IT security specialists believe that managers of local companies should re-think their levels of IT security expenditure, as they currently underestimate the gravity of the problems that can arise from the malfunctioning of their IT system.
Local firms invest very little in their IT systems, especially in their IT security, says Alexandru Molodoi, CTO of Gecad Net. A study conducted last year on the local market by Gecad Net and the consultancy company Avantera found that more than half of Romanian companies invest less than two percent of their IT acquisition budget in information security, and the budgets are usually small in the first place. From a company's total spending, only an average of 4.5 percent goes on IT.
How much a firm has to spend on IT to reach European Union standards depends a lot on its field of activity and size, as well as on the type and actual use of its equipment and the structure of its entire IT system. “We cannot compare the costs of a 10,000-employee production company with a 50-employee web design firm. Even so, it would be preferable that the IT and services investment budget represent at least 10 percent of the total costs of local companies,” Molodoi said.
Before deciding on the amount of money that has to go into the security of its IT system, a company has to first quantify the value of all the data it owns, the sensitivity of that data and the equipment the firm operates with. It must also establish the market value of the entire company that relies on its data. IT investments should always be proportional to the value of the company.
Measuring the risks
“A company should develop ‘what if…' scenarios through which it can estimate and measure the risks to its IT system if it were to be affected by different attacks, crises or other events. Based on these scenarios, you can determine the possible costs and losses caused by such events. The losses can be significant and there are cases when they cannot even be measured – as in the case of losing credibility on the market,” said Oliviu Talianu, BitDefender regional manager.
Taking into account the level of IT investments in Romania, local companies are more exposed to information threats than companies from developed countries with IT budgets tailored to their size and worth, says Talianu.
Cost, combined with a lack of understanding of how much money their information and reputation are worth, makes companies treat their IT security systems as a sensitive issue to talk about.
In the opinion of Cristian Bilan, managing director of Iron Mountain Romania, the small amount of funds allocated to the IT system is a common problem for companies that fail to realize how much money their information and their organizations' reputations are worth, as is the lack of a multi-layered security approach. Processes, especially back-up, encryption and auditing, should run through authentication. Relying primarily on a firewall is a common mistake companies make with their IT security. “Most of the companies do back up their data regularly but depending on a single copy of data is never a good idea,” Bilan said.
The main risk factors for a company's IT system security are the conduct of its employees, malware threats and the wrong configuration of the systems, Molodoi said.
As an internet service provider (ISP), Neogen has focused a large part of its investments on IT, especially on servers. “We are increasing the stocking and processing capacity and the assurance of a back-up system that could take over if the main system crashes, in order to provide non-stop functioning,” said Birtha-Arany Attila, IT infrastructure manager of Neogen. The firm's IT department is made up of 32 people, out of whom four are server administrators and three are quality controllers.
Meanwhile, mobile operator Cosmote has increased its IT investments along with the number of employees and clients, and as the company has diversified its activities. Recently, it invested some EUR 500,000 to implement the newest version of the Genesys call center software. As far as internal investments are concerned, the company has focused its efforts on setting up an intranet system.
“The IT department team has grown and constantly strengthened since Cosmote debuted on the Romanian market in 2005. At present, it is made up of 33 Romanian-based professionals and will be further expanded as new responsibilities, challenges and tasks appear,” said Christos Christopoulos, Cosmote Romania's IT director. For the integration of IT systems at group level, the Romanian-based team is working closely with IT specialists in Cosmote's headquarters in Greece.
Eastern Europe gets taste for cyber crime
Media reports say local companies have not suffered severe hacker attacks yet, although Romania has gained international infamy as a hub for internet criminality. The majority of hackers in Romania are believed to focus on larger international companies or institutions which prove more lucrative victims. Their specialties include defrauding consumers through bogus internet purchases, extorting cash from companies after hacking into their systems and the design and release of computer-crippling worms and viruses. Although the Russians are better known for online extortion, Romanians have become major players in the scam, also used by criminals from Bulgaria, Poland and Slovenia.
It was reported that in the classic scam of a few years ago, criminals offered high-end electronics or other goods for sale or auction, processed the order, confirmed the “shipment” and simply vanished the moment the victim wired payment. Some have developed web pages that mimic legitimate sites such as eBay, diverting buyers to a fraudulent site. Buyers think they're dealing with eBay, but their money ends up in criminal hands and the “goods” are never shipped.
Studies on the market indicate that companies in Romania have not taken the necessary steps to measure the losses caused by information attacks and by damage to image, productivity or confidentiality. If Romanian professionals paid attention to this, say experts, the difference between the losses suffered and the cost of IT security investments would be obvious.
Threats to the functioning of servers are the worst thing that could happen, similar to a shop that has to close during peak hours, the Neogen manager said. The company's hosting service recently suffered a spam flood from three servers around the world, two in Taiwan and one in Mexico. The solution was to contact the owners of the servers and ask them to take the machines offline temporarily, as those servers had themselves just been hacked.
“We expect discussions on information attacks to pick up in the near future as the internet development is impressive, while at the same time there are gaps in the technical solutions blocking certain types of attacks,” Birtha-Arany Attila said.
In the case of Neogen, the victim was punished (the ISP cut off access to its servers), not the attacker, because internet traffic can be monitored only at its destination, not at its origin.
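The spam flood described above is the kind of incident where the receiving side has the evidence: its own connection logs show which sources are hammering the mail server. The script below is an added example, not Neogen's or any vendor's code. It reads Postfix-style smtpd connection lines (a constructed sample, using RFC 5737 documentation addresses in place of the three real servers), counts connections per source over a sliding time window, flags the sources that exceed a rate threshold, and emits firewall rules against those sources rather than against the targeted host. The log format, the 60-second window and the threshold of 10 connections are assumptions chosen for the example.

```python
"""Flag spam-flood sources from mail-server connection logs.

Added example (not Neogen's or Gecad's code). The log lines are constructed
in a Postfix-like format; the addresses come from RFC 5737 documentation
ranges and belong to no real attacker.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd connection line, e.g.
# "Jun 12 10:00:01 mx1 postfix/smtpd[2231]: connect from unknown[203.0.113.5]"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"connect from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]$"
)


def parse_line(line, year=2008):
    """Return (timestamp, source_ip) for a connect line, None for anything else.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2008).
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


def flood_sources(lines, window_s=60, threshold=10):
    """Return {ip: peak_count} for every source that opened more than
    `threshold` connections inside some `window_s`-second sliding window.

    Lines are assumed to be in chronological order, as a log file is.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = defaultdict(int)      # ip -> largest window count seen so far
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:       # disconnects, other daemons, garbage
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()          # drop timestamps that fell out of the window
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


def block_rules(flagged):
    """iptables rules dropping SMTP from each flagged source (sorted for
    deterministic output). Blocking the sender keeps the victim's mail up."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP"
            for ip in sorted(flagged)]


def constructed_log():
    """Constructed sample log (not real traffic): one burst sender, one slow
    but steady sender, one ordinary client, plus lines the parser must ignore."""
    base = datetime(2008, 6, 12, 10, 0, 0)

    def line(offset, ip):
        ts = (base + timedelta(seconds=offset)).strftime("%b %d %H:%M:%S")
        return f"{ts} mx1 postfix/smtpd[2231]: connect from unknown[{ip}]"

    entries = []
    entries += [(i * 2, "203.0.113.5") for i in range(12)]      # 12 in 22 s
    entries += [(i * 10, "198.51.100.77") for i in range(12)]   # 12 in 110 s
    entries += [(5, "192.0.2.10"), (40, "192.0.2.10"), (100, "192.0.2.10")]
    entries.sort()
    lines = [line(off, ip) for off, ip in entries]
    lines.append("Jun 12 10:01:55 mx1 postfix/smtpd[2231]: "
                 "disconnect from unknown[192.0.2.10]")
    lines.append("this line does not parse at all")
    return lines


if __name__ == "__main__":
    flagged = flood_sources(constructed_log())
    for ip, n in flagged.items():
        print(f"{ip}: {n} connections within 60 s")
    for rule in block_rules(flagged):
        print(rule)
```

Only the burst sender trips the threshold: 12 connections in 22 seconds. The steady sender also makes 12 connections, but spread over 110 seconds no 60-second window ever holds more than seven of them, so it is left alone. That is the distinction a rate-based filter must make before an operator phones the remote server's owner or drops the source at the firewall.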
IT investments should go into risk prevention and into covering the system's vulnerabilities, whether they are operational or infrastructure vulnerabilities. “For the time being, local companies are interested in infrastructure, in efficiency solutions unrelated to security – which is actually the foundation of the IT policy; the assurance that all the other activities are and will operate in good conditions,” Talianu added.
Given all this, it is worth underlining that implementing IT security technologies will not solve organizational matters inside companies. All employees must be familiar with the IT policy and procedures.
Viruses remain top threat
Talianu thinks that the most common threats to companies' IT systems for several years now have been viruses, while employee misbehavior or errors are slightly less of a danger. Internet worms, spyware programs and hacker attacks come next. People are becoming more aware of the dangers of annoying spam messages and phishing, while other types of accidental or deliberate data compromise must be taken into consideration as well.
Senior executives are tasked with running a profitable business and in many cases are still wrestling with the changes that IT has made to the face of business. “It never makes sense to spend more money protecting an asset than the asset itself is worth. Security is about risk mitigation and sometimes an unacceptable security risk is an acceptable business risk. Pretending the problem will go away if they ignore it is one of the biggest threats,” Bilan added.
As part of the recovery and business continuity plan, the recommended best practice for offline data storage is to copy back-up tapes and then send the copy off site to a secure area. Bilan estimates that 90 percent of the companies that have lost significant amounts of data will disappear from the market within two years at most.
IT security also offers great business opportunities. Iron Mountain has developed the Secure Base Europe (SBE) vault management and inventory system, which is the primary operational system for the firm's Data Protection division to manage customer media. In Romania, this is a new service. The firm's customers include companies such as Hewlett Packard, AIG Romania and Lafarge.
Some companies have periodic IT security audits which are carried out in-house by the IT department or by specialized companies. Security specialists recommend a double audit, both internal and external, to make sure the vulnerabilities of a system are removed.
Well-known names on the local market, as well as internationally, such as Softwin and Gecad, offer such types of services in Romania.
Neogen is currently negotiating a consultancy contract with a specialized IT security audit company to prevent any future attacks.
Mobile devices are usually threatened by the same risks as any internet-connected device. In addition, handsets can get infected over Bluetooth from any nearby device. The damage could be the loss of data from the handset's memory or even the need to reinstall the operating software, which has to be done by authorized personnel.