In a survey released by RSA, the security division of EMC, more than 80% of security leaders said risks are being overlooked as cost and revenue pressure rises. The study, which was conducted by IDG Research Services, has revealed “a significant gap between the speed at which … organisations are adopting new connectivity, collaboration and communication technologies and their readiness to deploy them securely.”
The IDG Research survey, As Hyper-Extended Enterprises Grow, So do Security Risks, conducted among 100 top security executives at companies with revenues of more than $1 billion, showed that over 70% believe that escalating levels of connectivity and information exchange, powered by new web and communication technologies such as cloud computing and virtualisation, are transforming their organisations into hyper-extended enterprises.
While the majority have increased their use of virtualisation, mobility and social networking, and a third have increased their use of cloud computing, many of the respondents admitted to not having adequate strategies to assess the risks involved in adopting these technologies.
For example, less than half have developed security policies for employees regarding the use of social networking tools and sites.
Another major finding is that over 80% were concerned that pressure to cut costs and generate revenue has increased their exposure to security risk, with over 70% having experienced a security incident in the last 18 months.
New security strategies needed
RSA has also published a study from its Security for Business Innovation Council on how to adopt new strategies for making the leap to new web and mobile technologies without compromising information security.
Charting the Path: Enabling the “Hyper-Extended” Enterprise in the Face of Unprecedented Risk is based on in-depth conversations with the Security for Business Innovation Council, and offers seven steps to face the information security challenges that come with these new technologies:
- Protect data more efficiently by taking a risk management assessment approach;
- Security teams must focus on the quality and efficiency of their services and be able to articulate the value they provide – i.e. make sure they are competitive with external security providers;
- Instead of blocking the use of new technologies, security teams should enable secure use by establishing a roadmap for the business to adopt new technologies;
- Shift from protecting the container to protecting the data itself;
- Adopt advanced security monitoring techniques moving away from techniques such as signature-based anti-virus and blacklisting to more “accurate techniques such as behaviour-based monitoring and whitelisting”;
- Collaborate to create industry standards; and
- Share risk intelligence.
Is the security industry complacent about the new risks?
Andrew Moloney, EMEA marketing director at RSA, told Infosecurity it is not necessarily about complacency: “It’s more just a factor of the times we find ourselves in.”
“We’re going through an unprecedented level of change in the economy and in demands being placed on businesses to find more efficient methods of working. And at the same time, there’s an emergence of new technologies, which offer the ability to do that. The issue at the moment is that we have got out of step, from a security perspective, with the demands of the business. So less complacency and more business pressures driving us toward adopting these new technologies perhaps faster than otherwise done, because rather than these technologies being about technology for technology’s sake, they offer very clear returns on the bottom line and business is driving adoption of technology.”
The security implications of not keeping up to date with the use of new technologies could be severe, and the risk landscape is not a straightforward one.
Moloney said security is being affected by a combination of exponential growth in the amount of digital data being created and the fact that this data is no longer necessarily stored within the four walls of a company, but in the cloud, on a personal device or with a business partner.
“This leads to heightened risk around information and fundamentally a new strategy is required in order to protect that information”, Moloney commented.
Asked how companies can protect their data, Moloney told Infosecurity that a relatively new type of security technology can identify and classify data.
“Using data loss prevention technologies, we can now make the process of seeking out the information we care about and then apply a policy to that information in real time. That policy could be around restricting access, it could be monitoring its flow, it could be around enforcing encryption policy, for example, or even enforcing deletion after a certain period of time, so you’re not holding on to information you don’t need.”
“It is about holding policies on the information you care about as opposed to forming a strategy of trying to secure everything”, he added.
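The policy loop Moloney describes (seek out the data you care about, classify it, then apply a policy to that class in real time rather than trying to secure everything) can be sketched in a few dozen lines. The following is an added example written for this article, not code from RSA or from any DLP product; the sensitivity classes, the policy values, the retention periods and the sample records are all constructed, and the card check is a Luhn test so that arbitrary digit runs are not flagged.

```python
# Added example, not code from the article or from RSA: a minimal data-loss-
# prevention (DLP) pass. It seeks out the records that carry data we care
# about, classifies them, and applies a policy per class (restrict access,
# monitor flow, enforce encryption, delete after a retention period).
# Records that match no class get no policy at all.
# Class names, policy values, dates and record contents are all constructed.
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # candidate card numbers
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")  # crude e-mail match


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that arbitrary digit runs are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set[str]:
    """Return the sensitivity classes present in one record's text."""
    classes: set[str] = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            classes.add("card")
    if EMAIL_RE.search(text):
        classes.add("pii")
    return classes


# One policy per class; the attributes are the ones named in the article.
# Values are constructed for illustration.
POLICY = {
    "card": {"restrict": True, "monitor": True, "encrypt": True, "retain_days": 90},
    "pii": {"restrict": False, "monitor": True, "encrypt": True, "retain_days": 365},
}


@dataclass(frozen=True)
class Record:
    id: str
    text: str
    created: date


def apply_policy(rec: Record, today: date) -> list[str]:
    """Actions for one record. The shortest retention among its classes wins;
    expired data is deleted rather than protected. Unclassified data: nothing."""
    classes = classify(rec.text)
    if not classes:
        return []
    policies = [POLICY[c] for c in classes]
    retention = min(p["retain_days"] for p in policies)
    if (today - rec.created).days > retention:
        return ["delete"]
    return [a for a in ("restrict", "monitor", "encrypt") if any(p[a] for p in policies)]


def demo_sweep() -> dict[str, list[str]]:
    """Run the policy over a few constructed records as of a fixed date."""
    today = date(2024, 6, 1)
    records = [
        Record("r1", "Card 4111 1111 1111 1111 on file", today - timedelta(days=10)),
        Record("r2", "Card 4111 1111 1111 1111 on file", today - timedelta(days=200)),
        Record("r3", "Contact alice@example.com about the invoice", today - timedelta(days=30)),
        Record("r4", "Order ref 1234 5678 9012 3456, no personal data", today - timedelta(days=500)),
        Record("r5", "alice@example.com paid with 4111 1111 1111 1111", today - timedelta(days=100)),
    ]
    return {r.id: apply_policy(r, today) for r in records}


if __name__ == "__main__":
    for rid, actions in demo_sweep().items():
        print(rid, actions or "no policy")
```

Two design points carry the article's message. Record r4 is five hundred days old and still gets no action, because nothing in it matched a class; the cost of the programme is spent only on data that matters. Record r5 matches two classes and is deleted, because the shortest retention among them governs: data that should no longer exist is removed rather than encrypted and monitored.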
Moloney believes a behaviour-based monitoring approach could be an important part of a security strategy: “If you monitor behaviour, it’s very difficult for fraudsters and criminals to evade that, because behaviour will always catch you out.”
Commenting on the call for an industry standard on securing new web and mobile technologies, Moloney mentioned ISO 27001 and ISO 27002.
“Those standards prescribe a risk-based approach to defining security strategy and security control, and risk analysis is at the crux of an effective security strategy because risk is a fluid concept. Attack vectors change, and fraud techniques change, and so your risk assessment will constantly change and evolve as well. The standards would say do the risk assessment, but it’s the risk assessment that prescribes the right strategy – it’s having a comprehensive and common strategy around, for example, risk assessment.”
The RSA report also called for sharing of risk intelligence. Infosecurity notes that stock-listed companies could be reluctant to share such information openly, but Moloney said there are already such systems in place that do not expose the victim’s identity:
“We run something called the e-fraud network, and the e-fraud network is essentially an anonymous information sharing service which interconnects all the fraud detection systems that we operate in financial institutions around the world. It’s the software that’s sharing the information with the counterparts around the world, but it’s doing it anonymously.”
For example, if the Bank of America is attacked, Barclays knows within minutes that there is a potential threat out there.
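What makes such a network acceptable to a listed company is that the victim's identity never leaves the hub while the indicator does. The following is an added example, written for this article and not RSA's e-fraud network code: a small sharing hub in which member fraud systems submit reports naming themselves as the victim, the hub replaces the victim with an opaque reference, drops repeats of an indicator already shared, and fans the alert out to every other member. The member names, indicators and timestamps are constructed.

```python
# Added example, not code from RSA or its e-fraud network: the shape of an
# anonymous indicator-sharing hub as the article describes it. Member fraud
# systems submit reports that name the victim; the hub keeps only the
# indicator and attack type, labels each with an opaque reference, and fans
# it out to the other members. Member names, indicators and timestamps are
# constructed.
from __future__ import annotations

import secrets
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Alert:
    """What other members receive. Deliberately has no victim field."""
    ref: str          # random, unlinkable to the reporting institution
    indicator: str    # e.g. a phishing domain or sender address
    attack_type: str
    observed_at: str  # ISO-8601 timestamp as reported


class SharingHub:
    def __init__(self, members: list[str]) -> None:
        self.members = set(members)
        self.inbox: dict[str, list[Alert]] = {m: [] for m in members}
        self._victims: dict[str, str] = {}            # ref -> institution, hub-internal only
        self._seen: dict[tuple[str, str], str] = {}   # (indicator, attack) -> ref

    def submit(self, institution: str, indicator: str, attack_type: str, observed_at: str) -> Alert | None:
        """Accept a report from a member. Returns the alert that was distributed,
        or None if the same indicator/attack pair was already shared."""
        if institution not in self.members:
            raise PermissionError(f"{institution!r} is not a member")
        key = (indicator.strip().lower(), attack_type)
        if key in self._seen:
            return None
        alert = Alert(secrets.token_hex(8), key[0], attack_type, observed_at)
        self._seen[key] = alert.ref
        self._victims[alert.ref] = institution    # retained for the operator, never sent
        for m in self.members - {institution}:    # the victim already knows
            self.inbox[m].append(alert)
        return alert

    def received(self, member: str) -> list[Alert]:
        return list(self.inbox[member])


def alert_mentions(alert: Alert, institution: str) -> bool:
    """Check that no field of an outgoing alert names the victim."""
    return any(institution.lower() in str(v).lower() for v in asdict(alert).values())


def demo() -> dict[str, int]:
    """Two members report; returns how many alerts each member received."""
    hub = SharingHub(["bank_a", "bank_b", "bank_c"])
    hub.submit("bank_a", "login-verify.example", "credential phishing", "2024-06-01T09:00:00Z")
    hub.submit("bank_b", "login-verify.example", "credential phishing", "2024-06-01T09:07:00Z")  # repeat, dropped
    hub.submit("bank_b", "pay-refund.example", "refund scam", "2024-06-01T10:00:00Z")
    return {m: len(hub.received(m)) for m in sorted(hub.members)}


if __name__ == "__main__":
    print(demo())
```

The hub keeps a private map from reference to victim so that the operator can follow up with the reporting institution, but that map is the only place the victim's name exists after submission; `alert_mentions` is the check a member can run on every alert it receives to confirm that property holds.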
Moloney stressed, however, that the underlying message of the reports is not about deploying the right security technology, but about having appropriate strategies, which in turn have to be linked with the business’s strategies.
As Roland Cloutier, vice president and CSO at EMC Corporation, was quoted as saying in the RSA report: “Security officers have to be out there explaining to other executives and senior people in the company how they’re going to approach the move to the cloud, and the risks associated with moving faster than they’re able. And if the business wants to move faster, you better have an answer about what resources you’ll need to get it done faster, because if the business asks you ‘Well, how can we get it done faster?’ and you say, ‘I don’t know’, you’re going to be a former CISO.”