Despite the massive growth in the e-economy and the opportunities provided by it, British business from CEOs to secretaries still seem ignorant towards security and the basics of using everyday technology.
The business leaders don’t seem to have any control over strategy and the end-users are the ones putting the business at risk every time they send an email. Businesses seem to admit that their networks are in drastic need of improvement.
Vanson Bourne, an independent IT research consultancy, conducted this research programme on behalf of Network Associates. Research fieldwork took place during September and October 2000, involving telephone interviews with 120 Network Managers in large organisations (more than £200m turnover) in the financial services, telecommunications & media, petrochemical, pharmaceutical and general manufacturing, and government. These were selected on the basis of the size and complexity of their network (42% of the sample had more than 1000 networked users).
Participants were asked about the complexity, vulnerability, security and manageability of the business network, given the increase in users and applications to which the network is put. The result is a snapshot of the status of the business network, the strategies that support and protect it and the pressures on those responsible for its maintenance and development.
This report was written by Vanson Bourne based on the findings of this research programme.
SUMMARY OF MAIN FINDINGS
Ebusiness – Impact on the Network
By end 2001 over half the businesses sampled will conduct ecommerce from their website.
Ebusiness tools and methods (Intranet, Extranet, remote access to corporate systems for employees) will be almost ubiquitous in the sample group by end 2001.
In over 70% of companies over ¾ of employees have use of email
Network & Communications managers recognise the strains ebusiness is and will continue to make on corporate networks:
84% say ebusiness will increase their network traffic.
85% say ebusiness means they need to upgrade AV technology regularly.
Over 70% say their network availability and access speeds are put into question by ebusiness.
However in approaching half of the companies in the sample, the Network & Communications Manager does not report to the IT Director. These messages may be being watered down or even blocked, because over ¼ feel their budgets are inadequate for the task set.
Vulnerability and damage to the business
Virus attack is a growing threat in an ebusiness world.
23% of companies have had data corrupted through virus attack
In the last six months 16% have had to take the network down, such was the severity of the attack.
That corrupted data is unavailable on average for five hours
Not surprisingly Network & Communications managers remain vigilant.
Only 34% feel “completely satisfied” with the ability of their current measures to rebuff a virus attack.
Security and Business Risk
Network security is a greater concern than virus attack in the majority of companies surveyed, in fact some telling statistics emerge..
Almost half of Network & Communications Managers think both their own company’s progress in ebusiness and the ebusiness economy at large are being hampered by fears over security.
Over half do not consider their senior managers “alert to network security risks”.
Network users are even less trusted. Less than 30% of respondent consider their network users “alert to network security risks”.
“Users” are seen as by far the least secure part of the corporate network.
Managing the Business Network
Network & Communications managers spend far more time than they would like in purely operational matters.
Five days a month, on average, are spent on specific security and anti-virus issues, despite over 80% claiming to have strategy in place (which, by extension, would suggest less need for week-in-week-out involvement of this kind).
If there is an outage, look at the WAN first. This is the most susceptible area of the network and 30% say it is out of action more than once a quarter.
Outage is perhaps a diminishing issue, although the numbers are still quite high. “Brown-out”, when speed and availability shrink, are more of a challenge and good network management software should enable early detection.
Less than 50% of Network & Communications managers believe their network management tools to be effective at detecting low output or low availability.
Users – they need all the support they can get
Friction and chafing at the interface of IT department and user is as bad as ever.
25% of Network & Communications managers’ time is consumed by user support issues.
62% reckon users think that the support function is understaffed.
Almost half think users are “inept” when it comes to IT. The problems logged at the help-desk are in the “user error” category and are soluble using online and other resources, without contacting the help-desk telephone line.
In this context, not surprisingly, 73% of Network & Communications managers see little role for extending user self-service.
EBUSINESS – IMPACT ON THE NETWORK
To establish the extent to which ebusiness has changed the role and profile of the business network, we enquired about current and planned usage.
We found that networks have become highly extended. Almost twice as many companies (excluding government) expect to be conducting ecommerce this time next year, which has huge implications for the security and durability of the network.
Internet access and the use of email are also significant factors in the maintenance of a secure and functional network. We found that over 70% of organisations give email access to at least three-quarters of their staff and that over 50% of companies give web access to over 50% of employees.
