WorldCity Business Magazine

Looking outside the office

by Mary Dempsey

As Hurricane Wilma descended on South Florida in late October, companies grabbed their computer servers and credit cards and lined up at the loading dock of the NAP of the Americas. The desperate 11th-hour goal of these companies? To find a safe place for their data.

The bunker-like NAP of the Americas is designed as an off-site safe place for data storage. Panicky executives rushed to the downtown Miami facility as South Florida weather became the latest addition to the list of information technology security threats, which already include viruses, hackers, spyware and phishing. These breaches not only compromise the confidentiality of corporate information but they may cause extensive damage to a company’s brand or image.

Although hurricanes can compromise the safety of corporate data, cybercrime is the real enemy of IT security.

During a recent banking security conference in Saudi Arabia, U.S. Treasury officials said cybercrime profits now exceed those of drug trafficking. The estimated $105 billion in cybercrime in 2004 included piracy, extortion, child pornography and corporate espionage. The speed at which criminals can hack into or jump from Web site to Web site makes it difficult for law enforcement o catch them.

Companies have increased their IT security budgets, but experts at a DHL Connections event in December said where security is focused is just as important as how much is spent on it.

Marvin Wheeler, chief operations office at Terremark Worldwide, which runs the NAP of the Americas in Miami and other high-security facilities both inside and outside the United States, said businesses routinely underestimate the scope of their networks. “You need a whole database plan. If everything’s secure yet people are walking around with a PDA, you’re not covered,” he said. “Your network has extended out to T-Mobile. Or Blackberry. What if you leave a cell phone in the bathroom and it has all your contacts?”

Even something as routine as wireless laptop use on an airplane or laptops operated without screen protectors, which block onlookers from reading screen content, can open the door to security breaches.

“It’s very important that every company have a full business plan,” Wheeler added. “You need to figure out all the possibilities of extrusion and intrusion.”

Wheeler joined Symantec’s Wilson Grava and Nortel’s Juan Chico in speaking at the DHL Connections briefing titled “IT Security: Fighting viruses & worms, hackers & hurricanes.”

Grava is vice president for Latin America sales at the Miami office of IT security giant Symantec Corp. Chico is the Sunrise-based vice president for enterprise sales in the Caribbean and Latin America at telecommunications company Nortel.

Grava said companies like those that rushed to the NAP of the Americas as the hurricane closed in are reacting to threats when they should be investing to prevent them. In an Internet security analysis that Symantec undertook during the first six months of 2005, the company found that there had been a shift in the focus of security attacks.

“Attackers are moving away from large, multipurpose attacks on network perimeters and towards smaller, more focused attacks on client-side targets,” according to Symantec’s Internet Security Threat Report. “The new threat landscape likely will be dominated by emerging threats such as bot networks, customizable modular malicious code and target attacks on Web applications and Web browsers.”

Bot networks are computers that become linked when computer users unknowingly download something with the same malicious code. The code can be used to activate the computers into some action, ranging from the dissemination of spam advertising to attacks on Websites.

Trouble at every turn

Computer threats are growing in frequency and power. Symantec documented 10,866 new computer viruses and worms in the first six months of 2005, a jump of 48 percent compared to the number document in the previous six months.

The first worm affecting mobile devices surfaced in March 2005. And for companies like Nortel, the specter of voice phishing, which would affect voice-over-Internet protocol, or VoIP, looms.

“VoIP opens a significant amount of challenges, especially in the security sense. VoIP is a real-time application,” said Chico. He added that it is crucial for companies using VoIP to make sure their contractors are knowledgeable about all the security risks.

The DHL Connections participants said companies recognize that they must address security but often they don’t understand how. For example, it is estimated that 50 percent of U.S. companies do take even the simplest step of backing up their data on a daily basis.

“It’s more than back up of data,” said Terremark’s Wheeler. “It’s ensuring that your core databases are in a secure place with appropriate software around them.” He said the investment to guarantee that security may seem hefty at the time, but there is a colossal recovery cost if a breach occurs.

“When people know that your brand has been intruded, you lose business,” Wheeler said, adding that the damage to a company’s image can occur even if the intruder is caught before any breach can take place.

For companies with business in Latin America, the exposure to potential security threats is even greater owing to the proliferation of pirated software. Latin America’s IT sector has the highest piracy rate of any region of the world, according to a study released in December by the Business Software Alliance. The independent research, conducted by International Data Corp., identified the Dominican Republic, Peru and Venezuela as among the countries with the highest piracy rates.

Grava noted that Latin America received one-third of the world’s computer shipments but only a tenth of its software shipments an indication of the extent of the piracy.

Out of control

As online shopping and Internet banking have become more popular, threats to customers’ personal information are increasing. The second annual AOL/National Cyber Security Alliance Online Safety Study found that phishing attacks with the goal of identity theft affect one in four U.S. computer users each month. Wireless computer operations, in particular, fail to set up safety features to prevent intrusions.

The ability for consumers to safely conduct business online is critical for many corporations.

At the Connections event, Fernando Figueredo from Porter Novelli, expressed concern about cyber criminals’ ability to outwit the safety nets. “It seems like hackers are a step ahead of some of these security systems,” said the public relation company’s managing director for Latin America. “How can they get in to break through such high-tech, secure networks?”

Wheeler said there is a new breed of hackers. “Five years ago, they did it to prove they were smarter than the system. It wasn’t really with malicious intent,” he said. “Now the people who are the bad guys are very organized. There are dollars involved. And it’s not individuals it’s actually little mafias.

“It’s big business. It’s big money,” he said.

In fact, the Symantec report reached the same conclusion. It found that hacking and viruses were no longer the work of computer geeks interested in showing off their skills. Rather, “many current threats are motivated by profit. They often attempt to perpetrate criminal acts, such as identity theft, extortion and fraud.”

Further, Symantec’s Grava noted that hackers are now more deft at finding weakness in computer operating systems. Five years ago, he said, it took an average of three months for cyber criminals to find a system’s vulnerability and exploit it. Nowadays, they can do it in six days. Yet it takes an average of 50 days to patch the glitch. In the fast-moving technology world, a lot of damage can be done in 50 days.

But weaknesses in a corporation’s system are not all technical. Breaches by employees often innocent missteps are not uncommon.

“Someone calls the administration department and wants confirmation of a password over the phone,” said Grava. “And they may get it.” He added that simple questions from strangers about the names of an employee’s children may actually be a ploy that opens the door to discovering passwords or other security-clearance information.

Wheeler said such confidentiality is critical for a company like Terremark, which works with sensitive government contracts. Acknowledging that humans may be the weakest link in the security chain, Terremark has some contracts that specify that there be at least three people at any meeting. “It’s harder to bribe three people than it is two,” Wheeler explained.

Nortel’s Chico said it’s not just about trusting employees. He noted that companies must also be able to trust the security practices of their business partners.

Companies should not look only at how much it costs to get secure, Chico explained, but also at the cost of not doing so. “If you have just three [cyber] attacks a year that bring your system down for just half an hour, that represents $9 million a year for a company the size of Coca Cola,” he said.