For Cigna, a health insurance and benefits provider based in Philadelphia, the biggest security issue isn’t necessarily neutralizing the virus du jour or fending off shadowy mobster-hackers—it’s sifting through mountains of data.
“Sometimes we get overwhelmed because of all the information that comes out of the devices we’re monitoring,” says Craig Shumard, Cigna’s chief information security officer. “It’s data overload.”
Cigna, which had $18.1 billion in 2004 sales, employs about 100 people in its information security management unit. Still, the company has for the past five years outsourced security event monitoring to Symantec, which looks at trends and detects when coordinated attacks are being mounted against Cigna systems or networks.
Shumard’s challenge is finding folks who have the expertise to understand and analyze security data. “It’s very difficult to attract and retain people in that field, because it’s very specialized,” he says. “It’s hard, even for a company our size, to do a good job 24/7.”
Getting a 30,000-foot view of information security is tough, especially when trying to gather metrics from different vendors’ systems. But many security managers believe that dealing with multiple suppliers is simply a fact of life.
“It’s easier to maintain a relationship with one vendor instead of 10,” says Mike Howell, an information-technology security consultant at health maintenance organization Humana. “But you’re not going to find somebody who can do antivirus and firewalls and intrusion detection all better than anyone else.”
The problem is, many information-security vendors have solely focused on their own little niche and haven’t done a good job of delivering products that provide a holistic view of security conditions across the enterprise, says Eric F. Guerrino, senior vice president of information security for The Bank of New York.
“A lot of the vendors don’t realize that the technology itself isn’t the whole solution,” Guerrino says, though he declines to name specific companies. “Some of these products really do a good job at their primary focus, but the administration of the products sometimes falls short.”
For example, he says, intrusion prevention systems are great at providing alerts, but his team still needs to figure out what extra steps to take, such as reconfiguring a firewall, to counter threats.
meanwhile, the threat of financial loss from malicious attacks has continued to climb. The average annual loss attributable to attacks that resulted in the theft of proprietary data in 2004 was more than $355,000, according to the annual Computer Security Institute/FBI Computer Crime and Security Survey; in 2003, the figure was $169,000.
Gartner analyst John Pescatore says he’s seen a rise in more financially damaging security incidents aimed at an individual company, involving extortionists or disgruntled workers—for example, stealing employees’ account numbers to make fraudulent purchases.
The danger is that such targeted attacks often happen below the radar and don’t get much publicity. “I can’t scare the CEO with that,” Pescatore says. “Worms make it easy to get money for security because it’s on the front page of the newspaper.”
At the same time, the viruses and other junk on the wire are morphing into more virulent strains. Information-security executives say they’re seeing an uptick in viruses and worms that can clog networks or disable computers.
The most pernicious new threats are “multi-headed” ones that automatically attempt to exploit multiple vulnerabilities simultaneously, says Stan Gatewood, chief information security officer for the University of Georgia. “These aren’t plain old hackers sitting in an easy chair,” he says.
Some may be tempted to pin the blame for the rising tide of viruses, worms and spyware on Microsoft. Holes in its operating systems have allowed hackers halfway across the world to wreak havoc with a single, targeted piece of self-replicating code.
“It’s been a continuing frustration with Microsoft,” says Matt Speare, chief information security officer for M&T Bank, which is based in Buffalo, N.Y. But he also realizes that Microsoft’s software is targeted because it’s so ubiquitous. “If I were writing a virus, the return on my time to write an exploit for Windows is higher,” Speare says.
A Microsoft spokesman says the company has increased its focus on minimizing security problems and fixing flaws but adds, “The important thing to remember is that no software is 100% secure.” That means, then, that computers will need to be loaded with additional security software for the foreseeable future.
That extra overhead can be significant: Security agents, including antivirus, anti-spyware and personal firewalls, can consume up to 30% of the processing capacity on a single computer, says Lynda Fleury, chief information security officer at UnumProvident, a disability insurance company.
“The next thing that we want vendors to work on is bundling [multiple security enforcement features] into one product,” Fleury says. “The big push for me is having these tools be agentless.”
But security technologies and systems are only effective if the people using them know the drill. Health insurance company Aetna, for one, has required employees to complete security awareness training every year since 1999.
“It’s just good risk management,” says security adviser Donna Richmond, who oversees the training program.
Aetna’s training includes perennial guidelines (such as how to create a strong password) plus new procedures; for example, this year the company started requiring employees to encrypt any health or financial information when transmitting it electronically. Richmond’s group starts shepherding 30,000 employees through the training process in early September and aims to achieve 100% compliance by Dec. 31.
For Richmond, it’s a key part of the information security loop. “If you have a rule, you have to let people know about the rule,” she says. “And then you have to monitor their behavior.”