IT Security In China Shows Cracks

Prepared For Problems

National Oilwell Varco, a $5 billion-a-year manufacturer and distributor of equipment and components used in oil and gas drilling and production, has a straightforward strategy to shield itself from potential security breaches. The company uses Web-based systems to track products purchased in China, ranging from commodities such as gloves to capital equipment, through U.S.-based third-party logistics providers that have Chinese operations. Should security problems occur, processes revert to E-mail or fax and manual updates of delivery and commitment dates, says Carlos Castillo, manager of business development at the company.

Chinese businesses rely heavily on analysis of server or firewall logs and intrusion-detection systems to learn of security breaches, but that's not always effective. Half of the Chinese sites that experienced a breach in the last year learned about attacks after discovering actual data or material damage.

Nearly half (47%) of survey respondents say breaches compromised confidential information. Internal records were either lost or damaged at slightly more than a third of companies, or resulted in system destruction. A majority of Chinese sites (68%) aren't able to put a dollar value on the losses sustained.

Attacks are primarily related to operating-system and application vulnerabilities and to the opening of E-mail attachments. And, just as in the United States, the most common suspects behind security breaches are computer hackers, malicious coders, and the intentional and unintentional actions of employees.

In the United States, spyware generally causes only minor damage, such as slowing a PC's performance. In China, however, 44% of companies say spyware has resulted in more significant damage, such as financial losses and identity theft. One possible reason: Only 18% of survey respondents in China report using anti-spyware software. Other tools used to protect information systems include basic user passwords (82%), network firewalls (67%), VPNs (44%), and the Secure Sockets Layer protocol (46%). Chinese companies lag U.S. companies in several such areas. For instance, only 58% of Chinese companies use virus-detection software, compared with 73% of businesses in the United States.

Chinese companies realize they're vulnerable to more sophisticated threats and recognize they'll have to "modify their information-security approach from today's very tactical and piecemeal actions to a more strategic, integrated plan," says Alastair MacWillson, managing partner of Accenture's Global Security Consulting Practice.

Still, Chinese companies are frugal when it comes to spending money to improve security. Only 11% of the companies surveyed (compared with 35% in the United States) estimate they will spend more than $100,000 on security products, services, and salaries this year, and 51% estimate they'll spend $100,000 or less. There is good news, though. Nearly half (49%) say their companies have increased security spending this year.

Follow Through

Once security plans are in place, Chinese companies must follow through with strong, scalable, and integrated architectures if they're to manage risk effectively, counter security threats, and provide a stable environment in which to conduct international business, MacWillson says.

"There are a lot of things we have to do to protect our network in the coming year," says an IT director in the Jiangsu branch of a Chinese telecommunications company. Planned security investments at the company include additional Web-security software, database backups, VPNs, antivirus software, intrusion-detection systems, and traffic-analysis software. The company also will pay closer attention to new systems that are added to its IT infrastructure, such as several unused servers it plans to deploy. "Before doing this, we should take measures to make sure that they are secure to our network," says the IT director.

That's the kind of thinking that will give U.S. business technologists a greater sense of confidence as their companies expand into China. And there seems to be no turning back on that trend. "In general, we see ever-increasing opportunity in China," says Avnet's Kamins.

U.S. businesspeople can't have blinders on as they seek out those opportunities. "Be aware what's acceptable to you," adds Kamins. "If things aren't in your best interest, walk away."

For some companies, inadequate computer-system security could be a deal breaker. Better to start investigating now than to face the consequences later.

--with reporting by Violet Tan, InformationWeek China

Continue to the sidebar:
A Market Of Opportunity?