Protecting data and networks is an ongoing strategy

By Martin Courtney

13 Apr 2010


Mike Jones: One customer said they just needed something to help them ‘stop stupid’. Most people mean well, but are perhaps unaware of the impact of lax security

No organisation can afford to rest on its laurels when it comes to IT security. Protecting data and networks from malware and unauthorised access is an ongoing commitment that requires constant review of existing technology and practices as the volume and diversity of threats to sensitive or mission-critical information continue to expand.


A study by security software giant Symantec questioned 2,100 chief information officers, chief information security officers and IT managers from 27 countries in January this year. It estimated that 75 per cent had experienced cyber attacks in the past 12 months, losing an average of $2m (£1.3m) per organisation through reduced productivity, revenue and loss of customer and/or business partner trust.

Every respondent said their employer had lost something as a result of those attacks, either intellectual property, customer credit card or other financial data, or personal identity details.

But while the need for constant vigilance does not change, the approach to co-ordinating and managing adequate threat protection continues to evolve. As does the approach to network security, which now needs to encompass a much wider variety of end-user devices, many of which are used outside the company firewall.

Many IT managers have historically preferred to keep security in-house, but increasing numbers are trusting managed and hosted service providers to protect both their data and their networks, through software-as-a-service (SaaS) and cloud computing models.

Firms such as MessageLabs, for example, are signing up new customers for web-based hosted email filtering services. These scan a company’s message content to identify not only malware in incoming messages, but also sensitive data in outgoing email that could put the firm in breach of the Data Protection Act or other industry rules if it falls into the wrong hands.

“SaaS is gaining traction, especially when you look at web site security and anti-spam, where attacks can be blocked in the cloud,” says Adineke Babatola, analyst at research company Canalys. “It is simple and easy to manage and customers like that, so they understand the business models being offered from the likes of MessageLabs and ScanSafe [acquired by Cisco in December 2009].”

Symantec says its customers are looking for software that will give the bill payer better visibility into what is happening in their IT environments, in terms of infrastructure security health and information security at the network layer. This also includes making sure that sensitive information is being sent back and forth securely between different groups within the same organisation, and making sure that they are exchanging data in an appropriate business manner that is visible to the IT department, but invisible to the end user.

“One of our customers said they just needed something to help them ‘stop stupid’. Most people are well intentioned and well meaning, but they are just trying to do their job, and are perhaps unaware of the impact of emailing credit card details to colleagues, for example,” says Mike Jones, principal security marketing manager at Symantec.

Some 30 per cent of those responding to Symantec’s survey said that messaging security was an issue, partly because of understaffing in the IT department. This is despite findings that suggest the typical organisation employs 120 people with some responsibility for security or IT compliance as part of their role, a figure which rises to 232 in larger companies.

A lack of specialist security professionals means many firms also continue to encounter problems securing the network against attacks from external entities, not least because the location of that perimeter is always changing.

“In the old days, companies just needed to put firewalls on the network perimeter, but now that workers have access to data through remote and mobile devices, that is no longer enough,” Babatola says. “Some vendors see a solution that integrates network security with client security on the end point, and delivers a single policy across it all, as the way forward.”

Combining defences at the network layer, such as firewalls, anti-virus and anti-spam, intruder prevention and detection systems, with end point protection software that manages defences on individual devices such as desktop PCs, laptops, smartphones and other portable computers, is one way to tackle the security challenges posed by remote workers.

But given the need to protect so many types of devices from such a wide source of potential threats, Jones believes there is now greater emphasis on security management, rather than individual tools for specific jobs, which give firms greater visibility into their infrastructure.

“It is clear that companies can no longer ignore the external threat or just say they are going to deal with it at the end point,” Jones says. “It is about understanding what is going on in the cloud as well as local security and roaming user security – that is more important to them than having the latest widget.”

Patch management and virtualisation

Knowing what security software is installed on each client device, and whether or not the latest updates and patches that deal with newly emerged malware have been applied, is a crucial part of that security management process.

But the challenge of maintaining the health of so many types of systems, particularly in large corporates with many offices, thousands of employees and computers running hundreds of applications, is huge.

“Most security issues are based on things that are easily patchable, but if you do not have automated tools, this can be very painful,” Jones says. “Just relying on native Microsoft security tools is not good enough given that most organisations have heterogeneous environments with many operating systems and versions of applications.

“It is not easy to get a company-wide view if you just use off-the-shelf tools.”

That is doubly true when it comes to ensuring that virtual, as well as physical, servers and desktop PCs are hardened against potential threats.

“There are lots of big challenges around protecting IT infrastructure, particularly around stopping virtual desktops and servers from being hacked, and the market for virtualisation security is still in the early stages,” Jones adds.

Whether or not IT managers consider that their virtual infrastructure is more or less vulnerable to security threats than the physical infrastructure is not clear. Symantec’s survey suggests most have never heard of or encountered a threat that is specific to the hypervisor layer, and experts say organisations need to approach virtual security in exactly the same way as they do physical security – by keeping close control of patch management, virtual LAN segmentation, configuration and change management, and access control.
