Understanding the Impact and Solutions of Computer and Network Security-Two


Article by Steve Mallard
Published on Aug 18, 2008

Part Two

Since the advent and infancy of the internet, many U.S. companies and corporations have functioned and operated with very little Computer and Network Security in place in their network infrastructure. Although many of these companies and corporations have hardware firewalls and intrusion detection systems in place, many of these businesses do not have policies and procedures to guide and govern their infrastructure security. Policies, along with personnel, are the backbone of Computer and Network Security. This backbone is the fragile structure that keeps companies secure in today’s digital world. These directives (Policy and Procedures) ensure that companies and corporations will be in compliance as long as the CIO or IT manager enforces them. Although a definite and structured compliance has not been put in place, directives and training are the true tools needed to help companies maintain a form of security within their organization.

Until now, computer security and locking down the network infrastructure have been on the back burner with most companies and corporations because of cost. According to a corporate poll in a nationally recognized information technology magazine, 99% of U.S. companies now use some type of preventive antivirus technology, with 98% of these companies now using firewalls. This electronic security poll was based on compiled information from larger corporations and their practices and does not include small to midsize companies found throughout the United States. The recently released polls cited in this research paper are usually focused on larger companies and corporations in the United States. The main reason for this was found by interviewing several midsized and smaller companies locally. These smaller companies and corporations have usually outsourced their Information Technology infrastructure to private organizations that do not have written policies and procedures for these smaller companies. Normally, these companies do not have any type of policy and procedure in place for their current clientele. Because of this practice, these companies and small corporations do not look at industry-related security trends, security issues or any relevant areas of computer security. It was found, however, that fewer than 10% of the companies offer a service-related plan that pushes security issues for their clientele.

This complacency can have an enormous impact on the consumers and customers of these companies and corporations. With little or no funding for a technology budget, these entities often use friends, family or small computer companies to fix or repair their computers or network. This results in a huge security gap between a professional information technology department and someone who is not trained in basic security needs. With this gathered statistical information, numerous private and public corporations can appreciate the need for network infrastructure security, and are beginning to put in place multiple phases of internal and external protection for their digital and electronic assets. Small to mid-size organizations are hesitating simply because of inadequate funding and the rising cost of securing the digital assets found in the modern workplace. Companies often miss the importance of the cost of a security breach vs. the cost of preventive security measures. This unintended hesitation in implementing network infrastructure security is causing more and more companies to be violated or exploited by malicious hackers and crackers. With this exploitation, companies subject themselves to lawsuits from their own customers. These companies are often unaware that they have been exploited until customers report the issues to them. Many times, more than thirty days go by before someone alerts the company of a possible security breach. The cost of an electronic exploit can be greater than a million dollars per incident, as reported by the FBI (Federal Bureau of Investigation) in its report of cyber threats in the United States. To help counterbalance this, smaller to midsized companies could spend less than $5,000 to harden their systems and operating systems and put a stateful firewall in place. As stated in this paper, these companies often lack the resources, materials and funds to do so. With the FBI report showing reported incidents, there are thousands of incidents that go unreported. Often these incidents are yet to be discovered.

With this number of small to mid-size corporations ignoring or slowly implementing security measures, more and more electronic computer crimes are beginning to take place throughout the U.S. With extortion now moving into the digital age, many corporations do not report intrusions to law enforcement in order to avoid negative publicity. Reports of an intrusion could directly have a negative effect on the company’s sales and position in a competitive global market. Approximately 35% of corporations don’t report electronic intrusions to keep their competitors from gaining any type of advantage. Today’s modern bank robber can be a hacker thousands of miles away, hidden behind spoofed IP addresses or behind a zombie computer. Reports are also withheld to avoid embarrassment with the general public. This withholding of information often leads to a band-aid fix.

Other means of protection include standardizing policies and procedures within corporations to help protect their network infrastructure. Policies and procedures rely on the initial implementation along with annual or semiannual follow-ups. Without these policies and procedures in place, a company’s survival in the security race to protect its infrastructure is compromised.

Smaller and mid-sized companies very rarely have these policies in place and often operate their network by the “seat of their pants”. These companies rely on and trust their computer vendors to make them as safe as possible. Poorly trained personnel at these computer vendors can have a negative impact on the overall security of the organization.

Medium-size companies often have the budget, but the Information Technology manager is often stretched too thin to prevent or react to the security needs of the company. These IT managers often work longer hours and tend to miss early warning signs of network lapses. Through no fault of their own, breaches can occur and not be discovered for weeks.

Outsourcing information technology teams to other countries can have another form of negative impact on companies. With third world countries competing in a global market, the confidential information of clients and internal data can be jeopardized by these companies. Using third world countries for technical support can lead to disastrous consequences when relying on someone a world away to secure your network.

CIOs (Chief Information Officers) and IT managers found in larger companies and corporations usually have these operational policies in place, with a system for disaster recovery and planning. The logistics alone in larger corporations can be a double-edged sword. With these policies in place, the arduous task of changing the policies can take weeks or even months as management goes through several meetings with committees and sub-committees. Agreement among industry professionals on the correct internal computer security is usually led by a trained security analyst in the corporation who may or may not have proper certifications or security training. CIOs have to put raw faith and trust into the company’s security analyst in hopes that their knowledge is on the cutting edge in a technology that is changing daily. These analysts have to make decisions on how and when to implement protection within minutes of finding out about vulnerabilities. The communication by the analyst must be thorough and accurate. The Computer and Network Security analysts have to look into the immediate future for the growth of their business, and often they have to try to foresee changes before these changes come about.

Smaller companies and young corporations, on the other hand, usually do not have policies or disaster recovery and planning policies in place. With limited budgets, these companies may have a limited number of IT (Information Technology) personnel within their ranks or may outsource all of their network or technology personnel. This limit in resources may cause a lack of compliance with industry standards and conformity to security standards. With laws in effect such as HIPAA (Health Insurance Portability and Accountability Act of 1996), GLB (Gramm-Leach-Bliley) and the U.S. Patriot Act, these companies may not be conforming to U.S. laws or rules imposed in their industry.

Therein lies the problem: companies have to understand that internal policies and procedures on security (along with proper disaster recovery and planning) have to be put in place in order to protect their assets and the consumers they serve. With ecommerce growing by leaps and bounds each year, more and more companies from small to large are accepting credit cards, debit cards and electronic checks online. With over two million dollars in lost annual revenue in the United States, they must ensure that their initial investment will be worth the protection of their data and their clients’ information. This act alone can help to prevent a breach in the security of their corporate network. Setting and maintaining an information technology budget along with policies can help to ensure the protection of the company’s network.

