Firms being left behind by criminals

Response times are too slow to worry hackers, say experts

Leading security technologists have warned that criminals' ability to innovate is threatening to outstrip firms' efforts to secure their enterprise.

This bleak prognosis is based on the rapid adoption of new working practices and technologies – many of which will have unforeseen security implications – and the difference between the pace that new security threats emerge and the time it takes organisations to respond.

From a purely technological perspective it is almost possible to admire the ways attackers are creating tools and using modern enterprise IT infrastructure to propagate their attacks, said Dan Hubbard, vice president of security research at Websense. They are evolving " at a faster pace" than the security industry, he said. "They haven't got business processes holding them back; they're free to innovate."

That pace of innovation is challenging organisations' ability to teach staff to behave securely, warned Mark Bregman, chief technology officer, Symantec. There is a limit to how quickly employees can take on board new secure working practices, he suggested. Many enterprises are finding they are "about at that limit now", he added.

And as the pressure to deliver a more business-responsive IT infrastructure intensifies, the level of risk businesses are introducing is accelerating, said Bob Gliechauf, vice president of enterprise security and services at Cisco.

Two of the greatest threats are posed by virtualisation and cloud computing.

Server virtualisation has become a mainstream technology, helping to squeeze more value from existing IT assets. But simultaneously it is introducing new risks that are not fully appreciated.

It is much like the days when firewalls were first introduced in to the enterprise, suggested Gliechauf. The firewalls were set up by IT to lockdown the network; as business users complained that this prevented them doing their jo bs, those controls were weakened, and then the firewalls were rebuilt iteratively, to balance risk and control. "With virtualisation we're becoming blind again," he said.

Cloud computing presents similar risks, said Websense's Hubbard. Services such as Amazon's S3 and EC2 let users establish virtual machines, capable of running an entire operating system and potentially involving all manner of enterprise data streaming out of the organisation, while all IT would see is web traffic. "That's pretty frightening," said Hubbard.

But Symantec's Bregman cautioned users about getting too downbeat. "It can often feel like we're falling further behind," he noted. "But new technology presents opportunities as well as threats."

For example, Bregman suggested that virtualisation technology might actually provide a mechanism that allows organisations to secure end-points. With firms increasingly open to the notion that users might want to connect any device of their choice to the corporate network, it would be possible to deliver a locked down virtual machine to run on those devices, rather than adopting the traditional approach of only supporting specific images on designated clients.