So, aside from the conventional sharing of files and printers, the network is genuinely the platform upon which the business appears to rely. No surprise then, that 97% of Network Managers agreed with the contention that it would be difficult to run the business without the network and 90% thought their business network confers competitive advantage.
64% of organisations interviewed claimed to have an ebusiness strategy, even though many more (almost all) are indulging in ebusiness activities. Clear indication that piecemeal activity is taking place with no-one attending to the overall objective. Equally concerning (NB Mr Blair), only 37% of government organisations stated that they have an ebusiness strategy, even though they too are very active with ebusiness applications and activities.
The rise in ebusiness places new demands on the network and its guardians. We asked Network Managers to rate some of the issues arising from ebusiness growth and found some major shared concerns.
Demonstrably, whether an ebusiness strategy exists or not, there are ramifications for the network infrastructure, which need attention before the organisation can reap whatever benefits it expects ebusiness to deliver.
Where there is an overt ebusiness strategy in place, are those responsible for it likely to be alert to these upstream issues and does the Network Manager have his/her ear? In 55% of those companies with an ebusiness strategy our respondent believes the driving force to be the IT Director. This seems unlikely on two counts; first, in only 46% of these organisations does the IT Director sit on the board and second, isn’t ebusiness a more pervasive business remodelling than would sit comfortably in the hands of the IT Director? This response suggests that the Network Manager is thinking more in terms of the IT implications of ebusiness, rather than in the wider context.
Of course, the IT implications of ebusiness are vast, not least in the domain of the Network Manager. So does he/she have access to the IT Director, in order to make the case for network improvements and more investment? Our survey shows that, in 43% of organisations he/she does not. This is not a healthy sign. Whereas almost all companies are ebusiness active (if not all working from a strategy), meaning that the issues raised are prevalent, the Network Manager has to communicate with the senior IT manager via an intermediary.
VULNERABILITY AND DAMAGE TO THE BUSINESS
The “threat from without” has been a major ebusiness issue and remains a constant threat given the large population of business email users. The research went on to discuss the effects of virus attack and the measures being employed to nullify the risk.
85% of Network Managers believe that regularly upgrading of anti-virus technology is an essential corollary to ebusiness. A testament to Network Managers’ refusal to be complacent in the face of this threat is that only 34% of them claim to be “completely satisfied” with their current measures to prevent virus attack. The obverse of this, of course, is that 2/3rds feel to some extent uncomfortable and exposed.
Next the research sought to quantify the damage virus attack has caused and the results show why Network Managers must remain vigilant. 16% of companies within the group sampled – we estimate that to equate to approaching 300 companies – have experienced a virus attack in the last six months severe enough to bring down the network. Looking at the growing incidence of ebusiness activity, it is tempting to predict that this number of casualties will increase.
On an even larger scale, 23% of organisations in our sample area – that’s around 400 companies – have had important data corrupted. The average period of data unavailability is over 5 hours and the estimate for total data downtime in the area of business covered by the survey at 250 working days and many thousands of network-user days. Whilst estimates based on averages, these figures begin to bring into relief how much potential damage is caused by virus attack in the UK.
SECURITY AND BUSINESS RISK
Network security is a bigger headache in 60% of UK organisations than the threat of virus attack. The majority of Network Managers feel that non-technical colleagues, even senior managers, are simply not alert to the risk.
To compound the somewhat stereotypical image of the “techie’s” view of users, when asked what they considered to be the least secure part of their network fully 41% of Network Managers said “users”, nearly three times as many mentions as number two on the list.
At the same time around half perceive that both their own company’s ebusiness efforts and the ebusiness economy at large are not as advanced as they would be if not for security fears.
Some of these fears seem to be unfounded, because 93% trust their network security measures to protect them from intrusion. This suggests that those responsible for ebusiness developments have less faith in the security of the network than does the Network Manager. Perhaps justifiably, as we found that in only 48% of organisations is confidential email traffic encrypted and in 35% of companies no encryption of confidential data takes place at all.
This is not the only area of contradiction when it comes to network security management. Whilst 81% of Network Managers have a specific security strategy in place, which we assume includes a regular review of procedures and technologies, 41% said that recent high profile internet security lapses caused them to review security standards. Something caused the normal review process to be overridden. Maybe this was a knee-jerk reaction prompted by the boardroom having seen the headlines in the FT or maybe there was a recognition that review procedures were inadequate.
