

Tech Update
Security pros say "Beware!"
By ZDNet Staff
August 22, 2001

You may think your systems are as safe as the gold in Fort Knox, but they'll never be 100 percent safe. Enterprises are always susceptible to viruses, worms, and hacker attacks. In an ever-changing landscape, you must anticipate danger if you don't want to be the next unwitting victim making headlines.
We asked top industry analysts about the greatest security threat in the coming year and how you can keep your enterprise secure.
This story originally appeared in CNET Enterprise on 4/30/01.
Viruses and worms, much like hurricanes, may often bear disarmingly innocent names, but every enterprise knows what can follow in their wake. Add the threat of a hacker disabling your site, and it's easy to feel like you're constantly under siege.
New computer viruses
Similar to the past year, major security threats will come in the familiar forms of viruses, worms, and denial of service attacks. Over the next 12 months, enterprises should expect to see at least three new or variant computer viruses spread worldwide--with viruses that affect Linux representing the growth area--and at least two new major denial of service attacks.
Enterprises should use e-mail server and firewall-side antivirus software as well as daily vulnerability scanning services--such as Qualys or Ubizen--to catch vulnerabilities before hackers exploit them. Enterprises should also pressure their ISPs or hosting providers to provide denial of service attack protection.
Enterprises will face a new threat when they extend e-mail out to wireless devices such as PDAs and WAP-enabled phones. Although the over-the-air signal is well protected, the devices themselves include few, if any, security capabilities. Lost or stolen devices will enable fraudulent e-mail and information access. These devices should be assigned a login password and be equipped with a timeout function to log out the device after more than a few minutes of inactivity. The IT department should maintain control over the software used to synchronize wireless devices to corporate systems, even if users procure their own devices.
Competitive hacking
Viruses, worms, and perimeter hacks will be the most pervasive information security annoyances for the next year and beyond. But the greatest security threats will lie in directed, sophisticated, competitive hacking.
Corrupt insiders and outsiders will use clever and very focused attacks such as social engineering, network sniffing, Trojan horse deployments, and password cracking to glean information of great value.
They will make copies of the next product design, source code, or financial data. They will attempt to modify critical data so that you make a bad product or make bad decisions. They will dig for information that is embarrassing or detrimental to you, while being very profitable to your competitor.
These sorts of attacks are the most difficult to prevent and the most damaging to a corporation. To protect the business, we have to identify the resources of value that the competitive hacker is seeking, then defend those locally. We should also enlist all corporate users to be aware of social engineering methods and how to keep confidential information private.
Security technologies protect the network, but only security practices and awareness programs protect the business.
Viruses may eat your data, and hackers may block access, but the real threat to your business is lost credibility. Only a good security policy can help ensure that you'll keep the trust you've earned from your customers and your partners.
Protect brand equity
The greatest security threat to businesses over the next 12 months will not be from viruses, outside hackers penetrating defenses, denial of service, or inside jobs. It will be the loss of trust and brand equity. Of course, all of the above will be threats, and if security policies are not adequately designed, developed, and maintained, [it] will cause service disruptions and economic losses. That pales in comparison, however, with the loss of an organization's online credibility.
The most disturbing trend about this loss of brand equity is that since it is so difficult to measure, few companies will understand the risk and take appropriate action. How do you quantify the lost revenue impact to a customer base that won't do business online? It is far easier to measure the number of intrusions detected, of viruses detected and cleaned. Even infrastructure availability and performance measures are easier to come by. To mitigate this risk, Hurwitz Group recommends that companies quantify the value of a brand and create and enforce a security policy that accurately reflects its importance to an organization.
Companies that make the mistake of searching only where the light is will find it harder to recover in these more difficult economic times.
Colleen Niven and Cate Quirk (not pictured), Analysts, AMR Research
Manage external access
Enterprises today are facing a major security issue: trust. The degree of control to be given to one's suppliers, partners, and other third-party constituents is the concern, while providing consistency and efficiency. Trust is not inherent in the way people do business today, but as their relationships have changed with external constituents, it has become a requirement. A shift has occurred where the need to manage external access has become a necessary function. The lack of access management and control amongst external parties is now the greatest security risk facing enterprises.
Access management includes both authentication and authorization; it is the key to easing security concerns when conducting B2B transactions. Authentication is the ability to determine that a person is who they say they are, while authorization determines where they are allowed to go once let into the system. Trust needs to become a fundamental component of the business partnerships, and security provides the control. Organizations will find that the ability to work in a trusted environment is a necessity, and access management is essential to accomplish this.
Today's CIO needs to be a true leader. To effectively protect the enterprise, CIOs must carefully balance the open exchange of information and protecting critical data. But the balancing act is tested, because the threat is always changing.
F. Christian Byrnes, Vice president, Security, META Group
CIOs must lead security efforts
The largest threat to enterprise security continues to be the inability of many CIOs to take or accept a leadership role in information security. Security requires a balance between the desire by business units for open communications and the need to protect the organization, its data, and its infrastructure from harm.
Creating this balance requires the CIO to provide clear guidance to business units about the level of threats and the necessary policies, processes, and technologies to partially offset those threats. Without such guidance, companies run with inconsistent security solutions. As a result, every business unit in the enterprise sinks to the security level of the weakest unit.
Nearly 40 percent of global enterprises are currently operating without effective security policies. Smaller organizations are in much worse shape. Poorly configured and maintained servers, despite the best efforts of technicians working without security guidance, have resulted in huge and growing financial losses every year. Losses and brand damage will continue to increase until CIOs learn that security is not a function that will fix itself if it is ignored. Security requires leadership.
A changing threat
The biggest new threat will be to firms' operational integrity. As companies build the Internet into their operations, disruption in or through the Internet will be a real menace. It will often manifest itself as extortion--after all, a portion of malicious activity is always motivated by financial gain. But lots of other motivated people--disgruntled employees, jealous competitors, unhappy clients, political or social activists--will want to hurt companies via the Net. And there's no single thing firms can do to protect themselves.
The unhappy truth is that security on the Internet is like security anyplace else: an endless process of adapting to changing threat. And companies will have to manage as they always have by trying to quantify the value of what they want to secure, identifying the threats to it, estimating the risk, learning the options for and cost of risk mitigation, and then implementing what they can afford.
In general, the most effective way to implement will be to build up the ability to manage a security service provider and to outsource security. That implementation must include investing up-front in an internal mechanism for dealing with security breaches and facing squarely that nothing can keep the company 100 percent safe.
Your security risk will increase as more of your employees work remotely and more business partners share your data. Preventing attacks on your company requires a hard look at your VPN.
The risk of remote users
In the coming year, the biggest security challenges for enterprises will be introduced from outside the corporate LAN. External communications to corporate systems by both remote employees and business partners will become ubiquitous. After further system intrusions by remote users, companies will be forced to address security issues on multiple levels. According to Symantec, 38 percent of reported attacks originate from remote machines. But unfortunately, many of the protocols and procedures currently in use for employee remote access, B2B, and extended supply chain applications are not completely secured for remote communications.
To protect themselves, companies should install firewalls with centralized policy enforcement on all remote machines. This will help to prevent attacks through VPN connections over broadband services, such as the highly publicized attack on Microsoft in October of 2000. In addition, as XML becomes more widely deployed, protocols such as SOAP, with the security extensions proposed to the W3C by Microsoft and IBM, will have to be implemented to protect sensitive communications at a higher level.
The most important challenge will be to enable all of the forms of communication that support the business, without sacrificing the integrity of the computer systems involved.