Overcome Objections To Network Security
One network security integrator discusses the three main objections to network security solutions and how to overcome them.
Your customers' networks can be infiltrated - with relative ease - by disgruntled/former employees, foreign intelligence services, terrorists, competitors, etc. These potential hackers can steal all kinds of confidential information from a network, including social security numbers, credit card numbers, and medical records. Unfortunately, most of your customers are not aware of the full extent of the computer crime threat, much less the repercussions of lost or stolen information.
There are new regulations and legislation being put into practice that will severely penalize businesses that allow confidential information to fall into the wrong hands. Those penalties include six-figure fines and possible jail time for company executives. Network VARs and integrators suddenly have a very important role to play.
"The government has instituted new regulations relating to network security," says Rick Ricker, COO of security consultant and integrator Enterprise Systems Consulting, Inc. (ESC) (Irvine, CA). "These are federal regulations which state if a network breach occurs and it can be proven that an executive knew confidential information was exposed and did nothing to correct it, that individual can be subject to a fine of up to $250,000 and five years in prison."
New Regulations Toughen Network Security Requirements
According to Ricker, times have changed and customers must be made aware of the new rules. In the old days, companies only had responsibility for corporate duty of care. Individual directors and officers could defend against duty of care claims by showing they acted with reasonable care, relying on information reasonably available to them. But courts today are saying the reasonable care standard is not enough and have moved on to something called duty of oversight. Duty of oversight requires directors and officers to make sure systems are in place to safeguard customer data. "If there is a breach, not only is the company liable, but individual directors are liable as well," says Ricker. "That can mean real prison sentences and real dollars."
Demonstrate Network Vulnerabilities
Since most customers are not aware of just how vulnerable their networks are, Ricker's sales approach is intended to demonstrate the vulnerabilities while overcoming customer objections. There are three objections Ricker typically hears in regard to security solutions, and he comes prepared to shoot holes in all of them. The first objection is usually money. "Even before we present a solution to a customer, they will tell us they can't afford it," he says. "Every company has money to spend. It's simply a matter of priorities. When a customer uses the cost objection, what they are really saying is network security is an insurance policy they don't need to purchase."
To illustrate the need, Ricker identifies exposure points the company may not have considered. One ESC customer wanted to create and store a database with customer credit card information. Ricker will cover the provisions necessary to safely store the information, but convincing customers that security is more than an insurance policy requires a little demonstration. "You never want to demonstrate security weaknesses on a live production server," he stresses. "We will create a new database and load it with dummy credit card numbers. We then store that database on another server which mirrors their production server [this is done by loading the server with information from a backup tape of the production server]."
Once the 'new' production environment has been launched, Ricker will use another computer that is connected to the Internet to access the information on the server. The access is accomplished via an open port on the network. Typically this would be via the HTML port, which in most companies is always open. "It is the port that companies use to advertise their Web pages to the world and, for hackers, is always the path of least resistance," he says. In fact, a recent industry report stated that around 60% of all network attacks are done via HTML ports. Within three minutes of hacking this port, Ricker will have accessed all of the credit card numbers. While this demonstration is successful at showing how easy it is to steal critical information, it immediately leads to the second objection, which is, who would bother to invest the time and money to do that?
Anyone Can Hack Into A Network
"Customers will find this hard to believe, but the tool we use to hack their network can be acquired for free on the Internet," says Ricker. "Anyone can hack into a network because accessing a server does not require a $300,000 piece of software or some proprietary, cost-prohibitive piece of code." There are also sophisticated, robotic scanners that run 24 hours a day and do nothing except look for holes and vulnerabilities in company networks. Anyone who wants to breach a company's server has a variety of ways to do it. "We show customers just how easy it can be," says Ricker.
Customers also think that because no one has hacked them yet, they don't need to bother with security. To overcome that objection, Ricker has them put a server on the network. He then installs intrusion detection software. "The software shows customers what is happening to the server," he says. What the customer will see is that as soon as they put the server into their production environment, the software will detect the server being swept, or port scanned, by one of these robot applications that run 24/7. In fact, Ricker reports the software will typically detect someone or something trying to hack that server at least once per hour.
"To not install security solutions simply because you have never been hacked before is naive," says Ricker. "We tell customers to put themselves on the other side of the fence. If you were a hacker, would you advertise the fact that you accessed a company's server? The answer is no. Successful hackers will not tell you your system has been breached because they can now access your server and use it to get information, store files, or launch a deflected attack."
By now the customer has seen how easy it is to hack into a network and how their own network is accessible to hackers. This is where they normally turn to their final objection, which can often be the hardest to overcome. Customers will assert that all networks have holes in them, and hackers will always have ways to find those holes. Therefore, why even bother trying to plug the holes?
Expect Continued Growth In Network Security
Ricker explains that with the new federal regulations in place, not installing network security is a failure to perform duty of oversight and will lead to the previously mentioned fines and jail time, as well as the possibility of class-action lawsuits. Money is no longer a valid excuse for not installing adequate network security. Ricker believes VARs and vendors used to sell security using fear, uncertainty, and doubt (FUD). However, the new regulations have made things more concrete and less subjective. The FUD factors are no longer a selling or marketing gimmick. They are reality.
Spending on security is not expected to slow anytime soon. A 2002 survey by InfoSecurity found small organizations are dedicating almost 20% of their IT budgets to information security. Medium-sized companies are investing 10% of their budgets, and for large companies the figure is 5%. The mean of those numbers is around 11 1/2%. "Since an organization of just 2,500 employees can have an IT budget that is well into the millions, the numbers add up quickly," says Ricker. "We had one large customer that was on the verge of bankruptcy. But at the same time they were ready to file Chapter 11, they were still spending over $300,000 a year on security solutions. This company knew the risks involved and was taking the necessary steps to insure its data was protected. Even companies that don't have the money will come up with it if they understand the risks. VARs need to educate them on the risks and liabilities of not taking the proper steps to protect the confidential data."