Protecting Company Information – Why, How and What if?

Content Copyright © 2008 Bloor. All Rights Reserved.

I recently took part in another webinar, this time with Lumension Security, covering issues around
protecting company information. It was an interesting session as we had input
from a vendor, customer and myself as an analyst. There is a transcript of my
session and the event can be replayed here.

Protecting company information is becoming more and more
difficult. As IT professionals we are faced with attacks from all sides, but
ultimately the biggest threat to our data appears to be from our users.

I believe that the threat from our users boils down to these
two key elements:

  • The incompetent and non-malicious. These people make genuine mistakes based on lack
    of training, lack of awareness or being tired. Lost disks are a common example!
  • The competent and malicious. These people are out to get you. They are, thankfully,
    a very, very small percentage of any employee base but they do exist.

I had a telephone call from my bank the other day and they
asked me for the first line of my address to confirm who I was. Yes—they
called ME and wanted ME to answer their security question. Of course it could
have been anyone on a phishing trip and I told them I wasn’t going to answer
the question. The caller was most put out and quite frankly surprised I wasn’t
going to give him an answer. In actual fact I believed he was from my bank but
wanted to make my point. Clearly the majority of people quite happily hand over
their security details in these calls.

Unfortunately, managing the threat to company information is
increasingly difficult as I believe we are now in the golden age of computer
crime. We will look back in 10 years' time and shake our heads and wonder how we
coped.

The value of data is increasing week by week as criminals
enjoy more ways of getting to our property, be it corporate or personal.
Ultimately this is probably the biggest problem we face in information security—how to manage our users effectively.

Of big concern is the ability for the authorities to cope
with the problem. More often than not organisations feel alone in dealing with
security problems. If you have a problem, who do you call? Is your local police
force going to prioritise your loss of intellectual property over burglaries? I
have personally dealt with cases of data theft and, whilst the authorities were
surprisingly helpful, their approach was strictly old-school policing.

One key dynamic that is going to challenge us further when
we are considering how we protect company data is the new generation of
computer-savvy youngsters coming into our workplaces.

Forget blanket bans on iPods and social networking; if you want
to attract the brightest talent from an increasingly small demographic pool you
need to make your workplace an interesting experience.

But how can this be balanced against the need to protect
company information?

I did some research work recently on virtual worlds. It is
not an area I had explored much before and was intrigued to consider the
information security issues of these places. With the use of virtual money
these virtual societies have an emerging and often complex social
infrastructure. Virtual property can be purchased and you can pay for a REAL
interior designer to decorate your virtual house.

This has implications for information security—I could
actively hawk corporate information around a virtual world. What are the legal
implications? How do laws regarding theft and fraud apply to “virtual world”
information?

Worse still, consider the money laundering possibilities. I
came across a character in Second Life who called themselves a drug dealer. Is
this for real? If drugs can be traded in a virtual world then your intellectual
property can as well.

The underground economy is huge. Many criminal organisations
have a sophisticated infrastructure that would shame many ‘legal’ corporations
as they have roles and responsibilities ranging from marketing through to
operations and finance. In fact many of these organisations would win prizes
for their innovation and technical creativity if they were legitimate!

People exploits are growing. Access to your corporate
information is now being facilitated through people-based attacks, be they call
centre staff down the pub, on a social network or at the chief executive's golf
club. Let’s face it, how many organisations REALLY vet their staff before
allowing them access to terabytes of corporate data?

The future for the safety of corporate information can be
quite depressing.

Over the past few weeks we have seen how inter-governmental
information warfare is now considered part and parcel of more traditional guns
and bombs type warfare. The increasing sophistication of these attacks quickly
translates into the private sector as criminal gangs explore new methods of
getting to corporate information.

In the seventies and eighties the UK was plagued by armed
robberies as banks and building societies were seen as soft touches for gangs
trying to steal money. Despite the formation of specialist police squads (the
Sweeney, anyone?) the tide of armed robberies was huge. Nowadays physical bank
security has been tightened up, and new forensic systems are used to mark any
money that may be stolen, to facilitate quicker recovery and prosecutions. Now
it is not worth it for a sophisticated gang to “cross the pavement”, as doing a
bank robbery used to be known. It is much easier to click a mouse and steal data.

I mentioned the authorities earlier, and their ability to
cope with data loss incidents. With the drive to save money in the public
sector how can these authorities keep their skills up to date and hire the
brightest and the best?

The future for data protection is going to be tough as we
face new threats. Of course new and interesting innovations will appear on the
market as vendors such as Lumension attempt to deal with the problem.

But ultimately people will be people. Over the past
generations we may feel that we are more sophisticated but are we really?
People still have the same aspirations and desires now as they did 100 years
ago. The inside threat—the biggest threat to our company information—will
always be a significant hurdle for security managers.