August 2007
LEAKY P2P
DAYS OF RISK
HIPAA NO CURE-ALL
EXPANDING SECURITY'S FOCUS
ENVISIONING A SAFER FUTURE
LEAKY P2P: Sounding the alarm on peer-to-peer software
If corporate security officers aren't alarmed by the growing popularity of file-sharing software, let them heed this lesson learned the hard way: In June a major pharmaceutical company reported that personal data, including Social Security numbers, of more than 15,000 of its employees were exposed when an employee installed unauthorized file-sharing software on a company laptop.
The incident only accentuates a steady drumbeat of warnings about peer-to-peer software. In March, a report by the U.S. Patent and Trademark Office identified features in popular file-sharing programs that could cause users to inadvertently distribute files and data. In early June, Dartmouth College's Tuck School of Business released a study of the security dangers of such software. The Dartmouth report called peer-to-peer file-sharing networks "a common, but widely misunderstood source of inadvertent disclosure." It said that criminals troll these networks hoping to find information to exploit.
The study monitored three popular file-sharing networks over a two-month period this year, focusing on searches and files that referenced any of 30 top U.S. banks or that fit a specific digital footprint that Dartmouth created for each bank. Results show that a large number of people were inadvertently exposing bank account data and other personal information stored on their computers.
"Many of these documents contained enough information to easily commit fraud or identity theft," says the report. "For one bank, we found a spreadsheet with 23,000 business accounts including their contact names and addresses, account numbers, company positions and relationship managers at the bank." The study even uncovered a bank's detailed manual of its security review process.
Defending Against the Threat
So how can corporations defend against such a threat? Step one, of course, is to have a security policy that prevents the use of file-sharing software. However, "history bears out that just having a policy isn't an effective prevention step," says Jerry Bell Jr., senior manager of technical planning at IBM Internet Security Systems. "It's important, legally, but it doesn't do anything to keep you out of the headlines." Companies should put specific controls in place that ensure that confidential data is never put on PCs that leave the corporate site, he says. If such PCs must carry sensitive information, the data should be encrypted, he adds.
Another critical step is educating the workforce, notes David Meunier, vice president of business development and information risk management at MasterLink Corp., an IT consulting company. "Get users to understand why they shouldn't use this software," he explains. "Specifically spell out what the risks are."
Indeed, IT managers and employees alike sometimes have a false sense of security, notes the Dartmouth report. "Firms often mistakenly believe that they are immune from P2P disclosure problems because they protect the perimeter of their networks with firewalls and even use software to block corporate users from accessing files sharing networks. However, even the best perimeter systems fail when corporate users connect to the Web on public networks while traveling or at home."
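The Dartmouth study found leaks by searching the networks for bank "footprints"; a defender can run the same kind of check from the inside, against the folder a file-sharing client exposes, before anything leaves the laptop. The script below is an added example and is not from the newsletter or from IBM ISS. It walks a directory tree, flags files containing Social Security number patterns or a crude "account number" footprint, and ranks the worst offenders first. The directory layout, the sample payroll export and the account-number pattern are all constructed for the demonstration; a real deployment would point it at the client's actual shared path and tune the footprint per institution.

```python
"""Added example (not from the newsletter or IBM ISS): scan the directory a
file-sharing client exposes and flag files carrying the kind of data the
Dartmouth study found leaking. Paths and sample files are constructed."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# 3-2-4 digit Social Security number; the look-aheads exclude groups the
# SSA never issues (area 000/666/9xx, group 00, serial 0000).
SSN_RE = re.compile(
    r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b"
)
# Crude, constructed account-number footprint: an "account"/"acct" label
# followed by 8 to 12 digits. Tune per institution, as Dartmouth did per bank.
ACCOUNT_RE = re.compile(
    r"(?i)\b(?:acct|account)\s*(?:no\.?|number|#)?\s*[:=]?\s*\d{8,12}\b"
)


@dataclass
class Finding:
    path: str
    ssn_hits: int
    account_hits: int


def scan_file(path: str, max_bytes: int = 1 << 20) -> Optional[Finding]:
    """Return a Finding if the file contains sensitive patterns, else None.
    Only the first max_bytes are read; binary junk is dropped on decode."""
    with open(path, "rb") as fh:
        text = fh.read(max_bytes).decode("utf-8", errors="ignore")
    ssn = len(SSN_RE.findall(text))
    acct = len(ACCOUNT_RE.findall(text))
    if ssn or acct:
        return Finding(path, ssn, acct)
    return None


def scan_shared_dir(root: str) -> List[Finding]:
    """Walk a shared folder and collect findings, worst offenders first."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            found = scan_file(os.path.join(dirpath, name))
            if found:
                findings.append(found)
    findings.sort(key=lambda f: f.ssn_hits + f.account_hits, reverse=True)
    return findings


def build_demo_share() -> str:
    """Constructed sample share: one payroll export that should never be
    here, plus a harmless playlist in a subfolder."""
    root = tempfile.mkdtemp(prefix="p2p_share_")
    os.makedirs(os.path.join(root, "music"))
    with open(os.path.join(root, "payroll_export.csv"), "w") as fh:
        fh.write("name,ssn,account\n")
        fh.write("A. Example,123-45-6789,Account 4011223344\n")
        fh.write("B. Example,234-56-7890,acct no. 55667788\n")
    with open(os.path.join(root, "music", "playlist.m3u"), "w") as fh:
        fh.write("track01.mp3\ntrack02.mp3\n")
    return root


if __name__ == "__main__":
    for f in scan_shared_dir(build_demo_share()):
        print(f"{f.path}: {f.ssn_hits} SSN-like, {f.account_hits} account-like")
```

Run it on a real share path instead of the constructed one and it becomes a cheap endpoint check that works whether the laptop is behind the corporate firewall or on a hotel network, which is exactly the gap the perimeter-only approach leaves open.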
To learn more, read the IBM ISS white paper: "Controlling the Use of Instant Messaging and Peer-to-Peer Applications with the Proventia Intrusion Prevention Appliances."
DAYS OF RISK: When it comes to vulnerabilities, ignorance is not bliss
It's become routine in the IT world: A security vulnerability is discovered in a vendor's product, the vendor announces the vulnerability and then ships a patch. Some security experts have studied the time between a vendor discovering a problem and issuing a patch, measuring the number of "days of risk." They even compare such numbers by vendor to see which one responds the fastest.
But how much damage was done before the problem was discovered, before it was announced, or before a patch was issued? "No one should be getting any comfort from 'days of risk' measurements," says Pete Lindstrom, a senior analyst with Burton Group. "My big beef with it is the assumption that prior to disclosure there was zero risk."
Of course, no one knows how many undiscovered vulnerabilities are in vendors' products at any given time -- including the vendors. Despite vendors' best efforts to write secure code, holes are inevitable. In fact, vendors with the highest number of announced vulnerabilities are not necessarily the ones with the least secure products, notes David Mackey, manager of the IBM Internet Security Systems (ISS) X-Force Threat Analysis Service. "If they are being more proactive in finding vulnerabilities and addressing them, does that make them inherently more secure or less secure?" he asks. "That's a constant argument in the security community."
IBM ISS takes a proactive stance in protecting customers from vendor vulnerabilities. "We can start taking preventive measures even before the patch is released," says Mackey. "In a lot of cases, ISS will have enough information to create a signature for our Proventia gear [IBM ISS' intrusion prevention system] to block that type of traffic." In some cases, Mackey says, IBM ISS has protection in its products even before the vulnerability is made public -- either because the vendor has shared the information with IBM ISS or because X-Force discovered the vulnerability and is helping the vendor develop a patch.
Lindstrom thinks all vendors should be required to specifically and openly describe the behavior of their software so that intrusion prevention systems can be more effectively tuned to defend against vulnerabilities. "We could have the software ship with a safety data sheet -- a policy file that is machine readable and implementable at the system-call level," he says. Such an approach wouldn't eradicate vulnerabilities, he adds, but "it would minimize their impact."
Read the IBM ISS white paper "An Executive's Guide to Vulnerability Management: How to Save Time and Money by Using Managed Services to Find and Fix Critical Security Exposures."
HIPAA NO CURE-ALL: Constrained by tight budgets and IT complexity, hospitals struggle to safeguard their systems
Government regulation is not enough to ensure that enterprises take the necessary security measures. The healthcare industry spends comparatively less on IT security than other industries -- a mere $3.2 billion of the total $61 billion spent by U.S. enterprises last year, according to Info-Tech Research Group.
In general, healthcare spends less of its overall budget on IT than other industries, notes Ed Daugavietis, senior research analyst at Info-Tech, based in London, Ontario. The average IT spend is 6.3 percent of revenue; healthcare spends just 5 percent. Daugavietis says that's because healthcare providers typically focus resources on front-line services, such as doctors and nurses. In addition, medical facilities must dedicate sparse IT resources to managing very complex medical networks, which include medical imaging and other industry-specific applications.
The money that is spent on security tends to be on quick fixes. "The healthcare sector tends to spend on intrusion prevention and detection, enterprise encryption, authentication and endpoint security," Daugavietis says. "It is low on spending on comprehensive suite solutions, like universal threat management." This assessment is based on his research company's most recent budgeting survey, conducted in the third quarter of 2006.
These numbers are surprising, considering that healthcare companies are now subject to the Health Insurance Portability and Accountability Act (HIPAA). Although the security requirements of the act went into effect in 2005, a survey last summer revealed that only 56 percent of hospitals and medical practices have implemented the security provisions.
The survey -- conducted twice a year by the trade group Healthcare Information and Management Systems Society and IT outsourcing company Phoenix Health Systems -- also found that large hospitals were the least likely to comply. Only 49 percent of hospitals with 400 or more beds were compliant, along with just 44 percent of hospitals with 100 to 400 beds. The noncompliant organizations cite budget constraints and the complexities of integrating HIPAA into existing systems and processes as the biggest barriers.
It's not as if the security procedures are unnecessary. Alarmingly, the poll revealed that 39 percent of the healthcare providers had experienced a security incident in the previous six months.
Part of the problem may be that healthcare providers have not yet realized the business benefits to be gained from HIPAA. In the survey, only 15 percent of healthcare providers said they had begun or plan to put in place initiatives to achieve a return on investment from their HIPAA implementations. Such plans might include moving to all-electronic transactions and converting to electronic medical records.
Learn how IBM ISS helped one hospital.
EXPANDING SECURITY'S FOCUS: What used to be strictly an IT concern has become a major business issue that requires strategic thinking
In Inherit the Wind, depicting the famous Scopes trial about evolution, the defense attorney makes an impassioned speech about progress: "I sometimes think there's a man behind a counter who says, all right, you can have a telephone, but you'll have to give up privacy ... You may conquer the air, but the birds will lose their wonder and the clouds will smell of gasoline."
If the same speech were made today, it would sound something like this: "You can electronically trade information with anyone on the planet, but your data will be vulnerable to a multitude of thieves in a multitude of ways, and the world will judge your company on how well you protect yourself."
Because of this expanding landscape, the concept of security is changing. It is no longer just an IT concern. As more and more businesses deal with customers and partners electronically, they are encountering growing numbers and types of vulnerabilities -- and doing so under a more intense spotlight than ever before. When the loss of data through theft or negligence puts your CEO on the evening news and affects your stock price, it stops being a technology issue and starts being a major business issue.
That requires companies to shift their thinking about security from a tactical standpoint to a strategic one. "Security often has a tactical and technical focus buried in IT operations that is ineffective at meeting the complex requirements that organizations face to protect information," says Michael Rasmussen, vice president at Forrester Research. In fact, executives should think about security holistically.
"More corporations are recognizing that security is more than a product in a box -- it's also a service and even an attitude that a company weaves intimately into its operations," says Gunter Ollmann, director of security strategy for IBM Internet Security Systems. "Even as enterprises look to add more security hardware and software, it's important to remember that it also requires a shift in attitude."
The problem starts with the concept of the "product in the box." The increasing complexity of threats means that the average user has added as many as 10 security products to his desktop, Ollmann notes, each from a different vendor. Managing all of those is an increasingly onerous task.
But looking at security holistically means thinking beyond the desktop. That means expanding your thinking about security to all the vulnerable points within the network -- Web servers, e-mail servers, network servers -- anywhere you've opened a port or channel to enable data to flow in and out. Those bear careful monitoring as well.
These days employees need to understand that ensuring secure operations is not just the purview of the IT department, but of everyone. They need to be as careful of their office computer as they are of their home computer.
The upshot for companies: Develop, distribute and reiterate clear and concise security policies to all parts of your business, and regularly update them to make sure they continue to serve the company's needs.
This expansive view of security can overwhelm companies. That's why they may want to consider the option of handing off the increasing tactical security issues to a managed security services provider.
To discuss outsourcing security, call David Puzas, IBM ISS Professional Security Services, at 404-236-3673.
ENVISIONING A SAFER FUTURE: CTO Chris Rouland faces the threats
A key part of the job of Chris Rouland, CTO of IBM Internet Security Systems (ISS), is to speak to governments and businesses about the myriad lurking security threats. Rouland believes that corporations must do more than just protect their own networks, because most transactions these days occur beyond their networks -- out there in the untrustworthy universe of the Internet. One endpoint of a transaction -- the corporation -- may be well-protected. But the other endpoint, the consumer's computer, may not. Rouland estimates that 80 million to 100 million consumer computers worldwide have been compromised.
"With that rate of infection, if you're Bank of America, for instance, you have to assume that the bad guys are intercepting one out of every 10 of your transactions."
The answer lies in quickly identifying the malware used for the interception and disabling it. "That's the technology we're working on under Horizon 3," Rouland says. "If a bank had it up and going, its computer would switch to read-only and deny the transaction."
Rouland believes that corporations are shouldering too much of the financial burden for the unpoliced wilds of the Internet. "If a consumer gives away his credentials because he didn't secure his computer, is a corporation to blame? I don't think so. But right now consumers enjoy this protection and corporations eat the cost."
That is one reason Rouland wants enterprises to band together for collaborative protection -- to move into gated communities. His notion is that "some of its computers would be linked peer-to-peer, and the instant a virus appeared in one place, the entire community would be notified and mobilized to respond. No shipping off viruses to a company and waiting for a software update. It's too slow." Such a unified system could help stem some of the burgeoning threats, including from VoIP.
Getting the Government Involved
But Rouland says the road to dependable, unified security for VoIP and other messages must run through the government -- there is no way around it, he believes -- and he has spent considerable time trying to win over officials to his thinking.
He sometimes has to scare them to get their attention. He recently warned the chair of the U.S. Federal Trade Commission, for example, that the do-not-call registry, which empowers consumers to block unwanted phone solicitations, would soon be obsolete because of VoIP.
Government also must wade into one of the biggest ongoing battles about the Internet, namely privacy. Rouland jumps right into the fray, taking a somewhat controversial stand.
"Let me put it this way: I'm not a very big privacy advocate," he says. "People complain that their ISPs shouldn't be permitted to inspect packets. But if they don't, how can they protect you? Take Skype, for example, a secure, anonymous VoIP telephony system and the communication of choice for criminals. Last year, more than 20 improvised explosive devices were detonated over Skype. Hook an IED to a cell phone, call into the phone through Skype, key in the code and set off the bomb. You're never going to get caught. Totally private and anonymous communication systems may protect you, but they also protect the bad guys."
