The plot in enterprise security tales is taking some very interesting twists and turns. Not only is there a rise in the number of security threats, but also in the types. Broadly speaking, you have the regular viruses, worms, and malware on one side, and a slew of other security threats on the other. These include disgruntled employees, human error, and even things like natural calamities (fires, floods, earthquakes). These are all considered as security threats. So the obvious question is, where do you draw the line? What should be considered as a security threat and what should not be? You can't combat them unless they can be classified properly. Technology alone is not the answer to these. What you need is a combination of technologies and a proper policy framework. In order to determine which are the going technologies and what's the right policy framework, we interacted with key CIOs and IT heads from a number of key verticals across the country. A majority of them were from banking, manufacturing and IT/ITES industries, while some were from govt, education, retail and even market research.
Several interesting trends emerged from our interactions. One was that more than 50% of the respondents said that their respective organizations had faced one or more major security breaches or attacks over the past six months. Another key trend was that E-mail has become a major cause of security threat, thanks to spam. More than 50% of the respondents testified to this. One more significant trend was that given the variety of security threats, unified threat management solutions are increasing in popularity. Instead of spending on multiple security solutions, it's better to go for one that does it all.
IT budgets are also becoming more security friendly. Most of the CIOs we interacted with had kept aside a part (varying anywhere from 1 to 10%) of their IT budgets just for security. There were very few who didn't have a separate security budgets. Given the disruption that's caused by a security threat, it certainly does make sense to have a separate budget for investing in security solutions.
All these questions lead one to several questions. How much should be your security budget? What sort of solutions should you deploy to combat security threats, and how do you reduce the impact of a security incident? In this story, we'll try finding answers to all these questions and more.
Identify security threats and their sources
The first step towards effective security management is to identify the security threats troubling your organization the most. There's no rocket science in concluding that there's a rise in the number of security threats. Everybody knows that, but in order to tackle them properly you must be able to determine which types of threats have gone up more than others for your organization. A company with a large mobile workforce would have to worry more about laptop thefts, while an online company would have to worry more about unauthorized access. To determine what's happening, we asked CIOs to tell us the state of different security threats in their organizations. We wanted to know which security threats had increased, which had decreased, and which ones had remained the same in their case. In a majority of cases, spam had seen a significant increase over the recent past. They also witnessed a sharp increase in the access of vulnerable websites by users. Virus and worm attacks, of course, continued their onslaught.
Interestingly, our respondents weren't full of bad news. There was some good news too. Around 30% of them said that data theft in their organizations had actually gone down, while another 32% also said that there was a decrease in the number of Zero Day Attacks in their companies over the recent past.
After identifying the predominant security threats, the next obvious step is to determine their source. Where are they coming from? Is it by e-mail, Internet, mobile users or some other sources? Only after you know the answer to this question can you take the next step in security for your organization.
The top two sources for security threats need no introduction-Internet and e-mail. More than 60% of the respondents gave these two a rating of 4 or 5 on a five point scale as the major sources for security threats. The sources that follow are more interesting-internal users, mobile laptop users and untimely patches and updates. More than 40% of the respondents gave these three factors a rating of 4 or 5 on a five point scale (where higher is more severe). WiFi, despite all it's hype as being an unsecure medium didn't turn out as a major source of security threats.
Identify solutions to deploy
It's not just about anti-virus and firewalls anymore when it comes to security solutions. Today, there's a whole range to choose from-IDS/IPS, e-mail security, UTM, storage encryption, SSL VPN, information security, network access control and e-mail archival. Out of all these, UTM solution was on top of the list for most of our respondnets. More than 60% of the CIOs said that they were planning to deploy unified threat management in the near future. A unified threat management device, as the name suggests, can perform multiple functions. So you can have a single device that combats multiple security threats.
E-mail security was the next in line, but this goes beyond basic anti-spam. Today, a number of email security solutions are available. These include email security appliances to combat spam, email archival solutions to ensure compliance, and email encryption solutions for ensuring secure communication. Many CIOs we interacted with had plans to deploy an e-mail archival or encryption solution.
Other security solutions that are hot include storage encryption solutions and SSL VPNs. This doesn't mean that these are the only solutions available. It means that there are high chances that you would already have deployed the regular solutions like firewalls, gateway anti-virus, and IDS/IPS. At least a majority of our respondents already had these in place. To our surprise, a majority of our respondents had already information security and network access control solutions. No wonder then that they witnesses a decrease in the number of data thefts.
A proactive approach to compliance
In addition our interactions with CIOs, we also had a last minute interaction with a compliance expert from the Information Security Forum. It's a non-profit organization that has around 300 members from fortune 500 companies. The compliance expert made a very relevant point. She said that the biggest trouble with most organizations is that they react to each regulatory audit that comes up. They follow a consistent process for complying to an information security framework. So, they need to follow a more proactive approach towards compliance to standards. The ISF itself can help companies comply to information security standards, and there are other widely accepted standards like BS7799 and ISO 127001 that can be adopted. Plus, one of their works is a document called the Standard of Good practice. This basically looks at helping organizations assess their information security setups. The document is freely downloadable from ISF's website at www.isfsecuritystandard.com. In case of compliance, the guiding principle is to follow a proactive approach rather than a reactive one.
Incidentally, another area that poses a serious security threat is user rights management. When a user joins an organization, he/she is granted certain access rights to IT resources. Over a period of time, the user's access rights are bound to change. This could be because the user has been promoted, shifted to a different department or transferred to a different location. It's nothing new and happens in every organization, but does your IT department also change the user's access rights to IT resources with a change in profile? Chances are that the user still has access to a lot of resources that have been carried over from previous work profiles. So review user access rights regularly to avoid security problems later. More importantly, you need to do it at regular intervals. One alarming revelation in strict contrast to this advice was that nearly 50% of our respondents had no fixed timelines to review their users' access rights.
Keep a set of access policies handy
The last word in policies is to ensure that you must keep a broad set of guidelines for users in your organization on Internet usage, email manners, network access, etc. Half of the security problems in an organization can be reduced through these. In fact, we asked an open ended question to CIOs about recalling an action they've done in security that has done wonders. A majority of them answered with security policies. For instance, one of the respondents had set policies for web surfing and even limited free IM access to a limited number of people. Another respondent got his company's security policies drafted by an outside agency. There were some who had blocked USB ports on desktops, created network access policies for visitors, blocked access to outside sites, and took disciplinary action against defaulters of policies.
Inhouse or outsourced security mgmt?
This has always remained a sensitive question, because very few people want to risk outsourcing security management to a third party. But actually, there are parts that can be outsourced. For instance, there are companies that can do regular audits of your network or online portal and give you detailed reports of the same. This might be more feasible than keeping an internal security expert for it.