Cap Gemini, New York, concurs that, even today in the tight economy, the competition for IT talent is fierce, and could negatively impact how security is implemented or administered. Valente and her group do security audits of companies, developing action plans and assessment strategies. "We want to look at security, continuity, and availability in the context of the business strategy," says Valente. "Companies need to prioritize what they protect, with top priority processes getting the most protection. As part of that evaluation, companies need to look at personnel."
Even companies that do allocate the appropriate budget and create the right staffing have to think of security as a process, not a project spanning the short run. …