So we continue the journey with the next evolution of "information security". At this point (1999 - 2000) the motivators for implementing security were small, and very little time, effort, and money were spent on tools, technical training, or preparedness. 1999 was a banner year for malware (viruses, worms, etc.), with most environments being subject to at least one of the major outbreaks (Melissa, Sub7, etc.). Melissa was an interesting one: like many malware infestations to follow, the worm spread exponentially and impacted the services running on the affected systems.
For the first time (for most IT teams) there was an actual outage or impact from having malware in the environment (other than having to spend the time to clean it up). This got the attention of (some) execs, and they started to ask questions like "what could we have done to prevent this?" and "how do we deal with the next virus like this?". Alas, many environments have a short memory, and the next crisis quickly overshadowed the brief spotlight that was cast on the need for an Information Security program.
Year 2000, a.k.a. Y2K, was on most companies' minds. Preparing for the potential Armageddon that would be unleashed when all of the clocks in the world went haywire was a big focus of the last part of 1999, and many administrators who were involved with the budding security movement were spending time testing for Y2K compliance and making sure their systems were up to the task. Also notable in 1999 was the "Financial Services Modernization Act of 1999", also known as GLBA or the Gramm–Leach–Bliley Act. This was one of the first specific privacy acts in the U.S., targeted at financial institutions, and it helped to pave the way for later privacy regulations. This type of compliance and privacy motivator is key to the later adoption of Information Security and Risk Management as key disciplines within an organization.
2000 was fairly slow for malware, with the very notable exception of the "ILOVEYOU" worm. This worm spread like wildfire through MS Outlook/Exchange infrastructure and was time-consuming and costly to remove. This was another sign of things to come, and again for a short time Security had some management visibility. Most environments resolved the threat by deploying anti-virus software, which in itself isn't a bad thing, but doesn't really address the larger issues, as we will see.
To be continued...