The Business Case for Focusing on IBM i Security: Close Security Gaps to Avoid a Data Breach

Cybersecurity climbs higher on the IT priority list with every new data breach making headlines, and for good reason. The average total cost of data breaches around the world in 2016 was $4 million, according to the Ponemon Institute. This is an increase of more than 29 percent over what was seen in 2013. Costs related to data breaches are climbing for many reasons:

• Recovering lost data is an expensive and time-consuming affair.
• Investigating who perpetrated the breach, how they did it, and when the breach first occurred is difficult but necessary, and typically requires outside consultants.
• Legal services are often required.
• In the aftermath of a breach, security and infrastructure must be overhauled to prevent future problems.
• Valuable IT time must be diverted from other mission-critical tasks to get systems running again.
• Many customers are wary of doing business with a firm that’s been breached.

Depending on your organization’s size and financial health, $4 million could either sound trivial or astronomical.

$4 million is the average, but many breaches are substantially more expensive. (Target reportedly spent $200 million on crisis management alone.)

Some data breaches (Home Depot, for example) can trigger lawsuits that take years to resolve.

And while breaches at smaller organizations get less media attention, small- and medium-sized businesses (SMBs) are popular targets for attackers. Cybercriminals appear to consider SMBs low-hanging fruit less likely to prevent or detect a breach. For example, Symantec has shown that over 60 percent of phishing attacks target SMBs.

Smaller organizations also have fewer resources available to respond to a breach, making recovery more difficult.

You have your Windows servers patched and firewalls tuned, and network access is restricted. What about your IBM i?

IBM Power Systems servers are among the most tempting cyberattack targets. Although they're not as prevalent as Windows servers, Power Systems servers are often used for mission-critical systems within the enterprise.

75 percent of organizations that run IBM i use it for core business applications, according to the IBM i Marketplace Survey. These core applications include ERP, payment processing, HR, and business intelligence.

With ERP systems like Oracle, SAP, Siemens, and others often storing credit cards on IBM i, the server is a tempting target for attackers.

Insurance companies, healthcare providers, and financial institutions appreciate IBM i’s reliability and scalability, but they’re also the types of organizations more likely to store customer data (such as Social Security numbers) that can be used for identity theft. This data is extremely valuable to criminals, selling for 10 times more than a credit card number on the black market.

With such crucial data stored and managed on IBM i, a robust security plan is a must. But in the 2016 State of IBM i Security Study, virtually every server studied had security gaps that attackers could exploit. 29 percent of IBM i servers were found to operate below IBM’s recommended minimum security level. Most individual users had far greater access to data than necessary.

This is because many administrators aren't aware how much mission-critical data actually resides on IBM i, and so fail to utilize appropriate security measures. Or they erroneously assume IBM i is already secure enough because of its strong reputation for security.

Are you sure you’ve covered all the gaps?

While it's perhaps the most robust OS on the market today, IBM Power Systems servers are not secure in their default state. Even setting your system security level (QSECURITY) to 40 or 50 doesn’t mean your IBM i is fully secure.

Your IBM i is like a car with a built-in anti-theft system: it has the potential to effectively thwart theft and vandalism, but those security features are useless if the window's left open.

IBM i includes great security controls. The problem is the server ships in a dangerous “allow all” configuration. IBM i is highly securable, but you need to know where to look for security gaps and how to correct them. The most important security gaps to consider include:

• Over-privileged users snooping and stealing data that should not leave your organization’s networks
• Former employees who still have access to sensitive data
• Lost and stolen devices with access permissions to critical systems
• Hackers using botnets to hammer firewalls, which can prove especially damaging if you have few safeguards beyond the firewall
• External network access security holes, whether they appear through zero-day exploits or not, are common ways hackers make their way into networks
• Software tools able to access data on servers, as these connections are easily overlooked in security schemes

Some of these gaps are “soft,” originating from human behavior, which makes them difficult to protect against. Still, they can be planned for and guarded against, so long as you know they exist.

Consider this example: an IT staff member grants IBM i access to a user and forgets to log it. If that user’s laptop is stolen, you have an open route straight to the server without anyone realizing it.

That gap could remain open for weeks or even months. On average, a financial firm will take three months to discover a data breach!

If a breach occurs, an organization should—and typically does—announce it publicly.

In the United States, 47 states require businesses to notify customers whose information may have been compromised. Notification laws vary significantly by location and country, although many firms may choose transparency following a data breach to stem the tide of bad publicity.

So, imagine what your CEO would face after a data breach occurs—hard questions from the media and possibly even government scrutiny. A top-to-bottom IT analysis is necessary to isolate the breach pathway. The company's reputation and stock price will likely suffer.

In 2015, U.S. businesses spent an average of $509,000 on customer notifications following a breach. German businesses were second-hardest hit, spending an average of $290,000, according to the Ponemon Institute. Some organizations are able to absorb these costs, but others never recover. And these numbers could be miniscule compared to the cost of long-term reputation damage.

Staff members might also suffer consequences. Some employees may be let go in favor of new IT management in the wake of a breach. The security team is likely to shoulder most, if not all, of the blame for a breach, even if they followed best practices and were not the source of the problem. A breach could and typically does cost someone their job, and that firing can severely damage their future employment options.

Dedicating time and resources to IBM i security reduces the risk of a data breach occurring at your business. Focusing on IBM i security also:

• Protects individual customers (which can give you an advantage over your competition)
• Lowers IBM i’s total cost of ownership by reducing risks and making day-to-day management easier
• Protects your organization and your job!

But what's the best way to drill down on IBM i security?

Hands down, the fastest way to identify security gaps is with a security audit.

Perhaps you’re no stranger to PCI DSS or SOX audits. In the case of IBM i, a security audit is best conducted by experts who are intimately familiar with the IBM i OS and its unique security controls.

An IBM i security expert can spot gaps other auditors miss. Plus, an expert can advise you on how to close security gaps uncovered during the audit.

For an audit to be effective, it must examine the security around all of the following elements:

1. User profile configuration
2. Virus threats
3. Operating system integrity
4. Password policy
5. Data vulnerability
6. Public authorities
7. Event logs
8. Inter-operation with other servers in the network

Your audit is only complete after all these elements have been investigated. You’ll have a thorough understanding of the security gaps on your system and can turn your attention to remedying the vulnerabilities.

• An IBM i data breach could be catastrophic, resulting in millions of dollars in costs and long-term damage to an organization’s reputation.
• No business is too small to be a target.
• Power Systems servers running IBM i run business-critical applications, which means these servers require proper security.
• Security controls on these servers aren't properly configured by default.
• 29 percent of IBM i systems currently operate below IBM's recommended minimum security level.
• The best way to reduce the risk of an IBM i data breach is to get a security audit.