GAO calls for proactive Internet security

The Internet will never be fully secure, but diligence and a number of safeguards applied by businesses and government could curb hackers' access to proprietary information, a General Accounting Office official said Wednesday.

"The Internet is not secure for a reason," said Rahul Gupta, assistant director in the Office of the Chief Technologist at GAO. "It was designed to share information, not protect it from something." Gupta addressed the American Institute of Certified Public Accountants' national auditing update conference.

Wireless communications are even more vulnerable to unwanted surveillance than Internet transactions. Cellular telephone calls can be monitored with a $20 gizmo bought at any electronics store and "no amount of encryption or security will stop someone from stealing from a wireless network," he said.

Although technology is evolving and security protocols are improving, wireless technology is not the safest way to transmit sensitive information, he stressed.

Cyber risks are manageable, but it is up to businesses and government officials to make network security a priority. "A lack of institutional will is more destructive than any technology," Gupta said. "If a large corporation sees it as an afterthought, the game is over."

Surveys show consumers lack confidence in the security of Internet transactions. According to Gupta, 58 percent of those questioned do not consider online financial transactions safe, 67 percent do not feel confident doing business with a company that can only be reached online and 77 percent do not believe credit card information transmitted via the Internet is safe.

Businesses should assess security risks and prioritize what absolutely must be protected. Companies should do their own assessments and not leave all of the decision making to consultants. Then management should implement the necessary security technology and devise an employee policy, educate the employees about cyber security and monitor the effectiveness of the program. The system must be tested repeatedly, Gupta said, because technology is fluid and the slightest change could create security risks.

Software, hardware and employees all pose security risks, Gupta said. Companies often focus on the technology, but a disgruntled or ill-informed employee can be just as dangerous. Security breaches can range from a very helpful employee giving out passwords over the phone to unhappy workers purposefully leaking sensitive information, he added.

Gupta stressed the importance of doing both internal and external security tests. In its testing, GAO teams will sneak into offices to see if they can steal documents and computer disks, and will test the security knowledge of people on the help desks.