Acceptable risk

While BYOD has become the norm in many organisations, security threats associated with it tops the charts for 2013

"No doubt, the increasing mobility of data in corporate environments is one of the biggest challenges we faced in the past year. Users are fully embracing the power to access data from anywhere. The rapid adoption of [BYOD] and cloud are really accelerating this trend, and providing new vectors of attack.”

“BYOD can be a win-win for users and employers, but the security challenges are real while boundaries between business and private use are blurring. It raises questions on who owns, manages and secures devices and the data on them.”

Another trend Sophos is seeing is “the changing nature of the endpoint device”, Eschelbeck says. Organisations are no longer purely Windows but support a diversity of platforms.

“Modern malware is effective at attacking new platforms and we are seeing rapid growth of malware targeting mobile devices,” he writes. “While malware for Android was just a lab example a few years ago, it has become a serious and growing threat.”

Tomer Teller, a security evangelist and researcher at Check Point, lists social engineering as the number one cyber security threat of 2013.

“In years past, [the attacker] might call a receptionist and ask to be transferred to a targeted employee so that the call appears to be coming from within the enterprise if caller ID is being used. However, such tactics aren’t needed if the details the cybercriminal is looking for are already posted on social networks,” he says on Forbes.com.

An honest-looking profile of a company or person followed by a friend request can be enough to get a social engineering scam rolling, he says.

Teller lists BYOD as threat number four, after Advanced Persistent Threats – these are highly sophisticated attacks aiming to gain access to a network and steal information quietly – and internal threats.

“Users are increasingly using their devices as they would their PCs, and by doing so are opening themselves up to web-based attacks the same as they would if they were operating a desktop computer.”

“Think about it,” Teller writes. […] your smartphone has a camera. It has a microphone. It can record conversations.”

McAfee Labs predicts an increase in mobile worms that buy malicious apps and steal via tap-and-pay NFC (near-field communications). The company also warns of malware that blocks security updates to mobile phones; and mobile phone ransom-ware “kits” that allow criminals without programming skills to extort payments.

Mobile malware has “exploded”, according to Kaspersky Labs’ security forecast for 2013. About 90 percent of it is targeted at Android devices, and we can expect the Android malware to keep coming in 2013, says the security firm. While most malware so far has been designed to get access to the device, the future might see the use of vulnerabilities that target the operating system and the development of ‘drive-by downloads’, according to Kaspersky.

Social media a threat to brands

Gartner predicts that by the end of 2014, 70 percent of large enterprises will permit access to external social media, compared with 50 percent in 2010. While social media could be used as a platform for delivery of malware, this is not the main concern in this area, says McMillan. There are measures to control malware these days, he says.

A bigger potential issue lies in the merger of people’s professional and social identity.

“On social media, it’s not unusual for people to be a bit more relaxed in the way they express themselves than they would be on, say, public television,” McMillan says.

With social and professional identities merging, you have got to be very careful of the statements that you make. Statements made in public can be taken as a representation of the company, he says.

“Brand does have value to the organisation and you want to protect that as an asset that has real value to the business.”

For many businesses, there is a tension between not wanting to restrict people but at the same time needing to protect their brand, he says.

Uptake of social media technologies is also increasing among Gen-i’s customer base, says van der Steen. Some organisations use it only as a channel to get their message out. Others use enterprise social networks, such as Salesforce’s Chatter and Microsoft’s Yammer. This could often work as an “internal helpdesk”, he says.

One of the biggest risks with social media technologies is that information travels very fast, van der Steen says.

“If somebody slips up you can be sure the whole world knows about it in 30 seconds.”

There are tools to control social media risks, but more than ever, you need to make people aware of the risks, he says.

Big data vs privacy

The same goes for Big Data technology – if your company is using Big Data, educate your people and invest in technology that secures the data, he says. The concern in this area is the proximity to potential privacy issues.

“There can be an awful lot of data available about an individual – near real-time location information, call and text history, Facebook updates,” van der Steen says. “To what point can you use this data – when does it become an invasion of privacy?”

