Mid Ocean News: QuoVadis, an IT Security Specialist
10 Oct 2003

INSIGHT by Jonathan Kent published in THE MID-OCEAN NEWS. Republished with permission.

LAST week the Bank of Bermuda announced that more than 200 of its customers were to have their Visa and EasyLink cards re-issued after a security breach had left the accounts open to potential credit card fraud.

Hackers had not broken into the bank’s system, but into the computers of a company in Canada, and had thereby gained entry to data including the account details of hundreds of Bermuda customers.  The incident highlighted the vulnerability of our personal information held in numerous computer systems around the world.

All hackers need is a computer, a phone line and the technical ingenuity to break into an organisation’s network and all sorts of sensitive information can be theirs – and everyone else’s too, if they choose to put it on the Internet.  Companies everywhere are waking up to the modern reality that the security of their electronic data is just as important as locking their doors at night.

In Bermuda, QuoVadis has set itself up as an IT security specialist. We spoke to three part-owners of the company about what they were doing to help plug the leak of private information into Cyberspace.

WHEN SOMEONE steals your identity they can cause mayhem in your life. Through no fault of your own, you can find yourself losing thousands of dollars and end up taking years to be able to get a loan again.

A report released by the US Federal Trade Commission (FTC) last month estimated that last year there were 9.9 million American victims of identity theft, who collectively lost almost $53 billion.

Around 3.2 million people discovered that identity thieves had stolen their personal information in order to set up new bank or credit card accounts. The cost to victims averaged $500 per individual and $4,800 per business.

These days, you don’t have to get your wallet stolen to become an ID theft victim. A hacker in Brazil could gain access to your information on a computer network right here in Bermuda and use it for fraudulent purposes.

As ID theft grows, so does the need to secure our personal data. QuoVadis was a company set up nearly five years ago in Bermuda to help companies deal with data protection.  The company started out primarily to offer digital certificates – a basic tenet of IT security – to businesses.

“When we started doing that, we found that many companies’ systems had other security weaknesses,” said Stephen Davidson, senior vice-president of marketing and business development at QuoVadis. “It was like the front door was locked, but the back window had been left open.

“So we started to add on security services, like round-the-clock monitoring.”  Since then, and even more so since the September 11 terrorist attacks on the US, there have been signs that more companies which were initially reluctant to invest in IT security have accepted the need to take it seriously.

“Two years ago, when we went to companies and said, ‘You have a vulnerability in your system’, they would be insulted,” Mr. Davidson said.  “But now that attitude has changed and they are realising they have a responsibility to their customers and their shareholders to keep their data secure.”

There is no doubt that a major loss or leak from a database could have expensive, embarrassing and even devastating consequences for a company. However, there are still those who are reluctant to splash out on data security because they don’t see where they will get a return on their money.

QuoVadis chief executive officer Tony Nagel believes companies would best be advised to ‘out-source’ their security needs and summed up in layman’s terms the way he thought they should view it.

“If you look at any organisation, you don’t have internal staff who sit there monitoring the burglar alarms 24 hours a day,” Mr. Nagel said. “Likewise, they don’t look at buildings and contents insurance and say they shouldn’t have it because it doesn’t give them a return on their money.”

Mr. Davidson said many did not appreciate the scale of the hacking threat. “We keep hearing things like, ‘Bermuda is so small and the Internet is so big, why should we be worried by hackers?’” he said. “But hacking does not mean you have one person banging on your door. The attacks are automated and the hackers, who are often teenagers, go around the Internet trying and trying different scripts until they get in somewhere.

“The numbers are impressive. On a normal day, you’re likely to see 2,000 attacks – one weekend we had a million. Faced with those odds, it’s just a matter of time before you get hacked.”  Hackers constantly probe networks for weaknesses. It’s the job of QuoVadis to respond immediately to alerts sent out every day on new weak points detected in different systems.

As an IT security firm, QuoVadis itself is an attractive target for hackers. “About two years ago, we suffered a particularly severe attack,” Mr. Davidson said. “It started at 6 p.m. on a Friday, when they thought everybody had left work for the weekend and gone out for a drink.

“As we were reacting to it, we saw that the attacks were coming from IBM in Mexico City. Very quickly we realised that hackers had got into the servers there and were bouncing off them to us. The attack was coming through quite a few countries.”

