Most people don’t want to bite the hand that feeds them, but biting the hand that no longer feeds you is another matter entirely. So the ex-Fannie Mae IT contractor, recently charged with trying to trash his previous employer’s data files, won’t be the only disgruntled worker to take action this year. According to information security experts, attempts to damage or steal sensitive and valuable corporate data will be the biggest risk to the systems of many organisations during 2009. Lesley Meall, FSN contributing editor, finds out where organisations should be focussing their security spend, and why.
“We are in a recession and this introduces new challenges for IT security,” says Yuval Ben-Itzhak, a security industry veteran and the chief technology officer at Finjan, a provider of enterprise security solutions. “The trend for an increasing number of attacks is the same as the previous recession,” he says, but the nature of the problem has changed. “Now attacks are more likely to be on data,” he reports, because it has a much higher value than hardware theft, can be less obviously damaged or stolen, and it can easily be traded.
As if this were not bad enough, many organisations will find that this recession comes with an added sting in the tail, because a lot of the people who are currently losing their jobs know a lot more than their employers do about their corporate information systems. “There are a lot of highly skilled, highly motivated people out there, who are less than happy,” warns Mark Fullbrook, the UK director of Cyber-Ark Software, a specialist in identity management and data security.
“Because so many organisations now need to do lay-offs in information technology, a new threat landscape is looming,” says Ben-Itzhak, and the alleged malware incident at Fannie Mae will probably be just the tip of the iceberg. “The risk posed by ex-employees is the new threat driver,” confirms Eric Domage, research manager for security products and services at IDC. “IT retaliation is very easy,” he says, and organisations should be taking the threat very seriously. “Think of it as an emergency,” he urges.
Deleting sensitive data before leaving the company, taking valuable data when leaving, encrypting data to make it inaccessible after you’ve left, retaliation hacking by ex-employees, and frustration hacking by those facing decreased salaries and increased workloads, are among the many variations being experienced by chief security officers and chief technology officers, according to research and anecdotal reports – and recovery labs are already experiencing a spike in demand.
Minimise the risk
So, what can organisations do to minimise the risk? “They must review their IT security measures, in light of the changing threat landscape,” asserts Ben-Itzhak, and undertake a thorough audit covering every member of staff, every application and data port they have access to, every device they are authorised to use (to access, output or transport data), and then identify their individual needs and the levels of security that should be applied.
How you approach this process, how extensive the exercise is, and how much it takes from your overall IT spend will vary between organisations, and will be determined by factors ranging from the software and systems already in place to any associated budgetary constraints. But in the current climate, Ben-Itzhak recommends paying particular attention to user authentication and data leakage prevention mechanisms – and including IT contractors and senior IT employees in the exercise.
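The audit described above comes down to a reconciliation: the HR view of who still works for you (and on what terms) against what each system says is still able to log in. The following is an added example, not code from the article or from any of the vendors quoted in it; the HR extract, the account exports, the system names and the dates are all constructed. It flags the cases such an audit should surface first: enabled accounts belonging to leavers or to contractors whose engagement has ended, accounts whose owner no longer exists in HR, shared or service accounts that nobody is accountable for (and whose password a leaver may still know), and privileged accounts that remain valid but should be re-certified.

```python
"""Leaver and contractor access reconciliation (added example, constructed data)."""
from datetime import date

# Constructed HR extract: one row per person. Contractors carry a contract
# end date; leavers carry the date they left.
HR = {
    "e1001": {"name": "A. Smith", "type": "employee", "status": "left",
              "left_on": date(2009, 1, 16)},
    "e1002": {"name": "B. Jones", "type": "employee", "status": "active"},
    "c2001": {"name": "C. Lee", "type": "contractor", "status": "active",
              "contract_end": date(2009, 1, 31)},
    "e1003": {"name": "D. Patel", "type": "employee", "status": "active"},
}

# Constructed account exports from several systems. "owner" is the HR id the
# account was provisioned for (None for shared or service accounts); "admin"
# marks accounts that carry administrative rights.
ACCOUNTS = [
    {"system": "hr_app",  "account": "asmith",     "owner": "e1001", "enabled": True,  "admin": False},
    {"system": "ad",      "account": "asmith",     "owner": "e1001", "enabled": False, "admin": False},
    {"system": "ad",      "account": "clee",       "owner": "c2001", "enabled": True,  "admin": True},
    {"system": "db_prod", "account": "dba_shared", "owner": None,    "enabled": True,  "admin": True},
    {"system": "db_prod", "account": "bjones",     "owner": "e1002", "enabled": True,  "admin": True},
    {"system": "vpn",     "account": "dpatel",     "owner": "e1003", "enabled": True,  "admin": False},
    {"system": "vpn",     "account": "jdoe",       "owner": "e9999", "enabled": True,  "admin": False},
]

AUDIT_DATE = date(2009, 2, 9)  # the day the review is run (constructed)


def review_access(hr, accounts, today):
    """Return a list of (severity, system, account, reason) findings, worst first."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: deletion is a separate clean-up, not an exposure
        owner = acct["owner"]
        person = hr.get(owner) if owner else None
        if owner is None:
            # Nobody is accountable for the credential, and leavers may still know it.
            findings.append(("high", acct["system"], acct["account"],
                             "shared/service account with no named owner; rotate credential and assign owner"))
        elif person is None:
            # The HR id the account was provisioned for no longer exists: orphaned access.
            findings.append(("high", acct["system"], acct["account"],
                             f"owner {owner} not in HR extract; orphaned account"))
        elif person["status"] == "left":
            findings.append(("critical", acct["system"], acct["account"],
                             f"owner left on {person['left_on']:%Y-%m-%d}; account still enabled"))
        elif person["type"] == "contractor" and person["contract_end"] < today:
            findings.append(("critical", acct["system"], acct["account"],
                             f"contract ended {person['contract_end']:%Y-%m-%d}; account still enabled"))
        elif acct["admin"]:
            # Valid owner, but privileged: these are the accounts to re-certify first.
            findings.append(("review", acct["system"], acct["account"],
                             f"privileged account held by {person['name']}; confirm still required"))
    order = {"critical": 0, "high": 1, "review": 2}
    findings.sort(key=lambda f: (order[f[0]], f[1], f[2]))
    return findings


if __name__ == "__main__":
    for sev, system, account, reason in review_access(HR, ACCOUNTS, AUDIT_DATE):
        print(f"{sev:9} {system:8} {account:12} {reason}")
```

On this constructed data the review produces five findings: two critical (the contractor’s still-enabled domain admin account after his contract end, and the leaver’s still-enabled HR application login, even though his domain account was disabled), two high (the shared DBA account with no owner and the VPN account whose owner is unknown to HR), and one privileged account to re-certify. The one thing a real run adds is a second source of truth for contractors, since they are often missing from the HR extract altogether, which is exactly why the article says to include them explicitly.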
The options for improved user authentication vary widely. Some enterprise applications offer built-in features: the HR system iTrent (from Midland HR), for example, can be configured to control user access right down to the level of individual data fields, to monitor user activity and to create an audit trail. But many organisations will want (and need) to supplement application-specific features with a variety of add-on mechanisms that can be combined to provide the most appropriate level of security for each unique situation.
“Different levels are required for software applications, screens, and data fields, different people require different levels of security, and an individual may be granted different access levels depending on their physical location,” observes David Ting, chief technology officer with Imprivata, a network security specialist. So better passwords, smart cards, hardware tokens, and biometric devices such as fingerprint readers and cameras linked to facial recognition systems, all have a potential role to play.
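To make the layering Ting describes concrete, here is an added example (not code from the article, iTrent, Midland HR or Imprivata) of a field-level read on an HR record: each role sees only the fields its policy allows, the most sensitive fields are withheld off the corporate LAN unless the session has passed a second factor (the token, smart card or biometric step), and every read, including what was withheld, goes to an audit trail. The record, roles, field names and network range are constructed for illustration.

```python
"""Field-level access control with location-aware step-up and an audit trail
(added example, constructed policy and data)."""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed HR record.
EMPLOYEE = {
    "id": "e1002", "name": "B. Jones", "department": "Finance",
    "salary": 54000, "bank_account": "12345678", "ni_number": "QQ123456C",
}

# Per-role policy: the fields the role may read at all, and the subset that
# additionally requires a second factor when the session is not on-site.
POLICY = {
    "line_manager": {"read": {"id", "name", "department"}, "stepup": set()},
    "hr_admin": {"read": {"id", "name", "department", "salary", "ni_number"},
                 "stepup": {"salary", "ni_number"}},
    "payroll": {"read": {"id", "name", "salary", "bank_account"},
                "stepup": {"salary", "bank_account"}},
}
CORPORATE_LAN = ip_network("10.20.0.0/16")  # constructed address range

AUDIT_LOG = []  # in production an append-only store the user cannot alter


def trusted_location(client_ip):
    """True when the client address is inside the corporate network."""
    return ip_address(client_ip) in CORPORATE_LAN


def read_record(record, user, role, client_ip, second_factor_ok=False):
    """Return the fields `role` may see from `client_ip`; audit the read.

    Fields in the role's step-up set are withheld off the LAN unless the
    session has completed a second factor. Withheld fields are logged too,
    so an investigator can see what was attempted, not only what was shown.
    """
    if role not in POLICY:
        raise PermissionError(f"unknown role {role!r}")
    rule = POLICY[role]
    onsite = trusted_location(client_ip)
    shown, withheld = {}, []
    for field, value in record.items():
        if field not in rule["read"]:
            continue  # never disclosed to this role
        if field in rule["stepup"] and not (onsite or second_factor_ok):
            withheld.append(field)
        else:
            shown[field] = value
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "ip": client_ip, "record": record["id"],
        "fields": sorted(shown), "withheld": sorted(withheld),
    })
    return shown


if __name__ == "__main__":
    print(read_record(EMPLOYEE, "bob", "payroll", "10.20.5.9"))
    print(read_record(EMPLOYEE, "bob", "payroll", "203.0.113.7"))
    print(AUDIT_LOG[-1])
```

The design point is that the decision is made per field, not per screen: the same payroll user gets the bank account on the LAN, gets only name and id from a hotel network, and gets the full record remotely once a second factor has been presented, with all three reads visible in the audit log.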
Preventing data from leaving the enterprise on unauthorised physical devices also calls for a multi-tiered approach. “Dealing with the threat posed by mobile devices and removable storage calls for a number of different solutions,” suggests Jon Rolls, vice president of product management with the network administration expert ScriptLogic, “because organisations need systems that are flexible enough to protect business data without hindering business needs.”
Assess the options
But in the current climate, less may be more even when it comes to information security. “In 2006 and 2007 people were rushing to add lots more security products to corporate systems,” says Ben-Itzhak, but he suggests that it now makes more sense to reduce complexity and cost by rationalising things. For some organisations, this may mean minimising the number of security providers and running the remaining products on as few boxes as possible; for others, it could mean switching to a system that offers a single unified endpoint security and network access control solution.
Although none of these approaches is without cost, the cost of inaction is potentially much greater. So it is perhaps unsurprising that, despite cuts to technology budgets in all sorts of areas, IDC is expecting organisations to increase their IT security spend in 2009 by an estimated 7 per cent. If the prospect of finding that additional capital makes you go weak at the knees, it may be a relief to discover that you may be able to increase your information security spend without increasing the overall IT budget, by thinking more about your procedures and reassessing your priorities.
“When it comes to information technology, organisations devote a lot of time and effort to relatively trivial issues,” suggests Fullbrook, “such as stopping people from occasionally wasting time on Facebook,” and in the current economic climate, this is not necessarily the best use of resources. “Instead of focusing on a problem that might cost them a few hundred pounds, they should focus on the sort of risk that could cost them tens of thousands,” he asserts.
“You should be concentrating your efforts [and your IT security spend] on the areas that represent the greatest risk,” he says, which could mean scaling back projects that are not as important this year as they were when you budgeted for them last year. “If you can take a small amount of money from a large project, where it won’t have much impact, and put it into a small project that’s going to have a dramatic impact on reducing your exposure to security risks, then I think that’s a no-brainer,” says Fullbrook.
Domage also believes that organisations could improve their data security without spending money, but rather than divert capital resources, he suggests that they make much better use of the software and systems they already have in place, by utilising their built-in security features. “People need to think more about the best way of protecting their data,” he advises, rather than panic and throw “crazy amounts of money” at the problem.
“Nothing protects data better than encryption,” says Domage, and most organisations can encrypt their data without buying any new products or services. “Data encryption doesn’t have to be a big-budget exercise,” he asserts, because there are plenty of free encryption tools available online, and software such as email management and operating systems often include encryption features. “If you’ve already paid for Windows and it’s got embedded encryption, use it,” he suggests, adding: “Spending isn’t the best way to deal with an emergency, thinking is.”