Security the next step

With a sharp rise in the number of security threats, CIOs are blocking a part of their security budgets for security. But which security solutions to go for and which compliance standards to adopt? We'll tell you in this story

Tuesday, August 14, 2007

The plot in enterprise security tales is taking some very interesting twists and turns. Not only is there a rise in the number of security threats, but also in the types. Broadly speaking, you have the regular viruses, worms, and malware on one side, and a slew of other security threats on the other. These include disgruntled employees, human error, and even things like natural calamities (fires, floods, earthquakes). These are all considered as security threats. So the obvious question is, where do you draw the line? What should be considered as a security threat and what should not be? You can't combat them unless they can be classified properly. Technology alone is not the answer to these. What you need is a combination of technologies and a proper policy framework. In order to determine which are the going technologies and what's the right policy framework, we interacted with key CIOs and IT heads from a number of key verticals across the country. A majority of them were from banking, manufacturing and IT/ITES industries, while some were from govt, education, retail and even market research.

Several interesting trends emerged from our interactions. One was that more than 50% of the respondents said that their respective organizations had faced one or more major security breaches or attacks over the past six months. Another key trend was that E-mail has become a major cause of security threat, thanks to spam. More than 50% of the respondents testified to this. One more significant trend was that given the variety of security threats, unified threat management solutions are increasing in popularity. Instead of spending on multiple security solutions, it's better to go for one that does it all.

IT budgets are also becoming more security friendly. Most of the CIOs we interacted with had kept aside a part (varying anywhere from 1 to 10%) of their IT budgets just for security. There were very few who didn't have a separate security budgets. Given the disruption that's caused by a security threat, it certainly does make sense to have a separate budget for investing in security solutions.

All these questions lead one to several questions. How much should be your security budget? What sort of solutions should you deploy to combat security threats, and how do you reduce the impact of a security incident? In this story, we'll try finding answers to all these questions and more.

Identify security threats and their sources
The first step towards effective security management is to identify the security threats troubling your organization the most. There's no rocket science in concluding that there's a rise in the number of security threats. Everybody knows that, but in order to tackle them properly you must be able to determine which types of threats have gone up more than others for your organization. A company with a large mobile workforce would have to worry more about laptop thefts, while an online company would have to worry more about unauthorized access. To determine what's happening, we asked CIOs to tell us the state of different security threats in their organizations. We wanted to know which security threats had increased, which had decreased, and which ones had remained the same in their case. In a majority of cases, spam had seen a significant increase over the recent past. They also witnessed a sharp increase in the access of vulnerable websites by users. Virus and worm attacks, of course, continued their onslaught.

Interestingly, our respondents weren't full of bad news. There was some good news too. Around 30% of them said that data theft in their organizations had actually gone down, while another 32% also said that there was a decrease in the number of Zero Day Attacks in their companies over the recent past.

After identifying the predominant security threats, the next obvious step is to determine their source. Where are they coming from? Is it by e-mail, Internet, mobile users or some other sources? Only after you know the answer to this question can you take the next step in security for your organization.

The top two sources for security threats need no introduction-Internet and e-mail. More than 60% of the respondents gave these two a rating of 4 or 5 on a five point scale as the major sources for security threats. The sources that follow are more interesting-internal users, mobile laptop users and untimely patches and updates. More than 40% of the respondents gave these three factors a rating of 4 or 5 on a five point scale (where higher is more severe). WiFi, despite all it's hype as being an unsecure medium didn't turn out as a major source of security threats.

Page(s)   1  2