This data is collected by many different parties, for example mobile networks, Facebook, Google, credit card companies and your supermarket. How much of the data can be used to influence behaviour, he asks. Individuals can be highly targeted. At the supermarket for example, your smartphone app might tell you that the apples you like are on sale and they are in aisle three.

“That’s great, but where do you draw the line?” he says. “And who owns the data?”

The technology in this space is still maturing.

On Facebook you can download an extract of all the data they have on you, van der Steen says.

“It’s quite shocking. They know when you check in; people tag you [in posts and photos], [the technology] can even recognise your face in photos. You need to be cautious about who you want to share this information with.”

Layered security approach

CodeBlue’s SMB customers typically don’t have a large IT department with their own security specialists – “they expect us to manage their security”, says Funnell. The company uses a “layered” approach that covers desktops, server environment, internet, mail and data, he says.

“Historically, there has been a disaster recovery approach, after the horse has bolted, if you like. We are offering DRS – data resilience services.”

This means building a solution that has data and applications available when and where staff need it. Resiliency is built in, “so it’s very unlikely that data is unavailable”. Should something unexpected happen, like an earthquake, and the data is unavailable, users can do a quick restore.

CodeBlue uses remote management and monitoring software from Switzerland-based Kaseya. All of clients’ workstations, notebooks and servers are connected to the Kaseya environment.

“We monitor them every five minutes. Along with that Kaseya delivers things like antivirus and antimalware. It gives us one pane of glass – we can see, monitor and manage those different security layers through Kaseya,” Funnell says.

Security as a restriction

The landscape has changed from organisations trying to build forts around them, to businesses being more productivity-driven, says van der Steen.

“If you put top security in place you will remove any increased productivity. It’s a balance of how much risk is acceptable for the business in order to increase the business benefits. The more security you put in place the more restricted [the workplace] becomes.”

Traditionally, the focus was on controlling costs and managing risk – for Gen-i as well, he says.

“Now the market, our clients, demand that we think with them – how we can help increase productivity.”

You will get to a point where it doesn’t make sense to invest more in security tools if that means restricting productivity.

“Every business needs to make the decision what level they are comfortable with – what is acceptable risk?” he says.

"No doubt, the increasing mobility of data in corporate environments is one of the biggest challenges we faced in the past year. Users are fully embracing the power to access data from anywhere. The rapid adoption of [BYOD] and cloud are really accelerating this trend, and providing new vectors of attack.”

“BYOD can be a win-win for users and employers, but the security challenges are real while boundaries between business and private use are blurring. It raises questions on who owns, manages and secures devices and the data on them.”

Another trend Sophos is seeing is “the changing nature of the endpoint device”, Eschelbeck says. Organisations are no longer purely Windows but support a diversity of platforms.

“Modern malware is effective at attacking new platforms and we are seeing rapid growth of malware targeting mobile devices,” he writes. “While malware for Android was just a lab example a few years ago, it has become a serious and growing threat.”

Tomer Teller, a security evangelist and researcher at Check Point, lists social engineering as the number one cyber security threat of 2013.

“In years past, [the attacker] might call a receptionist and ask to be transferred to a targeted employee so that the call appears to be coming from within the enterprise if caller ID is being used. However, such tactics aren’t needed if the details the cybercriminal is looking for are already posted on social networks,” he says on Forbes.com.

An honest-looking profile of a company or person followed by a friend request can be enough to get a social engineering scam rolling, he says.

Teller lists BYOD as threat number four, after Advanced Persistent Threats – these are highly sophisticated attacks aiming to gain access to a network and steal information quietly – and internal threats.

“Users are increasingly using their devices as they would their PCs, and by doing so are opening themselves up to web-based attacks the same as they would if they were operating a desktop computer.”

“Think about it,” Teller writes. […] your smartphone has a camera. It has a microphone. It can record conversations.”

McAfee Labs predicts an increase in mobile worms that buy malicious apps and steal via tap-and-pay NFC (near-field communications). The company also warns of malware that blocks security updates to mobile phones; and mobile phone ransom-ware “kits” that allow criminals without programming skills to extort payments.

