HP ProLiant 4500 Compaq Enterprise Security Framework - Page 8

Security Environment: Current Situation



WHITE PAPER (cont.)

On the opportunity side of the security equation, IT managers must consider the possibilities that can be pursued with robust security in place. These items could be revenue-enhancing and/or cost-reducing to business’ bottom line. The first category of opportunity is Electronic Commerce. Here, with adequate security, companies have the potential to sell their goods directly to their customers and potentially branch into new businesses. For example, a supermarket could set up a virtual store/web site for customers to purchase specific food bundles that could be packaged and delivered regularly. Businesses could also sell this information to food suppliers so that these vendors could effectively target their advertising mail and coupon efforts. In addition, businesses can foster closer relationships with customers and consumers. By creating and maintaining communities of interest over the web, businesses can strengthen their value to customers.

Finally, there are significant cost-saving opportunities for businesses with adequate public network security. Businesses can reduce their leased line expenses by setting up encrypted virtual private networks (VPNs) with their business partners to exchange information. By granting partners access to internal parts databases and allowing them to order parts directly, manufacturers and suppliers reduce their customer service costs.

Security Environment: Current Situation

Over the past several years, computing security breaches have become a regular issue for enterprise IT managers. The exact size of the issue is an open question. However, industry surveys identify a few important facts:

  • Computer security breaches are a common, widespread, and growing problem.
  • The most prevalent threats to computing security are well known.
  • The insider remains the primary threat to computing security, but outsider attacks are quickly rising.
  • To date, enterprises have deployed only simple solutions to address these issues.

The traditional threat to enterprise security has always been the insider. This menace remains prevalent in today’s computing environment. However, the growth of the Internet has brought the insider and outsider threats to near parity in terms of the number of attacks and breaches reported this past year. Recent surveys report that this growing equality is due to the fact that corporations have established network links with outside sources (e.g. remote employees, consumers, business partners), and greater numbers of people have the requisite skills and tools to break into these networks.

While these external “hacker” attacks are rising, the most prevalent and damaging breaches remain the most basic ones. Most business surveys cite virus outbreaks as the most common computer security incident, affecting 75% of enterprises. The frequency of these attacks also seems to be rising. A recent study cited a threefold increase in virus attacks on corporate PCs over the past 12 months. The two most common, reported means of asset theft (digital and physical) are simple password exposure and equipment theft. RSA reports 200,000 laptops and 100,000 PCs were stolen in 1996. Although the theft of hardware represents a huge loss, the information and applications on these devices are far more valuable.

The problem is widespread. As mentioned earlier, over 75% of the businesses surveyed reported suffering a financial loss due to a breach in computing security. At least 32% of those recounted experiencing five or more significant breaches in 1996. Some surveys have stated that as many as 98% of businesses have been attacked at least once, and as many as 43% of large operations have been breached 25 times or more in the last year.

Most analysts believe these surveys understate the threats to enterprise computing security. The FBI estimates that almost 95% of computer intrusions are undetected. This is due to the advanced