The new security hurdles

01 Oct 08

Web 2.0, mobile devices and Gen Y staff pose new threats to your security.
Whether you have goals for ambitious growth or just want to ensure future survival, there are some trends businesses can no longer ignore. New technologies, increasing awareness around privacy and the changing workforce are raising security, compliance and policy issues that you either need to address or, at the very least, consider your position on.
Web 2.0 and mobile technologies
The introduction of new technologies to the workplace, including mobile and Web 2.0 tools such as social networking, has brought challenges to businesses and IT staff. According to a recent survey conducted by the Employers and Manufacturers Association (EMA), New Zealand small and medium sized businesses (SMBs) believe security risks from mobile devices and Web 2.0 applications are key areas of concern. For 90 per cent of those surveyed, the key driver to securing and managing information was the risk of losing valuable data. Of those, more than 60 per cent identified social networking, and 68 per cent named mobile applications, as key security concerns.
The millennials
A recent study conducted by Applied Research-West in the US that measured risk surrounding the emerging millennial workforce highlighted differing attitudes between that generation and older colleagues regarding use and adoption of technology. The survey found millennial workers access Web 2.0 applications far more frequently at work than others. For example, 66 per cent of millennials surveyed regularly access social networking sites compared with 13 per cent of other workers. Forty-six per cent instant message on the corporate network compared with 22 per cent of others. For streaming video and photo sharing, there was a 20 per cent difference for each, with the millennials at 38, 37 and 33 per cent respectively. Three times as many millennials downloaded software at work for personal use (75 per cent vs 25 per cent).
Less than half (45 per cent) of millennials stick to company-issued devices or software as opposed to nearly 70 per cent of other workers. And, 69 per cent of millennials will use whatever application/device/technology they want, regardless of source or corporate IT policies (compared to 31 per cent of others), preferring to use personal devices such as personal PCs, USB drives, personal hard drives and smart phones.
Going mobile
With today’s workforce becoming increasingly mobile, more and more workers are using a wide range of mobile devices to access corporate data over insecure public and home networks.
From a security perspective, this has profound implications. As mobile technologies mature and grow increasingly sophisticated, organisations would do well to ask themselves whether today’s smartphones are now being used as computers.
While it’s true that the threats to smartphones are relatively rare compared to those targeting PCs, Symantec sees these devices as the next destination of hackers and has found that threats such as spam and phishing are increasingly ‘going mobile’. It’s not hard to see why.
A 2007 study, based on interviews with 700 mobile workers around the globe and commissioned by the National Cyber Security Alliance and Cisco, found that 73 per cent of the mobile workers said they aren’t always aware of security threats and best practices when working on the go, and nearly 30 per cent admitted they “hardly ever” consider security risks and proper behaviour.
Some industry observers have gone so far as to say that a “perfect storm” is brewing in the area of mobile security. This is the result of a number of key factors:
* Adoption rates for smartphones are on the rise, and researchers at Gartner predict that sometime this year smartphones will out-ship PCs.
* The technical capabilities of smartphones are catching up to PCs at a rapid rate. Email, instant messaging, online banking, online shopping and web surfing are all possible.
* Research from Symantec’s Global Intelligence Network shows that, since 2004, the number of threats targeting smart devices has doubled every six months.
What’s at risk?
While many organisations are using smartphones, few are taking sufficient measures to protect them. This can expose them to several key risks:
* Compliance risk. Not considering mobile devices will put system and regulatory audit results at risk.
* Data and privacy risk. Lost phones and mobile threats place key data at risk.
* Business and network stability. Compromised smartphones can disrupt networks.
Mobile devices today are being used the same way as computers and are accessing the same information. Left unprotected, they represent the weakest security link, potentially compromising the entire network and causing a large-scale data leak, since they carry employees’ email, contacts and calendar.
Addressing these technologies
Do you know what devices are being used in your organisation? Do you know what applications are being downloaded? Are you tracking the movement of data and information within and outside your organisation? Are policies being adhered to?
Do a thorough assessment to understand how much the ‘consumerisation’ of IT has permeated your organisation.
Acknowledge the potential risks identified by your assessment, quantify the business impact for good or bad, and then design remediation solutions based on the organisation’s risk profile and ease of mitigation.
Implementation and governance
IT has to ensure that proper controls are in place and employees are fully aware of – and educated on – the policies that help govern activities. Create an IT risk management culture, rather than a policy that amounts to a repository of documents. Establish ‘ownership’ for the IT risk challenge and reward appropriately.
These aren’t dire circumstances and shouldn’t be conveyed as FUD (fear, uncertainty and doubt). According to the study, both the younger and older generations of workers are recognising the benefits of increased productivity, accessibility and time savings (five to six hours per work week) through the next wave of social technologies. And it’s really an issue of balance – making the most of the benefits, while controlling risks and providing a governance structure that harnesses the capabilities and proficiency of millennial workers.
Privacy and data loss prevention
Given that businesses are driven by information and we rely greatly on digital media, a company’s data is its most valuable resource, but also among its most vulnerable assets.
Until recently in New Zealand, our sole means of legal privacy protection was The Privacy Act. It came into force in 1993 at a time when the World Wide Web wasn’t as ubiquitous as it is today. In response to privacy concerns around evolving technology in New Zealand, this year the Privacy Commissioner, Marie Shroff, released updates to The Privacy Act recommending mandatory security breach notification, privacy audits and national do-not-call lists. Action is also being taken between countries, with a memorandum of understanding having just been signed between the New Zealand and Australian privacy commissioners to help tackle privacy challenges.
Staying ahead of the game
What does this interest in the protection of personal information mean for local companies? With New Zealand looking to enforce mandatory security breach disclosure, it’s important organisations get ahead of the curve and put in place a practical and cost-effective plan to minimise the possibility of data breaches and data loss.
Data loss prevention is critical to protecting and controlling an organisation’s most sensitive data. The Privacy Commissioner suggested that the following should influence New Zealand’s approach to mandatory security breach notification:
* Risk assessment – “the notification should be mandatory where the risks to the individual warrant the notification and where that notification will serve a useful purpose”.
* International compatibility – maintain alignment with the approach in Canada or that recommended in Australia.
* Emphasising agency responsibility – agencies should be required to notify the affected individuals rather than the Privacy Commissioner’s office itself.
Open doors
Unlimited access to the internet and unprecedented mobility mean that just about anyone can share, access and distribute information in unlimited volumes. Contrary to popular perception, human error is the source of most data loss, not external security breaches. The limitations of traditional IT security in controlling data loss explain why companies are turning to DLP.
DLP technology helps organisations answer these basic questions: Where is our confidential information? How is this data being used? How can we best prevent it from being lost?
DLP allows you to see which databases, file servers, laptops and desktops hold sensitive data. For example, it tells you when someone is sending out sensitive material by email or copying a customer list to a USB drive. It then allows you to enforce policies through actions that include: blocking network transmissions that contain confidential data; preventing sensitive information being copied to USB drives and DVDs; automating enforcement actions, such as sender notification and routing of emails for encryption, and ensuring that sensitive data is not left exposed on file systems.
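The enforcement model described above, as an added illustration that is not code from the article or from any DLP product: a small policy engine that classifies an outbound event (email, USB copy, network transfer or file share) for sensitive content and maps the result to one of the actions listed, such as blocking a USB copy or routing an email for encryption. The event fields, the detectors (a Luhn-checked card number, a "CONFIDENTIAL" marker, a customer list approximated as three or more email addresses) and the policy table are all constructed assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Hypothetical DLP event: where data is going, who is moving it, and what it contains."""
    channel: str   # "email", "usb", "network" or "fileshare"
    actor: str
    content: str


CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")        # 13-16 digits, optional separators
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_ok(number: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def classify(text: str) -> set[str]:
    """Return the sensitive-data classes detected in the text (constructed detectors)."""
    found = set()
    if "CONFIDENTIAL" in text.upper():
        found.add("marked_confidential")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("payment_card")
    if len(EMAIL_RE.findall(text)) >= 3:      # assumed proxy for a customer list
        found.add("customer_list")
    return found


# Constructed policy table: the enforcement actions the article lists, keyed by channel.
POLICY = {
    "email": "route_for_encryption_and_notify_sender",
    "usb": "block_copy",
    "network": "block_transmission",
    "fileshare": "quarantine_and_alert",
}


def evaluate(event: Event) -> dict:
    """Classify the event content and decide the enforcement action for its channel."""
    classes = classify(event.content)
    action = POLICY.get(event.channel, "alert") if classes else "allow"
    return {"actor": event.actor, "channel": event.channel,
            "classes": sorted(classes), "action": action}
```

Each decision carries the matched classes, which is what the incident-response follow-up described later (who is told, how the employee is educated) needs to act on.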
What’s more, the most advanced DLP goes beyond protecting information to also helping identify risk, establishing policies and processes, educating staff and integrating security technologies and controls.
Different approach
Unlike standard IT security, DLP requires input from a wide range of roles and responsibilities, including business unit managers, compliance and risk, HR and legal – not just IT security.
Before implementing DLP technology, these stakeholders must first identify the data that most needs protection. They also have a role to play in incident response and remediation, which represents nearly 80 per cent of the work of DLP.
For example, when an employee is found copying files to a memory stick, who needs to know about it? How do you follow up and educate the employee? And, if the violation reoccurs, how do you escalate the remedy?
Organisations still need a strategy that relies on traditional antivirus software and antispam software, but combined with unified, integrated DLP technology.
DLP has moved past the hype, with real deployments in organisations with thousands of employees automating the process of data protection and significantly reducing risk.
As more organisations understand the value of DLP, adoption of the technology will increase exponentially, just as we have seen in other areas of security. It comes down to protecting information and preventing its loss or theft, which ultimately means every organisation will have DLP in some form.
Adoption will certainly be accelerated in New Zealand if the government legislates the disclosure of data breaches in particular – you can’t disclose something that you don’t monitor.