QuoVadis detected a major weakness in the security of many Bermuda companies when it carried out a survey, in conjunction with Ernst & Young, last November.  Inside one hour, they accessed nearly 70 corporate IT wireless networks from the street. Many of the networks were open to anyone with a laptop and a wireless card, their report concluded.

Wireless networks have become increasingly common in offices, retail outlets and homes because they are cheaper and more convenient than wired systems.  Another threat comes from cyber vandals who send out viruses capable of bringing down big networks.

FOR EXAMPLE, just two months ago the Sobig virus was credited with crippling Air Canada’s passenger ticketing network and shutting down the New Zealand stock exchange.  The virus attacked Microsoft Windows users via e-mail and file-sharing networks. It also deposits a Trojan horse, or hacker back door, that can be used to turn victims’ PCs into senders of spam e-mail.

Just a week before Sobig, the Blaster virus caused the Bermuda Hospitals’ Board (BHB) to turn off its external e-mail to stabilise the systems after the computer system was hit.  The networks of some large companies in Bermuda are also known to have been brought down at the same time.

The QuoVadis staff of nine includes six technicians who continually adapt their customers’ defences against new threats as they appear.

But being a hackers’ victim is not the only way an organisation can suffer a data security breach.  “Number one is hackers, but that’s not the only security risk,” Mr. Davidson said. “Two is inappropriate internal use, snooping or causing chaos on the network. Three is system failure, virus damage or a natural disaster like a hurricane.”

Mr. Nagel spelled out some of the damaging effects of an IT security breach.  “Loss of valuable data can cause huge amounts of corporate loss and companies risk embarrassment and damage to their reputations,” he said.

“For example, look at the banks who have been in the spotlight over credit card fraud. People don’t care if the banks have done nothing wrong. They are screaming at the banks, because they are perceived as having done something wrong. That sort of damage to a reputation could effectively kill a company.”

Most companies whose data security is compromised keep it quiet to avoid that potentially damaging embarrassment. But that is changing in parts of the US.

California has set the trend with its controversial SB 1386 law, which requires organisations to report breaches of their data security when consumer details are accessed by unauthorised people.  The effect of that legislation is spreading across the US and the world.  “That legislation has all sorts of implications for companies,” Mr. Nagel said. “There may be companies in Bermuda, for example, who have information about California residents. So does that mean they have to report when their security is breached? And what happens if they don’t report it?

“This type of regulation is pushing its way quietly across America, through state insurance commissioners and through the Securities & Exchange Commission.  “The flip side is that the corporate entity, while it is under an obligation to keep your data secure, also has to allow individuals access to their data to make sure it’s correct. That is another challenge.”

Mr. Davidson added: “There is an impact in Bermuda from regulations made elsewhere. For example, there is the Sarbanes-Oxley Act in the US and the post-Enron legislation which means companies have to ensure the integrity of their financial data, to protect their systems so they can’t be interfered with and to have tested recovery plans.

“One implication of data protection legislation for companies is that to move towards protecting databases and individuals’ privacy, they have to have the wherewithal to know when they’ve been hacked.”

The Bermuda Government is also planning to get tougher on data protection, with new proposed legislation expected to be tabled in the next session of Parliament.  More details will be revealed when the proposals go up for discussion in a public forum within weeks.

Any tightening up of data protection law is good for business and QuoVadis, which offers the likes of Sentry, a programme that monitors a network for hacking attacks 24 hours a day, and Sweeper, an anti-virus and spam system. And the company is encouraging customers to out-source all their IT security work and monitoring.

“When people are focusing on building up a business, they’re not thinking much about security – security requires a different mind-set,” Mr. Davidson said.  “That’s why having an independent security specialist is a good thing.”

ROMAN BRUNNER, the general chief executive officer of the QuoVadis group, said: “If you out-source your security and have a service-level deal, then you have professionals looking after your security.

“Dealing with security internally is difficult. If a company has ten people in its IT department and security is breached, each person will say, ‘It’s not my fault because ...’ But if you have out-sourced, you know exactly who is responsible for your security.”

Out-sourcing IT security management to specialists was a growing trend in Bermuda business, he added, especially among international companies which were feeling pressurized by burgeoning data protection laws in Europe and America.

QuoVadis has a clientele of more than 20 companies, many of which operate internationally. Mr. Brunner said he was aiming to expand QuoVadis’ business overseas, through Bermuda-based companies.