Threatened from all sides

The economic downturn is making business data more susceptible to attack from both internal and external sources. So how should IT leaders go about building a good all-round defence?

Security problems can come from almost anywhere

Information security is no longer merely a technical problem – it has become a business imperative. Organisations that have failed to grasp this fact can find their reputations shredded as quickly as sensitive data can be smuggled out of their networks.

Those responsible for information security management must therefore have a deep understanding of the technology and business processes within the company, and ensure that all information users follow best practice.

“Companies need to bring together IT, security, business, legal, HR and other professional groups to agree levels of acceptable risk and put in place the policies and controls needed to meet these targets,” says Professor Howard Schmidt, president of user group the Information Security Forum.

However, good data security is not just about good housekeeping, it is also a legal requirement. In the UK, the Financial Services Authority has imposed significant fines on organisations that have suffered data breaches as a result of their own negligence. Meanwhile, the Information Commissioner is seeking tougher powers to enforce data protection laws.

IT security chiefs should use the guidance from these regulators to shape their policies, says Chris Coulter, commercial lawyer and partner at law firm Morrison & Foerster. “The Information Commissioner is now very clear that encryption on mobile devices is a good thing and that failure to encrypt is going to be an obvious breach of the law if the data is subsequently lost,” he says.

“Clearly, the increasing prevalence of mobile devices is placing pressure on IT leaders to ensure that out-of-the-office data is properly protected and that users understand the basics of security – lock doors, password protect devices and don’t leave laptops on trains.”

Recent high-profile data breaches have pushed IT security up the boardroom agenda, and IT departments are in the spotlight like never before.

Security has always been a priority – at Meggitt Avionics it goes with the territory of manufacturing components for military aircraft. But increasingly the business understands the need for a holistic approach to IT security, rather than relying on point solutions.

Identity management has become a major issue for Meggitt Avionics. The firm uses single sign-on technology from Imprivata, which includes biometric authentication to control access to the corporate network, applications and sensitive data.

“Security must be part and parcel of everyday life,” says Stewart Gale, network services manager at Meggitt Avionics. “All our users understand the importance of data security and that any transmitted data has to be approved and cleared before being moved anywhere.”

A similar ethos is prevalent at the Scottish Government, where the IT security focus has shifted from protecting the network to securing data. This has required greater controls around process, says Ben Plouviez, head of information services at the Scottish Government.

“In the traditional security model we work inside a heavily fortified perimeter that is supposed to keep us safe from the bad people. It’s a model that is showing its age technically as well as failing to meet business needs,” he says.

The trick, according to Plouviez, is to understand the value of the information held and build appropriate security into the data so that if it does go walkabout, the consequences are minimised. “I don’t worry too much about the penetration of our network because if security resides with the piece of data, it will not really be an issue,” says Plouviez.

Fraud, espionage and sabotage continue to be major security challenges and an increasing focus for organisations. However, with cost-cutting measures now high on the corporate agenda and employee redundancies becoming more commonplace, new security threats are starting to emerge. Information theft is set to grow as the economic climate worsens, says David Feldman, vice president of technical services at security consultant PineApp.

“Internal security breaches are on the increase as disgruntled, laid-off workers seek to capitalise on their employer’s data,” he says. These internal threats have the potential to cause greater harm than attacks from external sources since employees often know where the most sensitive data is stored. In tough times, the security message has to be one of increasing vigilance and reducing vulnerabilities.

But IT will get little thanks for providing iron-clad security if in doing so it undermines productivity and business effectiveness. The key is to develop an approach to security that takes into account business needs, user requirements and information resources. Research suggests that insiders are responsible for about 90 per cent of all system attacks. However, almost two thirds of attacks are inadvertent – the result of poor user education rather than malicious intent or nefarious activity, says Feldman.

The majority of users are not intentionally trying to lose, steal or corrupt data – ­ rather, they have little understanding of the impact of their actions. By combining information security strategies that reflect users’ needs with training that highlights potential risks, organisations can improve staff effectiveness and data protection without significant IT investment.

Indeed, many organisations waste a lot of resources securing systems that have no need to hold or process sensitive data in the first place. Delivering security value involves thinking more broadly about all the available mechanisms to reduce risk – not just the implementation of yet another security measure.

At the Scottish Government, the rollout of an electronic records system gave managers the opportunity to review and revise the sensitivity of the information being held.

According to Plouviez, it is the amount of personal and delicate data squirrelled away in unstructured data that interests him. “We are trying to identify and, as far as is consistent with our good business practice, delete the transitory, ephemeral and unimportant stuff that finds its way into our records,” he says. “We have to spot the data that is really at risk, rather than try to guard it all.”

With the recession likely to increase the strain on enterprise security in all its forms, IT chiefs will face some tough decisions. Nick Seaver, security director at professional services firm Deloitte, sums up the challenges: “To add value, organisations need to consider not just the technical aspects and options to implement security technologies and controls, but also whether changing technology, processes and people in the wider organisation may be more efficient.”

In the second part of our definitive guide to security, we explore how security issues are being tackled at some of the UK’s leading organisations


Five principles underpinning robust security strategies

Security is not a standalone discipline any more, and security professionals today need to understand the broader business context if they want to succeed in their job. Security also needs to be adaptable to changing technological and economic environments.

Avoid the temptation to adjust your risk appetite. In tough economic times, business managers tend to be more inclined to accept risks. Rather than spend the money on mitigation, they are willing to take their chances and hope the risk doesn’t materialise. Security leaders need to stand fast – this is in fact the worst possible time to take chances because your organisation is much more at risk in such times. The threat of insider fraud and security breaches grows as economic times get harder. The prospect of losing their job or the pressure to perform and compensate for the lean workforce is reason enough for some employees to cut corners to meet targets or to take revenge on companies they feel have treated them badly.

Modify your plans to account for prolonged economic uncertainty. Develop a flexible and nimble approach for taking on large investment projects. Whether you are working with a vendor or doing it yourself, it’s essential that you divide up large projects into small, digestible chunks. This becomes a necessity in tough economic times, where you may not have the budget or resources to work on the project a few months down the road. You want to have the flexibility to adjust the timeline and the investment at short notice.

Spend your budget on projects that affect the bottom line of the business. Most security projects cannot be justified strictly on the basis of return on investment. But certain projects can create efficiencies and have tangible cost savings while maintaining or even improving security.

Take an information lifecycle approach to data protection. The continued high volume of data breaches has kept many security professionals on their toes and in a reactive mode. Many look for quick fixes and overnight solutions to a complex problem that requires careful consideration and a multi-year approach.

Encryption is a good first step towards data protection, but it will not guard against insider abuse or access control violations: a user who is authorised to decrypt the data can still misuse it, so the controls that decide who may read what, and that record who did, matter as much as the cipher. A much more comprehensive but time-consuming strategy will focus on the process of managing the data lifecycle, starting from classification and ending with disposal. It will augment that process by deploying tools for areas such as access control, data protection and data leakage prevention. Most importantly, the strategy should provide adequate user security awareness and training to ensure that users become the first line of defence.
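To make the point concrete, here is an added Python illustration (not code from the article or from any of the vendors it names) of the lifecycle just described: each record carries a classification label, access is decided by clearance and need-to-know rather than by possession of the ciphertext, every read is logged, and disposal is done by destroying the per-record key. The cipher is an HMAC-SHA256 keystream standing in for a proper AEAD, and the departments, users and records are constructed for the example.

```python
"""Data-lifecycle store: classify, control access, audit, crypto-shred.

Added illustration for this article; not code from the article or from
any vendor it names. The cipher is an HMAC-SHA256 keystream standing in
for an AEAD such as AES-GCM; users and records are constructed samples.
"""
import hashlib
import hmac
import os
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CLEARANCE = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "RESTRICTED": 3}
NEED_TO_KNOW = {"CONFIDENTIAL", "RESTRICTED"}  # also require the owning department


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # PRF in counter mode. Illustrative only: use the `cryptography`
    # package's AESGCM in real systems (this has no integrity check).
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Record:
    classification: str
    owner_dept: str
    nonce: bytes
    ciphertext: bytes
    key: Optional[bytes]  # None once disposed; the ciphertext is then unrecoverable


@dataclass
class User:
    name: str
    dept: str
    clearance: str


class RecordStore:
    def __init__(self) -> None:
        self.records: Dict[str, Record] = {}
        self.audit: List[Tuple[str, str, str]] = []  # (user, record_id, outcome)

    def put(self, rid: str, plaintext: bytes, classification: str, owner_dept: str) -> None:
        key, nonce = os.urandom(32), os.urandom(16)  # one key per record enables shredding
        self.records[rid] = Record(classification, owner_dept, nonce,
                                   _keystream_xor(key, nonce, plaintext), key)

    def read(self, user: User, rid: str) -> Optional[bytes]:
        rec = self.records[rid]
        # Encryption never decides who may read; this policy check does.
        allowed = CLEARANCE[user.clearance] >= CLEARANCE[rec.classification]
        if rec.classification in NEED_TO_KNOW:
            allowed = allowed and user.dept == rec.owner_dept
        if not allowed or rec.key is None:
            self.audit.append((user.name, rid, "DENIED"))
            return None
        self.audit.append((user.name, rid, "READ"))
        return _keystream_xor(rec.key, rec.nonce, rec.ciphertext)

    def dispose(self, rid: str) -> None:
        # Crypto-shredding: discard the key. Copies of the ciphertext left
        # in backups stay unreadable without it.
        self.records[rid].key = None

    def bulk_readers(self, threshold: int) -> List[str]:
        # An authorised insider passes every policy check; only the audit
        # trail shows that someone read far more than the job requires.
        counts = Counter(u for u, _, outcome in self.audit if outcome == "READ")
        return sorted(u for u, n in counts.items() if n >= threshold)


def demo() -> dict:
    store = RecordStore()
    for i in range(5):  # constructed HR records
        store.put(f"hr-{i}", f"salary record {i}".encode(), "CONFIDENTIAL", "HR")
    store.put("memo", b"canteen menu", "INTERNAL", "Facilities")
    alice = User("alice", "HR", "CONFIDENTIAL")      # HR analyst
    bob = User("bob", "Engineering", "RESTRICTED")   # cleared, but no need-to-know
    out = {
        "bob_hr": store.read(bob, "hr-0"),           # denied by the department check
        "bob_memo": store.read(bob, "memo"),         # allowed
        "alice_all": [store.read(alice, f"hr-{i}") for i in range(5)],
    }
    store.dispose("hr-0")
    out["after_dispose"] = store.read(alice, "hr-0")  # key gone: nothing to read
    out["flagged"] = store.bulk_readers(threshold=5)
    out["audit_len"] = len(store.audit)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Note what the example does and does not show: bob has a higher clearance than alice but is still refused the HR records, because clearance alone is not need-to-know; alice is refused nothing, since her reads are legitimate one at a time, and only the audit trail makes her bulk read visible. Encryption contributed nothing to either decision; its value appears at disposal, where dropping one key makes every copy of that record unreadable.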

Embrace new business models, but help the organisation manage the accompanying risks. It’s a common story – a data processing operation is outsourced; security gives its blessing based on the assumption that since the data is non-critical, it poses little risk to the company. By using an offshore provider, the cost of the operation is cut in half. Other managers get wind of it and want to outsource some of their operations as well. Some of this data is highly critical and if breached or disclosed to the wrong entity, could have devastating financial and reputation consequences for the company. Security is then tasked with judging the merits of outsourcing such data.

Instead of saying no or making the outsourcing decision on behalf of the business, IT needs to work with business to define parameters and appropriate protections for the data that can be outsourced.

Accept changing technology paradigms while guarding privacy and confidentiality. Social networks, blogs, and other Web 2.0 technologies such as wikis are great for collaboration, communication and connecting with others, but they also blur the traditional boundaries between work and personal life.

Phishing attacks against users of social networking sites will become more sophisticated. It is important for information security professionals to ensure that these tools are made available to knowledge workers, but in conjunction with controls to ensure that sensitive corporate or private information is protected. The first crucial step is to develop a policy and educate and train the users. Additionally, data loss prevention tools, web crawlers and other filters can be used to prevent sensitive information being disclosed through these mechanisms.
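As an added example covering both the discovery of sensitive material in unstructured stores (the Scottish Government point above) and the outbound filtering mentioned here, this Python scanner (written for this page, not a product named in the article) flags protective markings, UK National Insurance numbers and payment card numbers, using a Luhn check so that invoice and phone numbers are not reported. The patterns, file paths and document contents are constructed for the example.

```python
"""Pattern scanner for outbound messages and stored files (DLP/discovery).

Added illustration for this article; not the article's or any vendor's DLP
product. Looks for protective markings, UK National Insurance numbers and
Luhn-valid payment card numbers. The sample documents are constructed.
"""
import re
from typing import Dict, List, Tuple

MARKING = re.compile(r"\b(OFFICIAL-SENSITIVE|CONFIDENTIAL|RESTRICTED)\b")
# NI number: two letters (excluding D, F, I, Q, U, V), six digits, suffix A-D.
# Format check only; it does not tell you whether the number was ever issued.
NINO = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b")
# 13-19 digits with optional space/hyphen separators; the Luhn check decides.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

Finding = Tuple[str, str]  # (kind, matched value)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters invoice and phone numbers that merely look card-like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> List[Finding]:
    findings: List[Finding] = []
    findings += [("marking", m.group(0)) for m in MARKING.finditer(text)]
    findings += [("nino", m.group(0)) for m in NINO.finditer(text)]
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("card", digits))
    return findings


def triage(documents: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Discovery sweep over a file store: path -> findings, empty results dropped."""
    return {path: hits for path, text in documents.items() if (hits := scan(text))}


SAMPLE_DOCS = {  # constructed for the example
    "outbound/social_post.txt": "Great quarter! Our RESTRICTED roadmap ships in May.",
    "share/hr/new_starters.csv": "name,nino\nJ Smith,AB 12 34 56 C\n",
    "share/finance/invoice.txt": "Invoice 1234 5678 9012 3456 paid by card 4111 1111 1111 1111",
    "share/facilities/canteen.txt": "Menu this week: soup, sandwiches. Call 0131 244 4000.",
}

if __name__ == "__main__":
    for path, hits in triage(SAMPLE_DOCS).items():
        print(path, hits)
```

The same `scan` function serves both uses: run over a message before it leaves (block or warn on a hit) and run over a file share to find the records that actually need protecting or deleting. The Luhn step is what keeps the false-positive rate tolerable; the 16-digit invoice number above is rejected while the card number is reported, and the 11-digit phone number never reaches the check.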

Visit www.forrester.com/computinguk for several complimentary reports made available to Computing readers by Forrester Research.

Five tips for securing information and mitigating risk

Adopt single sign-on
Connecting people to resources and granting access only to authorised data is one of the main issues facing the IT department, and one with the biggest security implications. Single sign-on reduces the number of passwords users must manage and, combined with strong authentication measures such as biometrics, tokens and smartcards, gives greater assurance of the identity of the person connecting to central services and accessing corporate data. The caveat is that a single credential now unlocks everything, so the strength of that one authentication step and the protection of the sign-on service itself become critical.
Use encryption
Rather than firefighting to keep the perimeter safe, organisations are increasingly looking to secure data where it resides through encryption. However, to do this successfully, companies need to understand the value and sensitivity of the data they hold in order to apply the appropriate levels of protection, and they need to manage the keys: encrypted data is only as safe as the keys that unlock it.
Deploy multiple virus checkers
Viruses, trojans, malware and spyware will never go away, so constant vigilance is a must. However good an anti-virus engine may be, it will not catch everything. Combining it with a second engine from a different vendor at another layer, for example one at the mail gateway or web proxy and another on the endpoint, reduces exposure significantly. Keep the engines at different layers rather than running two resident scanners on the same machine, where they tend to conflict with each other and slow the system down.
Develop a security culture
Social networking has the potential to become one of the greatest threats to enterprise security. Any technology that allows employees to mix their work and personal life could be dangerous if not carefully managed. However, many companies are employing people specifically for their social networking skills and contacts, so this is an area that needs to be addressed rather than feared. Using education to establish security as an integral part of the corporate culture is the easiest way to minimise risk and make everybody aware of the appropriate level of security required.
Audit information assets
Organisations have to define what constitutes an information asset in terms that reflect its value to the business. The only people who can do this are the creators and owners of the data; the IT department does not have the ability to fully comprehend the commercial value of the corporate data it looks after, but it can advise on the best way to keep it safe and secure.