Last year was a watershed for the Internet. The number of users worldwide passed the 300 million mark. Whew! But that also means that the number of crooks on the Web surpassed 1 million.
The calculation is based on the U.S. Uniform Crime Reporting Statistics, which we have extrapolated to the world at large, so we're only talking about crooks whose vitae include arrest and conviction. Their crimes include forgery, embezzlement, fraud, vandalism and disposing of stolen goods. To reach that number of crooks, we assume that the ratio of criminals to law-abiding citizens is the same in the online world as in the off-line world. At this rate, there will be twice as many crooks on the Web in four years.
Appropriately, spending on hardware, software and services to make Web sites secure will also more than double, from $14 billion last year to $30 billion in 2004, according to IDC forecasters.
So everything should be all right, right?
Nope. Metcalfe's Law says a network's value grows by the square of the cost of adding users. So does the potential impact of an action with malicious intent. Crooks in the off-line world at most can mug only a small group of victims at a time; on the Net, it's as easy as spam pie. With Internet commerce expected to grow from $300 billion last year to almost 10 times that in 2004, I don't think we're spending anywhere near enough on security.
In an IDC survey last fall, 95% of IT managers at large and medium-size U.S. companies acknowledged that they had experienced some kind of "incident" in the past year, but mostly, that meant dealing with viruses like the Love Bug. Some 55% thought they had had an attempt at unauthorized use of their systems, applications or e-mail, but only 10% said such an event was detected after it occurred. Only 45% thought they had experienced unauthorized access to systems or information. And less than 30% encrypt any e-mail.
Given the highly publicized Web site problems at Yahoo, Microsoft, AOL and the World Economic Forum, I'm surprised that was the only mayhem detected in the survey. Which brings me back to those crime statistics: How many crimes are committed for which there are no arrests and convictions? How many are never reported or detected?
Make the following assumptions:
- Sometime in the next year, you will have a significant security breach.
- Sometime in the next five years, you or a company in your industry will have a near-catastrophic security breach.
- Between now and then, you will spend only about a tenth of what you should on security.
- No matter how many times you have requested more money for security and been turned down, the IT department will be held responsible if and when there's a major security breach.
Two pieces of advice: First, make sure you have some crackerjack security technicians in your shop to stop problems before they occur. And make sure they're well paid, well motivated and won't cause trouble themselves. Half of all security breaches originate inside the company.
Second, force your company to develop a mission statement on security, document company security policies and spell out security deployment plans for every major business initiative. These should be signed off on by all top executives. That way, when the big breach occurs and you're under fire, you'll be able to drag others with you into the foxhole.
This story, "Take a bite out of crime on the Web," was originally published by Computerworld.