Many times in their daily jobs, IT operations and information security (infosec) professionals get so immersed in “the trees” (i.e., the hot issues of the day) that they sometimes lose sight of “the forest” (the broader challenges that impact our businesses as a whole). While every organization has its trees, however different they may be from company to company, they all have a similar forest.
At a high level, every organization today is dealing with similar infosec issues: mobile computing, BYOD (bring your own device), cloud computing, employee security awareness and training, data protection, and so on. This is what Wisegate, the online professional networking organization for IT and infosec professionals, points out in its recently released report, Preparing for the Top IT Security Threats of 2013. The report highlights the typical infosec concerns that are at the top of many CIOs’ and CSOs’ agendas for the year ahead, as well as the strategies that these leaders are using to reduce risk for their organizations.
According to the report:
The nature of the present-day threats isn’t necessarily new, but it’s the attack vectors and manifestations that change over time. For example, data loss is a perpetual concern—as a threat to business privacy and security—just as it has been for decades. But the fact that workers increasingly use their own smart phones to access corporate data puts a new spin on the old problem of potential data loss.
The infosec leaders who contributed their perspectives represent a wide range of businesses and agencies. While their organizations must find ways to mitigate risks associated with the latest viruses and the next round of DDoS attacks, these aren’t necessarily their most urgent security concerns to address. Rather, according to the report:
It’s broader areas such as mobile computing, BYOD (bring your own device), cloud computing, and data protection that will need their heightened attention in 2013. Within these areas many CSOs are planning to devote more resources, develop policies and procedures, evaluate and implement solutions, and provide awareness training.
The main threats that CSOs see today have one underlying root cause: the universe of available IT resources—devices, applications and services—is no longer fully under the control of an official IT department. Business units and even individual end users are deploying their own resources, such as smart phones, SaaS applications and cloud-based data storage that may not meet corporate security standards but still have access to the company network or data. This introduces a wide range of IT security threats that are completely unintentional but no less real.
The executives’ other related areas of concern include:
- Social media and the blurring of personal and work identities
- The use of consumer-grade applications for work purposes
- A general lack of IT security awareness among workers
- Protecting corporate data in the face of the other factors listed above
Beyond outlining and defining their security challenges, the report highlights the strategies of several CSOs to proactively attack the challenges they face with the consumerization of IT. Not surprisingly, their plans begin with better security awareness, end user education and a corporate culture that puts an emphasis on security. The report points out:
In many cases, employees just don’t see the risk associated with smart devices. Intuitively they understand why a company-owned laptop might need to be encrypted, but they don’t understand why they can't have Angry Birds and a PCI-compliant application on the same iPad.
While many organizations throw money at technology to mitigate risks, one of the infosec managers in the report believes technology is not the only solution. This manager says, “constantly trying to fix people problems with technology is just throwing money down the drain. Technology is important, but at the end of the day employees must be more aware. Moreover, training and awareness need to be more than just a compliance sheet tick mark. Too often, companies equate ‘training’ with the needed ‘behavioral change,’ and they aren’t necessarily the same. Employees need to understand how their actions help or harm their own security posture and then adopt more secure behaviors.”
He goes on to say, “In particular, workers are being exploited through social engineering and spear-phishing attacks. To counter this menace, employees must understand that not everything coming through email, even though it looks legitimate, actually is legitimate.”
The crux of the observation is that organizations need to emphasize employee training in order to reduce the likelihood of exploitation by unseen attackers.
Other threat areas that the Wisegate CSOs are proactively working on to mitigate their risks include:
- Having the IT Department be a “first adopter” of new consumer-based technologies in order to get out in front of what employees want to try
- Segmenting the network to address non-business related network traffic
- Increasing network visibility to better observe and understand what is happening on the network
As many of you know and understand, sometimes the best solution to a problem is the simplest. The Wisegate members understand this as well and conclude their report with the following sentiments:
It’s important to get out in front of potential threats, and involve everyone in the organization. Increasing employee security awareness and getting workers to adopt more prudent behaviors will go a long way in complementing the technology-based solutions that organizations deploy to protect their network and information assets.