Andy's Technical Notes Main Security Page

Security - The top ten questions

As collected, answered, and copyrighted by HP, 2005.
The original page from HP is no longer available.

There is no such thing as perfect security. Letting employees, customers and partners access our data electronically is part of doing business today. But that creates risks. Information security is about balancing those risks with the rewards of doing business electronically. Here are ten of the most common questions people ask about security, and some of the answers.

  • 1. What happens if we have a security breach?

    It depends. Computer viruses and worms can cause downtime, lost sales, and damaged data and computers, plus irritated users and IT staff. But that doesn't hurt your reputation the way other kinds of security breaches can.

    Website defacements are especially problematic. "Hacktivists" use other people's websites to make political statements. Security breaches can also lead to severe financial losses. Part of the loss is indirect, such as an erosion in business confidence, but security breaches can also lead to direct damages and serious losses to the bottom line.

  • 2. Aren't firewalls enough?

    Many people believe firewalls mean security, but they are not enough. Hackers can flood a firewall with too much data to inspect, or they can use an encrypted email message with a virus inside it.

    Firewalls are necessary tools, but they are not the core of information security. You need to concentrate on a holistic security architecture. Security shouldn't be added to an enterprise; it must be woven into the fabric of the application.

  • 3. Who should be in charge?

    Security has usually been part of IT. Some people believe the responsibility for security should lie elsewhere, because it needs a higher profile. It can also be a conflict of interest for the CIO to manage something that often hinders speed or ease of use. But CIOs have a crucial role to play, because they understand the role and limitations of technology.

    Security is a big job, and many companies have delegated it to a chief security officer (CSO), responsible for both physical and information security. The CSO should report directly to the CEO, and be in close contact with the IT, physical security, audit, HR and legal functions.

  • 4. Should security be outsourced?

    For some companies, finding and keeping hard-to-find security staff is worth the trouble. But others have outsourced at least some of the security function. Outsourcing vendors can be specialist security providers, or large services companies that offer security as part of a package. The larger companies offer more stability and better prices, but they sometimes lack the expertise of a specialist.

    But outsourcing security involves more than just writing a cheque every month. Security needs to be tightly tied to the business, and there needs to be someone in-house to manage it.

  • 5. What technologies are involved?

    Antivirus software is usually the first step, watching for malicious code that can destroy data and applications across the company. Because new viruses are discovered every day, you need to be vigilant about ensuring users have the most up-to-date versions of the software and its signatures.

    Firewalls are still crucial when it comes to preventing security problems, if only because they hide the IP addresses of the company's computers. Many companies are investing in intrusion detection systems (IDSs), which identify suspicious activity.

    It is important to look for holes in software and hardware that could be exploited by hackers. Keep track of the latest vulnerabilities, install patches to fix them, and make sure that doesn't cause new problems. This can be time-consuming, but there are services to manage the process.

  • 6. What about wireless?

    Wireless technologies pose a great security risk, for obvious reasons: the radio signal does not stop at doors and walls. When implementing wireless technologies, proceed with extreme caution. Know the boundaries of your wireless signal. Make sure information is encrypted, and that users are familiar with security procedures and follow strict guidelines for passwords.

  • 7. What are my legal obligations?

    Companies that don't meet legal requirements could face lawsuits filed by customers, partners, or stockholders who suffer damages due to the disclosure or loss of confidential information. These kinds of cases are only beginning to surface, but there are several ways to protect your company.

    Set rules for how you protect and handle your data, and communicate those rules to employees. Write security requirements into contracts with vendors. Have a security audit done, where an independent company tests your security measures and recommends how they can be improved.

  • 8. Can I insure against security breaches?

    Business insurance policies typically do not cover the risks associated with e-business. Cyber-insurance, which is offered by some insurance groups, fills the gap. This coverage can shield your company from financial loss caused by viruses, theft of customer information, privacy-related incidents, liability lawsuits, and more.

    This kind of insurance is relatively new, but is already helping build information security standards. Some insurance companies have already announced that they charge differently for clients who use specific operating systems.

  • 9. How can I measure return on investment?

    A positive ROI on security is "nothing happened." That fares poorly in budget reviews. Security costs are in dollars, but benefits are not. Lacking a specific ROI, the best you can do to justify security spending is to point out problems that others have had.

    Start a file of newspaper clips about companies that have experienced damaging security breaches. The most frequently cited surveys are a joint survey performed annually by the Computer Security Institute, and one from Computer Economics.

  • 10. Why does no one seem to get security right?

    You might keep out hundreds of hackers, but just one can wreak havoc. There are few security standards and little expertise, and no one wants to talk about it for fear of attracting attention. And hackers are all too willing to share news of security vulnerabilities.

    The best way to fight back is to make your company security-conscious. People need to spend time thinking about something that won't make money, just save it. There always seem to be more immediate concerns, but as the number of attempted hacks continues to rise, it's time for companies to stop being afraid of a security breach and start doing something about it.

    Last updated 2003-10-23