Security Awareness Inspired – Part 2
In my last blog article I wrote about the challenges of mobility and I outlined how to stay secure online whilst traveling. In general, information access is becoming mobile and device-agnostic. This results in new risk implications.
First, everything revolves around people and information. Devices like desktops, laptops, tablets or smartphones are irrelevant: the most popular devices today will probably not have the same popularity three years from now. The applications don't matter that much either, because it is not important whether organisations use an on-premise mail server today and a cloud-based email service tomorrow. It is just about getting the information from one place to another. What matters are the people and the intellectual property, the formula for a new chemical compound for example, or credit card details. It is about the data and the information.
Secondly, personal and business lives are coming together. People post private- and business-related news from the same social network accounts. In recent surveys many people admitted that they check their email within 30 minutes of getting up in the morning. Personal lives and business lives have crossed over.
Third, there is the need for simple and secure access to information from anywhere: at home, at work, in the park, on the ski slopes, and so on.
Lastly, organisations have to be more scalable and more cost effective. CIOs often say their budgets don't get bigger, yet they have to get more done. They are always trying (and being pushed by the strategic business organisation) to become more cost effective, more scalable, and more efficient.
These implications are driving the transformation towards an information-centric IT function, and they have a profound impact on both individuals and organisations. Strategic technology trends like cloud computing, virtualisation and mobility help to simplify information access, and organisations are already aware of the associated benefits. However, due to the explosion of information and the significant growth of the threat landscape, information security and data governance remain strong concerns. Organisations want highly available information, but also have to ensure that data is secure and processed in compliance with mandates and legislation.
To provide the right balance of information confidentiality, availability, and integrity, organisations should adopt at least 5 key strategies to cover the implications outlined above. These 5 key strategies are identity security, device security, information protection, context and relevance (getting the right information to the right person at the right time), and public/private cloud computing. These are the key areas that provide organisations with simple and secure access to information, assuring that their information is properly managed and secure from anywhere.
The transposition of mandatory security breach notification requirements (e.g. EU Directive 2009/136/EC, which amends the E-Privacy Directive 2002/58/EC) into national legislation drives organisations to invest in stronger security standards that protect personal information and prevent data breaches and data loss. In order to prevent data breaches and data loss, it is essential to understand why they occur. Third-party research into the root causes of data breaches, including data from the Open Security Foundation, reveals three main types:
- Well-meaning insiders, e.g. data exposed on servers and desktops, a lost or stolen laptop, email, web mail, removable devices, third-party data loss incidents caused by contractors or outsourcing partners, or the spread of sensitive data through automated business processes.
- Targeted attacks, e.g. those enabled by unchanged factory default credentials, SQL injection attacks on websites, or targeted malware such as rootkits and hidden remote access tools.
- Malicious insiders, e.g. employees who knowingly steal data as part of an identity theft ring, terminated or disgruntled former employees, people who store company data on a home system in order to build a library of work samples for future career opportunities, or simply traditional industrial espionage.
In many cases, breaches are caused by a combination of these factors. For example, targeted attacks are often enabled inadvertently by well-meaning insiders who fail to comply with security policies, which can lead to a breach.
Successful prevention and protection strategies are both risk-based and content-aware. Preventing data breaches is all about risk reduction. To reduce risk, organisations must know where their data is stored, where it is going, and how it is used. Organisations should select solutions based on an operational security model that is risk-based, content-aware, responsive to threats in real time, and workflow-driven so that data security processes are automated. This helps to monitor systems and protect information from both internal and external threats across every tier of the IT infrastructure.
I hope you find this information useful. The attached whitepaper outlines key strategies for simple and secure access to information within the context of an information-centric IT function. It also shows how to reduce the risk of data breaches and data loss. Finally, it gives clear guidance for the practical implementation of risk management using ISO 27002- and ITIL®-based good practices, by looking into the use case of mapping solutions to EU data protection and e-privacy requirements and principles.