The plot in enterprise security tales is taking some very interesting twists
and turns. Not only is there a rise in the number of security threats, but also
in the types. Broadly speaking, you have the regular viruses, worms, and malware
on one side, and a slew of other security threats on the other. These include
disgruntled employees, human error, and even things like natural calamities
(fires, floods, earthquakes). These are all considered as security threats. So
the obvious question is, where do you draw the line? What should be considered
as a security threat and what should not be? You can't combat them unless they
can be classified properly. Technology alone is not the answer to these. What
you need is a combination of technologies and a proper policy framework. In
order to determine which are the going technologies and what's the right policy
framework, we interacted with key CIOs and IT heads from a number of key
verticals across the country. A majority of them were from banking,
manufacturing and IT/ITES industries, while some were from govt, education,
retail and even market research.
Several interesting trends emerged from our interactions. One was that more
than 50% of the respondents said that their respective organizations had faced
one or more major security breaches or attacks over the past six months. Another
key trend was that E-mail has become a major cause of security threat, thanks to
spam. More than 50% of the respondents testified to this. One more significant
trend was that given the variety of security threats, unified threat management
solutions are increasing in popularity. Instead of spending on multiple security
solutions, it's better to go for one that does it all.
IT budgets are also becoming more security friendly. Most of the CIOs we
interacted with had kept aside a part (varying anywhere from 1 to 10%) of their
IT budgets just for security. There were very few who didn't have a separate
security budgets. Given the disruption that's caused by a security threat, it
certainly does make sense to have a separate budget for investing in security
All these questions lead one to several questions. How much should be your
security budget? What sort of solutions should you deploy to combat security
threats, and how do you reduce the impact of a security incident? In this story,
we'll try finding answers to all these questions and more.
Identify security threats and their sources
The first step towards effective security management is to identify the
security threats troubling your organization the most. There's no rocket science
in concluding that there's a rise in the number of security threats. Everybody
knows that, but in order to tackle them properly you must be able to determine
which types of threats have gone up more than others for your organization. A
company with a large mobile workforce would have to worry more about laptop
thefts, while an online company would have to worry more about unauthorized
access. To determine what's happening, we asked CIOs to tell us the state of
different security threats in their organizations. We wanted to know which
security threats had increased, which had decreased, and which ones had remained
the same in their case. In a majority of cases, spam had seen a significant
increase over the recent past. They also witnessed a sharp increase in the
access of vulnerable websites by users. Virus and worm attacks, of course,
continued their onslaught.
Interestingly, our respondents weren't full of bad news. There was some good
news too. Around 30% of them said that data theft in their organizations had
actually gone down, while another 32% also said that there was a decrease in the
number of Zero Day Attacks in their companies over the recent past.
After identifying the predominant security threats, the next obvious step is
to determine their source. Where are they coming from? Is it by e-mail,
Internet, mobile users or some other sources? Only after you know the answer to
this question can you take the next step in security for your organization.
The top two sources for security threats need no introduction-Internet and
e-mail. More than 60% of the respondents gave these two a rating of 4 or 5 on a
five point scale as the major sources for security threats. The sources that
follow are more interesting-internal users, mobile laptop users and untimely
patches and updates. More than 40% of the respondents gave these three factors a
rating of 4 or 5 on a five point scale (where higher is more severe). WiFi,
despite all it's hype as being an unsecure medium didn't turn out as a major
source of security threats.
Identify solutions to deploy
It's not just about anti-virus and firewalls anymore when it comes to
security solutions. Today, there's a whole range to choose from-IDS/IPS, e-mail
security, UTM, storage encryption, SSL VPN, information security, network access
control and e-mail archival. Out of all these, UTM solution was on top of the
list for most of our respondnets. More than 60% of the CIOs said that they were
planning to deploy unified threat management in the near future. A unified
threat management device, as the name suggests, can perform multiple functions.
So you can have a single device that combats multiple security threats.
E-mail security was the next in line, but this goes beyond basic anti-spam.
Today, a number of email security solutions are available. These include email
security appliances to combat spam, email archival solutions to ensure
compliance, and email encryption solutions for ensuring secure communication.
Many CIOs we interacted with had plans to deploy an e-mail archival or
Other security solutions that are hot include storage encryption solutions
and SSL VPNs. This doesn't mean that these are the only solutions available. It
means that there are high chances that you would already have deployed the
regular solutions like firewalls, gateway anti-virus, and IDS/IPS. At least a
majority of our respondents already had these in place. To our surprise, a
majority of our respondents had already information security and network access
control solutions. No wonder then that they witnesses a decrease in the number
of data thefts.
A proactive approach to compliance
In addition our interactions with CIOs, we also had a last minute
interaction with a compliance expert from the Information Security Forum. It's a
non-profit organization that has around 300 members from fortune 500 companies.
The compliance expert made a very relevant point. She said that the biggest
trouble with most organizations is that they react to each regulatory audit that
comes up. They follow a consistent process for complying to an information
security framework. So, they need to follow a more proactive approach towards
compliance to standards. The ISF itself can help companies comply to information
security standards, and there are other widely accepted standards like BS7799
and ISO 127001 that can be adopted. Plus, one of their works is a document
called the Standard of Good practice. This basically looks at helping
organizations assess their information security setups. The document is freely
downloadable from ISF's website at www.isfsecuritystandard.com. In case of
compliance, the guiding principle is to follow a proactive approach rather than
a reactive one.
Incidentally, another area that poses a serious security threat is user
rights management. When a user joins an organization, he/she is granted certain
access rights to IT resources. Over a period of time, the user's access rights
are bound to change. This could be because the user has been promoted, shifted
to a different department or transferred to a different location. It's nothing
new and happens in every organization, but does your IT department also change
the user's access rights to IT resources with a change in profile? Chances are
that the user still has access to a lot of resources that have been carried over
from previous work profiles. So review user access rights regularly to avoid
security problems later. More importantly, you need to do it at regular
intervals. One alarming revelation in strict contrast to this advice was that
nearly 50% of our respondents had no fixed timelines to review their users'
Keep a set of access policies handy
The last word in policies is to ensure that you must keep a broad set of
guidelines for users in your organization on Internet usage, email manners,
network access, etc. Half of the security problems in an organization can be
reduced through these. In fact, we asked an open ended question to CIOs about
recalling an action they've done in security that has done wonders. A majority
of them answered with security policies. For instance, one of the respondents
had set policies for web surfing and even limited free IM access to a limited
number of people. Another respondent got his company's security policies drafted
by an outside agency. There were some who had blocked USB ports on desktops,
created network access policies for visitors, blocked access to outside sites,
and took disciplinary action against defaulters of policies.
Inhouse or outsourced security mgmt?
This has always remained a sensitive question, because very few people want
to risk outsourcing security management to a third party. But actually, there
are parts that can be outsourced. For instance, there are companies that can do
regular audits of your network or online portal and give you detailed reports of
the same. This might be more feasible than keeping an internal security expert