If you heard any of the speakers at the recent RSA Security Conference, you may have concluded that we should abandon doing e-business altogether, since nothing can ever be absolutely secure. Hows this for gloom and doom? "Our current security systems are failing catastrophically. We have a lot of technical challenges ahead of us, and in a lot of cases we dont have the intelligence to solve them right now." Thats how Paul Kocher, president and chief scientist at Cryptography Research, in San Francisco, put it.
Cryptography authority Bruce Schneier said, "The future of Internet security is not very good. Every year, it gets worse. We are not breaking even. We are losing the battle." When the security industrys leading experts take such a stance, is there any hope for e-commerce?
In a word, yes. But first, we need to understand that, in security, there are no absolutes. Nothing can be made totally, unquestionably secure. This applies to the physical world of banks, cars and homes as well as to the digital world. Knowing this is true doesnt stop people from putting their money in banks, driving their cars or living in their homes, does it?
What makes the imperfect security of the physical world acceptable are systems that mitigate security risks, such as locks, alarms, security guards, police and insurance. With those in place, we have enough confidence to go about our daily lives. The same philosophy must apply to digital and Internet security. IT needs to educate business managers to the facts of life with regard to security. There will never be complete security, but there can be a level of acceptable risk for any business on the Internet. All of an enterprises personnel, from end users to IT managers up to the CEO, must be aware of procedures and policies about how to thwart potential security breaches. Each user is a link in the security chain.
Second, investing time and money in building a sound security infrastructure is critical. We may be losing ground to the nefarious elements of hackerdom, but better technology is emerging every day. These innovations must be implemented. Third, all companies should consider augmenting their internal security systems with some form of managed or outsourced security services. These firms can offer 24-by-7 monitoring and rapid response to break-ins.
Finally, companies should investigate insuring all aspects of their IT infrastructures. Most managed security services offer vulnerability assessments that can form the basis for an e-insurance policy.
If all these steps are followed, your company still wont be 100 percent immune from security threats. But you should have a manageable level of risk. In businesses of all kinds, thats all anyone should ever expect.