IT Security In China Shows Cracks

As U.S. businesses move aggressively into the burgeoning Chinese market, they had better investigate the level of IT security in place among the local companies that could become their customers and business partners. Chinese companies, it turns out, are getting hit by more computer-system attacks than their U.S. counterparts--and they're less prepared for many of the threats coming their way.

11% of Chinese companies will spend more than $100,000 in 2005 on information security

For anyone who thinks computer-system security in the United States is worrisome, consider the plight of Chinese companies: They suffer more viruses, worms, denial-of-service attacks, and identity theft than U.S. companies. And they face the onslaught on limited budgets with fewer protections in place.

Those are the findings of InformationWeek Research's 2005 Global Information Security Survey, conducted online in September in conjunction with management consulting firm Accenture. We matched the responses of 700 business-technology and security professionals in China with those of 2,540 business IT and security pros who completed the survey in the United States to conduct our analysis. Bottom line: Chinese companies have a lot of catching up to do, and they know it.

Survey respondents in China are anxious about the situation. Nearly half (46%) believe their companies are more vulnerable to malicious code attacks and security breaches than a year ago. They cite the increasing sophistication of threats, the diversity of attacks, and sheer volume as top reasons for growing susceptibility. (For results of our U.S. Information Security Survey, see "," Aug. 29)

	Improving security is a slow process, says CIO Gao of Shanghai Hengrong International Transportation. Photo by Kevin Lee/Getty Images

Many Chinese companies have yet to implement carefully crafted security procedures. Among respondents reporting that their companies have become more or equally vulnerable to threats in the past year, 49% blame their susceptibility on the lack of an information-security strategy, 42% point to outmoded IT architecture, and 26% report inadequate software-patching procedures.

Complexity (55%), user awareness (53%), and budget constraints (30%) are their biggest challenges. "We're trying to educate our employees about the importance of IT security, but without enough investment, things won't change much," says Gao Hongfei, CIO at Shanghai Hengrong International Transportation Co. The Shanghai logistics and transportation company implemented information-security rules two years ago to inform employees of behavior standards, but it hasn't conducted regular reviews of these regulations since, Gao says. "In the past year, we strengthened the internal management by network isolation, bandwidth control, access control, portal limitation, and access control between different departments," Gao says. "Those measures have had some good effects on our information security, but not [enough]."

Misperceptions

51% of Chinese companies will spend $100,000 or less in 2005 on information security

The once tightly controlled Communist country has undergone a free-market revolution of sorts. China last year became the second-largest destination for foreign investment. In August, Yahoo Inc. handed over $1 billion and its China unit to get a 40% stake in Alibaba.com, China's hot E-commerce company. In September, General Electric Co. said it's buying a 7% stake, worth about $100 million, in China's Shenzhen Development Bank Co., just days after its GE Healthcare unit unveiled a $37.5 million expansion of its Shanghai production facility. GE wants to reach $5 billion in sales in China this year.

Despite growing Western influence, communism has left its mark on the way businesses perceive their exposure to high-tech threats. "China has had fairly strict government control over Internet use, causing many companies to think they are insulated from the need to defend themselves from malware attacks," says John Pescatore, VP for Internet security at research company Gartner. "The lack of appropriate protection to business services, PCs, and Internet connections are making them ideal conduits for security threats."

'Be Aware'

The problems aren't insurmountable. "Chinese companies are becoming more mature in how they deal with issues like security," says Ed Kamins, CIO at Avnet Inc., the $13 billion distributor of electronic components and computers. "We shouldn't be concerned or alarmed. Instead, we need to be aware and prepared to deal with security issues. They will, in time, become what we consider more normal."

Based in Phoenix, Avnet began its expansion into China five years ago, and it has acquired several companies in the process. Today, operations in China and Hong Kong include three operating companies. Business in Asia exceeds $2 billion annually, with most of it coming from China.

Avnet's approach has been to consolidate the systems of acquired Chinese companies with Avnet's own systems to form a global network and uniform applications. Avnet consolidated ERP systems in Asia into an SAP system, while the company's global network lets it centrally manage and monitor security breaches as well as install patches. "We've had regular attempts by all known security threats," Kamins says. "Yet so far, we've experienced no substantial disruption to our business or data."

Like Avnet's acquired companies, Bax Global (China) Co. has been able to insulate itself from IT threats by adopting the security procedures of its parent company, Bax Global Inc., a $2.4 billion supply-chain and transportation-solutions company in Irvine, Calif. "As we are the China branch of the company, we follow the security policies made by our headquarters," says IT infrastructure manager Luke Hu, based in Shanghai. "We use a firewall to protect our internal network. Access control, VPN, and antivirus software are also widely deployed in the company. We also do regular reviews to check the security of our network with our security vendors." In the past year, Bax Global (China) has invested in network security-surveillance systems and updated its security software.

www.securitypipeline.com/