To further blur the picture fully 27% of Network Managers feel that their network security budget is inadequate. If only more had the ear of the IT Director, perhaps this figure would be lower. By coincidence, 27% of Network Managers have suffered a breach of network security, of whom 17% in the last six months. This represents an estimated 300 large companies. Again, with reference to the increase in ebusiness activities outlined earlier, we have to assume that some of the 73% yet to experience a breach will get their opportunity.
MANAGING THE BUSINESS NETWORK
We asked Network Managers how they spend their working day
Team management and development is, quite rightly, the most time-consumptive element of the Network Manager’s role. However, purely operational issues consume a large proportion of his/her time. For example, Network Managers spend on average over five days a month dealing with security and anti-virus issues. This seems a remarkably large amount of time, when the setting of a strategy, the selection of a technology partner and the process of regular review would reduce time spent to no more than one or two days a month. Similarly, the Network Manager is being dragged too deeply into network user support issues, judging by the approximately six days a month spent dealing with them. We will investigate the specifics of user support in the next section.
Moving from the day-to-day, to crisis handling, 29% of Network Managers said the WAN was the area most prone to outage and that outage in general is a more regular occurrence than we might expect. In 15% of companies this happens more than once a month, doubling to 30% that experience it more than once a quarter. And the survey does not show that this situation is improving across the board. Around 1/3rd of Network Managers say that outages happen as frequently as or more frequently than they used to.
The statistics revealed above show how great the need is for surveillance of the network. Equally, we found that Network Managers feel their network availability and access speeds need to improve in order to deliver efficient ebusiness. This section of the survey looks at how they monitor and manage those characteristics and how long it takes to resolve a network fault.
Based on this survey, we estimate a network fault to take on average 2.5 hours to fix, with the span of survey response ranging from “less than an hour” to “more than two days”.
Network Managers told us how effective their network management software is at detecting the early signs of a potential outage, or a brown-out which users find so frustrating.
The most surprising feature here is that more than 1 in 5 Network Managers do not know how good their network management software actually is. This must cause both them and the users of the network a good deal of avoidable frustration.
Network Managers spend over one-quarter of their working day attending to network user support issues. Nonetheless, here are some statistics that reinforce what a “black hole” the provision of user support can be.
24% think that users remain dissatisfied with the support provided,
This number that rises to 33% in organisations where users also perceive the support function to be understaffed.
Fully 62% of Network Managers reckon users believe the support function to be understaffed.
Balance these results against the Network Managers’ view of users
49% describe users as “inept” in terms of IT use
41% describe users as the least secure part of the network
and we have a microcosm of the old user/IT disconnect. Surely means can be implemented to bridge this particular gap?
Some of the Network Managers’ comments above are opinion rather than fact, because 33% of organisations do not have processes to track and analyse the effectiveness of their technical support. That means they do not actually know how dissatisfied users are or whether they have just cause. This survey provides clear evidence of the improvement monitoring can bring.
The survey investigated the extent of “self-service” support for users. This concept would appear at first sight to be a good one, because the most common problems logged on the support desk are:-
Password problems – 40%
General user errors – 17%
Printing problems – 13%
These would appear to be absolutely the level of problem that appropriately-trained users could deal with, or even avoid in the first place. However, there’s the rub. The survey identifies a classic “chicken & egg” situation. Half of all Network Managers think users are “inept” and 78% say users still want to get on the phone to someone, even though there is abundant self-help resource. Mindsets on both sides seem set against the “self-service” concept and, consequently, in only 20% of organisations are users empowered to fix PC problems and 73% of the rest do not foresee self-service becoming a feature of IT provision.
The solution is out there, but attitudes seem hardened against it.
THE NETWORK ASSOCIATES “PRESCRIPTION” FOR A HEALTHY E-BUSINESS
1 Elevate the care of your e-business’ health to the board – it’s a strategic issue!
2 Construct a practical, easily manageable but comprehensive E-business security policy that reflects your business processes
3 Review it and audit it constantly – the world moves at internet speed and there is no room for complacency
4 Invest in your e-business security strategy – the ROI will become clear
5 Train your users in basic security policy and get their buy in and understanding
6 Keep Anti Virus software constantly up to date – otherwise it is useless!
7 Centrally manage your e-business security systems