There’s no disputing a company’s data is as valued as its best worker. But that “best worker” could also be the source of a data compromise. Hunter Bennett, vice president of managed hosting at Scottsdale-based OneNeck IT Services, offers this rundown of risks that are too close to home for any business:
- internal breaches from employees (70 percent of security incidents in the United States);
- social media hacking, since so many companies allow access internally;
- continued spyware/malware threats on personal computing devices; and
- mobile computing that is ripe for security exploitation.
Pat Clawson, chairman and CEO of Scottsdale-based Lumension Security, says organizations should wage the battle to protect on three fronts: intellectual property that cyber criminals could swipe and sell, valuable customer data and employees’ personal information.
Today, hackers electronically mine data at a very high speed and an attack can happen from any computer anywhere in the world. “We have seen the evolution of the hacker,” says Clawson. “They have gone from bad guys getting famous by making a lot of noise — and money — to a much quieter hacker who steals data without the victim’s knowledge.”
The idea that anti-virus is all a company needs to protect its network is out of date, he says. Today’s risks come from people who have figured out how to get around anti-virus software by creating custom pieces of malware that have not been seen before and likely will never be replicated anywhere else — effectively bypassing anti-virus. It’s critical to take security farther than anti-virus software can and supplement it with strategies like intelligent whitelisting, where only what is known to be good is allowed to run on the device, Clawson says.
More companies are taking the security outside their walls. “Going with managed hosting versus customer onsite is almost always much more secure,” Bennett says. This is largely because the customer gains the immediate benefit of maturity and scale from an enterprise managed hosting operation instead of what a customer’s personal security budget can afford. Since managed hosting providers often host hundreds or thousands of systems for customers, they typically invest in a security management practice that includes enterprise-class tools and personnel who manage security policy across the customers’ systems, he says.
In-house or not, the concern is no longer limited to what originates on a desktop. Mobile devices are a very high risk, largely because they are an extension of traditional networks. According to the “State of the Endpoint,” a 2012 Ponemon Institute study commissioned by Lumension, concern about securing mobile devices and platforms saw a huge jump from 9 percent in 2010 to 48 percent in 2011. Providing enterprises with the ability to rein in those devices to manage and secure them will be the No. 1 request from many security manufacturers in 2012, Clawson predicts.
As the use of virtual desktop infrastructure continues to increase, allowing users to access their desktops via smartphones or tablet computing devices, “I can see the need for increased corporate security on mobile devices and appropriate corporate security management on mobile devices increasing,” Bennett says.
While IT could try to prohibit the use of personal iPads and the likes of Twitter and Facebook in the workplace, a more realistic approach is to stop fighting it. Instead of denying these tools, Clawson says, organizations should adapt their security strategy to allow these new practices.
In this era of more operations moving to the “cloud,” there are some precautions that still need to be taken. Every cloud provider should be able to articulate security policies and procedures in a formal security policy that can be provided to customers and even prospects, Bennett says. Talk to the provider’s security and compliance officer to get examples of the internal security controls being followed. There are plenty of resources online to help quiz a provider about its security policies, he says.
Recent incidents serve as a reminder that companies need to refocus budgets upward in order to align them with the importance of effective cyber-attack plans. After all, “you wouldn’t spend $100 on windshield wipers and $10 on your brakes, would you?” Clawson asks.
Stay Protected
Pat Clawson, chairman and CEO of Lumension Security, offers these five steps as a starting point to staying protected no matter the size of an organization:
1. Prioritize the IT assets. There are certain employees and devices that contain more sensitive data than others. Thus, a proper security plan needs to put more emphasis on strategic assets as opposed to treating all IT assets equally.
2. Educate company employees. Security breaches will happen to every company at some point in its lifespan. Typically, the breaches occur due to careless behavior by employees as opposed to a sophisticated, well-thought-out attack.
3. Take a layered approach. Companies need to implement a “defense-in-depth” approach with a platform that includes anti-virus, patch management and application control. All of these solutions must talk to each other in order to be successful.
4. Realize security is also a Mac issue. “Consumerization” has had a deep impact on security and the enterprise. Within the past three years, more Macs and social applications have entered the corporate environment than ever before, and there is plenty to gain from hacking these systems.
5. Ensure organizations and people remain secure. Making sure the leadership team realizes the company is vulnerable, never an easy task, is step No. 1. Then, take the initiative to educate the team and company users, and stand ready to go from defense to offense.