As far as Richard Stieman is concerned, the terms "online security" and "China" do not belong in the same sentence. The founder of US-based online security consultancy IT Harvest believes many of the more serious online attacks on computer networks around the world are coming from China or Chinese-run servers.
Stieman does not have much in the way of empirical evidence, just extrapolated information gathered since before the 2001 hacker wars, during which US hackers targeted sites in China and teenagers from China took aim at the US. (See: Worst Case Scenario)
"China is always the source of attacks from the area," he said.
Regardless of the movie-like quality of the idea of teenagers from across the ocean engaged in a cyber stone-throwing fight, there's no denying that a growing number of people in China are willing and able to attack a computer network, whether by launching a virus or worm or by mounting a denial of service attack.
In some cases, these attacks have targeted foreign government facilities. A handful of government departments in both the UK and the US have had to temporarily shut down due to attacks that originated in China.
This amounts to a warning for businesses operating in China, whose networks may also be at risk from a growing number of potential threats.
Companies specializing in online information know this and put in place strong security measures. Others, however, less savvy or willing to invest in an umbrella before it starts raining may end up paying a hefty price.
Frugal and vulnerable
A 2005 Global Information Security Survey published by the consultancy Accenture found companies in China tend to rely on piecemeal approaches to protect their information online rather than building a careful protection structure. The survey found that only 11% of Chinese companies planned to spend more than US$100,000 on IT security.
More telling, however, was that 46% believed their companies were more vulnerable than a year before.
Just setting up a firewall is no safety guarantee. Everyday applications like instant messenger programs can provide easy entry points for external attacks: the firewall lets their connections out, so anything that comes back through them, a file transfer or a malicious link, never passes a perimeter check. A common lack of internal security, poor security procedures and the fact that almost all retail anti-virus products rely on signatures that are about 10 days out of date multiply the dangers.
Alan Jefferies, an online security specialist with consultancy firm International Risk, said most companies take a reactive approach and rarely consider the dangers they face until after something happens.
"It is a case of money spent after the horse has bolted," he said.
But even prevention can be complicated. Companies are reluctant to share information on their own security protocols, much less on any successful attacks that could have put information at risk.
"No one is prepared to say, we had such and such a problem that cost us X millions of dollars," Jefferies explained. "Listed companies would not want this information out."
Leigh Jasper, CEO of Acconex, an Australian company that provides online information management solutions and has recently set up servers in Shanghai, says its facilities are constantly attacked. Thanks to tight security, its servers have not been breached, but then keeping information safe is the company's business.
In China and Asia there are few companies that can manage large amounts of information through cross-border computer networks. Most of Acconex's clients are companies developing property and looking for better ways to manage the large amount of information they need.
"Almost 100% of the market uses traditional methods to manage information," said Jasper.
Many companies, particularly those that develop rapidly from a small base to operating facilities in many places or many countries, may approach management without much regard for IT. This points to a wider malaise among businesses, one that creates a chasm between business strategy and IT logistics.
According to Peter Koo, a partner at Deloitte Touche Tohmatsu who specializes in governance and IT issues, few companies bring an IT person into the boardroom when developing a strategy. This creates a disconnect between the IT management and overall strategy. As a result, the company can be left vulnerable.
And the reverse is also true – many IT people do not care about management.
"This is a key point. This is worldwide. There are IT people who don't care [about management and strategy]," Koo said.
Koo advocates improving the links between IT people and management but not just on security grounds. His argument is one of corporate governance, pointing out that businesses are getting so big and complex that full compliance is difficult. IT people can ensure information is more easily shared and available.
To do this, however, they need to be aware of the company's overall strategy.
Implementing a coherent IT and corporate strategy is easier for smaller companies that are just beginning to grow, but few of them think about it from the ground up. Putting systems in place early is a lot easier – and cheaper – than waiting until after an attack.
The same philosophy applies to what is perhaps a more significant danger for most companies: the threat posed by high staff turnover. Industries plagued by the "revolving door" syndrome are at particular risk from employees who help themselves to things like client lists and then go across the road and set up shop.
The solutions are similar to those that come into play with almost all other types of security. Prevention and proactive thinking are always best.
"Be careful who you recruit," said Steve Vickers, president and CEO of International Risk. "Don't hire people who are butterflies – employee dishonesty is the number one problem."
A strong IT security platform, one that includes multiple access levels and various levels of information classification, is also key. But Jefferies thinks it's unlikely this wisdom will become common practice anytime soon.
"I still think it's going to be a reactionary, not a proactive thing," he said.
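As an added example, not code from the article or from any of the firms it quotes: a small Python model of the two controls the article recommends, clearance levels over classified records (nobody reads above their clearance, and a disabled account reads nothing) and an audit trail that a detector scans for the insider pattern described above, one user pulling most of the client list in a short window. The user names, classification levels, threshold and audit events are constructed for illustration.

```python
"""Classification-aware access checks plus a bulk-export detector.

Added illustration for the article; the records, users and audit events
below are constructed, not taken from any real system.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import IntEnum


class Level(IntEnum):
    """Information classification levels, ordered low to high."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass
class Record:
    record_id: str
    level: Level


@dataclass
class User:
    name: str
    clearance: Level
    active: bool = True  # flip to False on resignation or termination


@dataclass
class AuditEvent:
    ts: datetime
    user: str
    record_id: str
    allowed: bool


class Store:
    """Records with a clearance check on every read and an append-only audit log."""

    def __init__(self, records):
        self.records = {r.record_id: r for r in records}
        self.audit = []

    def read(self, user, record_id, now):
        rec = self.records[record_id]
        # No-read-up: clearance must be at or above the record's level,
        # and the account must still be active. Every attempt is logged.
        allowed = user.active and user.clearance >= rec.level
        self.audit.append(AuditEvent(now, user.name, record_id, allowed))
        return rec if allowed else None


def bulk_access_alerts(audit, store, level, window, threshold):
    """Return {user: fraction} for users whose successful reads covered more
    than `threshold` of all records at `level` inside any `window`."""
    total = sum(1 for r in store.records.values() if r.level == level)
    per_user = defaultdict(list)
    for ev in audit:
        if ev.allowed and store.records[ev.record_id].level == level:
            per_user[ev.user].append((ev.ts, ev.record_id))
    alerts = {}
    for user, reads in per_user.items():
        reads.sort()
        for i, (start, _) in enumerate(reads):
            distinct = {rid for ts, rid in reads[i:] if ts - start <= window}
            frac = len(distinct) / total
            if frac > threshold:
                alerts[user] = frac
                break  # one alert per user is enough
    return alerts


def build_demo():
    clients = [Record(f"client-{i:03d}", Level.CONFIDENTIAL) for i in range(20)]
    memos = [Record(f"memo-{i}", Level.INTERNAL) for i in range(5)]
    return Store(clients + memos)


def run_demo():
    """Constructed scenario: normal use, a denied read-up, and a bulk pull."""
    store = build_demo()
    alice = User("alice", Level.CONFIDENTIAL)
    bob = User("bob", Level.INTERNAL)
    carol = User("carol", Level.CONFIDENTIAL)
    t0 = datetime(2006, 3, 1, 9, 0)

    # Alice reads three client records spread over a working day.
    for i in range(3):
        store.read(alice, f"client-{i:03d}", t0 + timedelta(hours=i))
    # Bob is cleared only to INTERNAL; a client record is refused.
    denied_bob = store.read(bob, "client-000", t0) is None
    # Carol pulls 18 of the 20 client records in under ten minutes.
    for i in range(18):
        store.read(carol, f"client-{i:03d}", t0 + timedelta(minutes=i // 2))
    # Once her account is disabled, a further read is refused.
    carol.active = False
    denied_carol = store.read(carol, "client-019", t0 + timedelta(days=1)) is None

    alerts = bulk_access_alerts(store.audit, store, Level.CONFIDENTIAL,
                                window=timedelta(hours=1), threshold=0.5)
    return denied_bob, denied_carol, alerts


if __name__ == "__main__":
    print(run_demo())
```

The access check and the detector work off the same audit log, which is the point: the clearance check stops Bob, but Carol is cleared for every record she reads, so only the pattern of her reads gives her away. In practice the window and threshold would be tuned per data set, and an alert would feed a review rather than block the account on its own.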