There is no such thing as a totally secure online computer network.
"The only way to make it 100% secure is to unplug it, put it in a cupboard and lock it up," quips Gordon Love, security services head at listed IT company Faritec, which manages network security for some of SA's largest companies.
The fact is that if you can send and receive information online, somebody else can use that link to attack your information system - either to disrupt, disable or steal from it.
But you can minimise the risk and make it almost nonexistent. The extent to which you need to do this depends on how susceptible your network is to attack, how important it is to your business, to what extent its data needs to be kept confidential and, ultimately, how much you are willing to spend to make it near bulletproof.
Most organisations reduce network risk by installing basic security measures such as a firewall (with log-on and password system), antivirus and intrusion-detection software, and a mail filter. These are necessary, but are often installed haphazardly and without adequate planning, says Anthony Southgate, security division GM of network service provider Internet Solutions.
"When an organisation decides to actively reduce risk, a more formal and structured process is required," he says.
First, one has to understand the value of the risk - the potential loss to the company should an incident occur, and the probability or frequency of it happening. Security breaches are invariably deliberate attacks, so it will help to keep a record of incidents to understand the nature of the risk.
Next, the company should decide how best to reduce the risk, by means of a security policy. "Defining a policy means we have thought more about why this risk occurs and how to remove the root cause," says Southgate. "This is an important step that many organisations in SA fail to take."
Too many companies, he adds, purchase a product or service that patches a perceived vulnerability but fails to address the risk.
"Don't be fooled by the media emphasis on hacker attacks," says computer sleuth Dave Oswald, founding director of IT consultancy Forensic Restitution. Though the risk of such attacks is serious and is growing internationally, hackers account for only about 15% of network incidents. "At least 70% of all firewall breakdowns are caused by employees of the institution itself," he says.
It could be a disgruntled employee deliberately planting a virus in the company network or a departing member of staff stealing data with which to start a rival business. Or it could simply be negligence: an employee using a company laptop to download pirated software that contains a hidden virus that enters the network when the laptop is reinstalled at the office, with potentially disastrous results.
"The best way to cut down on such risk is to have a strong IT policy," says Oswald. Typically, such a policy would prohibit employees from using company equipment to make unauthorised downloads and would be written into their employment contracts.
The reason information is more threatened from within an organisation than from external factors is that the threats are not properly understood by most managers and employees, says Sean Reuben, chief information officer of IT outsourcing service provider Computer Sciences Corp, which manages network infrastructures of companies such as Old Mutual, Hollard and SA Eagle.
"Because IT security seems surrounded by complexity, it is subject to cost-cutting pressures and perceived to be a drain on processing and financial resources," he says.
But a corrupted IT system can lead to a complete breakdown of business. No matter how sophisticated the security system, all networks in SA still have to pass through a third-party carrier: Telkom. As a result, many companies encrypt their information to prevent it from being read by outsiders or unauthorised employees. But an authorised employee may be a security risk.
The future of encryption appears to lie in quantum security, which uses the location of an electron in an atom to encrypt and decrypt data.
But security is not always about technology, says Business Connexion chief technology officer Andy Brauer. "Firewalls are great, but how do they help if someone can fax the information out of your office?"
It is crucial to view IT security as a business-risk management issue; one that requires board level attention, says Dimension Data security business GM Gary Middleton.
Too many SA businesses rely on tactical security solutions such as antivirus software or firewalls, when they should be adopting holistic security strategies for every facet of the organisation.
"IT security is no longer just about protecting IT assets, but about effectively managing business risk," he says.
The key is to blend physical and IT security strategies into a comprehensive security policy that has the support and understanding of all staff and stakeholders, says Patrick Evans, regional manager of Symantec, the world's biggest IT security company.
Telkom information security manager Eben Visser agrees. Companies, he says, often overlook the need for a competent information security professional to assess the organisation's needs and to tailor solutions to its areas of vulnerability.
"Few companies have the resources to employ full-time IT professionals to protect confidential business information," he says. But they can outsource those requirements to an information security manager, such as Telkom, that has the expertise to develop holistic solutions.
One of the biggest challenges facing network security managers is the increasing speed with which cyber attackers are able to exploit network vulnerabilities. It used to take months for hackers to write attack programmes (known as "exploit codes").
But, according to Symantec's latest security threat report, the average time has dropped to 5,8 days. This means that if a system designer such as Microsoft announces a vulnerability in its Windows operating system today, network users have less than six days to come up with a patch to close that vulnerability.
That's why companies such as Symantec are constantly scanning the Internet for signs of new vulnerabilities. Symantec is the largest of such companies, with more than 20 000 sensors monitoring network activity in more than 180 countries. It is able to gather malicious code data from more than 120m client, server and gateway systems that use the company's antivirus products.
Symantec operates six hi-tech security operation centres around the world, monitoring the Internet traffic of big corporate clients. "We see 15% of all e-mail traffic around the world, which gives us a good chance of picking up early indications of threats and warning our clients ahead of time," says Evans.
The quickening pace of the cyber war requires network users to re-evaluate the way they protect their networks - ideally with a blend of integrated measures to prevent and detect intruders.
An international security standard does exist: BS17799. But Middleton says few SA organisations are compliant. "We are still pretty far down on the IT maturity level," he says. But as global competition grows, more companies will find themselves under pressure to become compliant.
Gradually, regulations are catching up with security needs in SA. The Electronic Communications & Transactions Act (ECTA), which took effect in 2002, together with the King 2 corporate governance report, provides a measure of statutory and regulatory protection. The ECTA outlaws not only hacking offences but also malicious acts by employees.
But Oswald says it is not easy to track down hackers because they are able to disguise their activities across international boundaries.
Furthermore, the police are swamped with cyber crime, "which means there's lots of work for private forensic contractors who can earn up to R1 500/day," Oswald says.
Sleuths such as Oswald will handle a case for a client, produce a docket and guide police through the process to effect prosecutions. They will even present insurance claims on their client's behalf.
The proliferation of wireless networks and mobile gadgets - cellphones, calculators, digital cameras - has vastly expanded the range and possibility for information smuggling and other forms of cyber crime. "People forget that computers aren't just what's on the work top; they are around us all of the time," Oswald says.