Mobile malware has “exploded”, according to Kaspersky Labs’ security forecast for 2013. About 90 percent of it is targeted at Android devices, and we can expect the Android malware to keep coming in 2013, says the security firm. While most malware so far has been designed to get access to the device, the future might see the use of vulnerabilities that target the operating system and the development of ‘drive-by downloads’, according to Kaspersky.

Social media a threat to brands

Gartner predicts that by the end of 2014, 70 percent of large enterprises will permit access to external social media, compared with 50 percent in 2010. While social media could be used as a platform for delivery of malware, this is not the main concern in this area, says McMillan. There are measures to control malware these days, he says.

A bigger potential issue lies in the merger of people’s professional and social identity.

“On social media, it’s not unusual for people to be a bit more relaxed in the way they express themselves than they would be on, say, public television,” McMillan says.

With social and professional identities merging, you have got to be very careful of the statements that you make. Statements made in public can be taken as a representation of the company, he says.

“Brand does have value to the organisation and you want to protect that as an asset that has real value to the business.”

For many businesses, there is a tension between not wanting to restrict people but at the same time needing to protect their brand, he says.

Uptake of social media technologies is also increasing among Gen-i’s customer base, says van der Steen. Some organisations use it only as a channel to get their message out. Others use enterprise social networks, such as Salesforce’s Chatter and Microsoft’s Yammer. This could often work as an “internal helpdesk”, he says.

One of the biggest risks with social media technologies is that information travels very fast, van der Steen says.

“If somebody slips up you can be sure the whole world knows about it in 30 seconds.”

There are tools to control social media risks, but more than ever, you need to make people aware of the risks, he says.

Big data vs privacy

The same goes for Big Data technology – if your company is using Big Data, educate your people and invest in technology that secures the data, he says. The concern in this area is the proximity to potential privacy issues.

“There can be an awful lot of data available about an individual – near real-time location information, call and text history, Facebook updates,” van der Steen says. “To what point can you use this data – when does it become an invasion of privacy?”

This data is collected by many different parties, for example mobile networks, Facebook, Google, credit card companies and your supermarket. How much of the data can be used to influence behaviour, he asks. Individuals can be highly targeted. At the supermarket for example, your smartphone app might tell you that the apples you like are on sale and they are in aisle three.

“That’s great, but where do you draw the line?” he says. “And who owns the data?”

The technology in this space is still maturing.

On Facebook you can download an extract of all the data they have on you, van der Steen says.

“It’s quite shocking. They know when you check in; people tag you [in posts and photos], [the technology] can even recognise your face in photos. You need to be cautious about who you want to share this information with.”

Layered security approach

CodeBlue’s SMB customers typically don’t have a large IT department with their own security specialists – “they expect us to manage their security”, says Funnell. The company uses a “layered” approach that covers desktops, server environment, internet, mail and data, he says.

“Historically, there has been a disaster recovery approach, after the horse has bolted, if you like. We are offering DRS – data resilience services.”

This means building a solution that has data and applications available when and where staff need it. Resiliency is built in, “so it’s very unlikely that data is unavailable”. Should something unexpected happen, like an earthquake, and the data is unavailable, users can do a quick restore.

CodeBlue uses remote management and monitoring software from Switzerland-based Kaseya. All of clients’ workstations, notebooks and servers are connected to the Kaseya environment.

“We monitor them every five minutes. Along with that Kaseya delivers things like antivirus and antimalware. It gives us one pane of glass – we can see, monitor and manage those different security layers through Kaseya,” Funnell says.

Security as a restriction

The landscape has changed from organisations trying to build forts around them, to businesses being more productivity-driven, says van der Steen.

“If you put top security in place you will remove any increased productivity. It’s a balance of how much risk is acceptable for the business in order to increase the business benefits. The more security you put in place the more restricted [the workplace] becomes.”

Traditionally, the focus was on controlling costs and managing risk – for Gen-i as well, he says.

“Now the market, our clients, demand that we think with them – how we can help increase productivity.”

You will get to a point where it doesn’t make sense to invest more in security tools if that means restricting productivity.

“Every business needs to make the decision what level they are comfortable with – what is acceptable risk?” he says.

Join the Computerworld New Zealand newsletter!

Error: Please check your email address.
Show Comments
[]