The lack of understanding of IT-related security issues in many small-to-medium sized businesses that I encounter as a management and technology consultant often worries me.
There seems to be a mindset amongst senior managers (often at partner and director level) that security breaches are only perpetrated by external human hackers and that their firms are not sufficiently important enough to attract attention.
These senior managers miss the fact that almost all initial external attacks are automated and that although many of these attacks may be unsuccessful in compromising their organisation’s data security, they may nonetheless seriously damage their internal infrastructure, resulting in significant costs in order to rectify the damage.
It would be a lucky organisation indeed that did not have its Internet defences probed at least once every couple of minutes. The most recent log I inspected for a small organisation was receiving an attack per minute in what appeared to be an attempt to swamp instant messaging clients with spam. The log also revealed port scans and other nefarious activity once every 10 minutes. These more serious attacks are often scanning for weaknesses through which to inject malware.
We have conducted occasional exercises in assessing just how bad this type of wanton vandalism is by simply connecting an unprotected set of newly built PCs to the Internet. Our somewhat primitive research shows that it takes around 15 minutes before machines in this condition are crippled with malware. Much of the malware also seems to be aimed at stealing credit card details and the like; and could cause enormous damage to an organisation’s reputation.
I’m often confronted by SME senior managers that argue that they have nothing of value on their networks, but my immediate retort is that neither did the machines mentioned above, but the cost of putting them back together again was expensive. It is clear from the subsequent discussions with these managers just how valuable having an operating computer system actually is to their organisations.
The irony is, of course, that the sort of dubious activity I see time and time again in firewall logs is the equivalent of a criminal gang casually walking down the road trying the doors and windows of each building they encounter for weaknesses, with a view to coming back later to investigate the weaker buildings further. I have little doubt if our streets were full of such marauding gangs then there would be huge public concern. The problem for IT is that this kind of behaviour is literally “out of sight, out of mind”.
I believe, like many other observers in the profession, that there is a discernible shift away from writing viruses for the sheer devilment of it to one of seriously making money out of it.
Indeed, Joe Telafici, vice president of operations for McAfee’s Avert Labs, recently said in a BBC interview that he felt 2007 had effectively seen the extinction of young hackers who wrote viruses and other malicious programs for fun and that writing Windows malware was now all about money.