Security: the next step

PCQ Bureau

The plot in enterprise security tales is taking some interesting twists and turns. Not only is the number of security threats rising, so is their variety. Broadly speaking, you have the regular viruses, worms and malware on one side, and a slew of other threats on the other: disgruntled employees, human error, and even natural calamities such as fires, floods and earthquakes. So the obvious question is, where do you draw the line? What should be treated as a security threat and what should not? You can't combat threats unless you can classify them properly, and technology alone is not the answer. What you need is a combination of technologies and a proper policy framework. To determine which technologies are in demand and what the right policy framework looks like, we interacted with CIOs and IT heads from a number of key verticals across the country. A majority were from banking, manufacturing and IT/ITES, while some were from government, education, retail and even market research.


Several interesting trends emerged from our interactions. One was that more than 50% of the respondents said their organizations had faced one or more major security breaches or attacks over the past six months. Another key trend was that e-mail has become a major source of security threats, thanks largely to spam; more than 50% of the respondents testified to this. A third was that, given the variety of threats, unified threat management (UTM) solutions are growing in popularity: instead of spending on multiple point solutions, many prefer a single device that handles several functions. The trade-off is that a single box is also a single point of failure and a single place to get the configuration wrong, so it still needs the same care as the products it replaces.

IT budgets are also becoming more accommodating of security. Most of the CIOs we interacted with had set aside a part of their IT budget, anywhere from 1 to 10%, just for security. Very few had no separate security budget. Given the disruption a security incident causes, it certainly makes sense to have a separate budget for investing in security.



All of this leads to several questions. How much should your security budget be? What sort of solutions should you deploy to combat security threats, and how do you reduce the impact of a security incident? In this story, we try to find answers to these questions and more.

Identify security threats and their sources

The first step towards effective security management is to identify the security threats troubling your organization the most. It takes no rocket science to conclude that the number of security threats is rising; everybody knows that. But to tackle them properly you must be able to determine which types of threats have grown more than others for your organization. A company with a large mobile workforce would have to worry more about laptop theft, while an online company would have to worry more about unauthorized access. To find out what is actually happening, we asked CIOs about the state of different security threats in their organizations: which had increased, which had decreased, and which had stayed the same. In a majority of cases, spam had increased significantly over the recent past. They also saw a sharp increase in users accessing vulnerable websites. Virus and worm attacks, of course, continued their onslaught.


Interestingly, our respondents weren't full of bad news. There was some good news too. Around 30% of them said that data theft in their organizations had actually gone down, while another 32% said the number of zero-day attacks in their companies had decreased over the recent past.

After identifying the predominant security threats, the next obvious step is to determine their source. Where are they coming from: e-mail, the Internet, mobile users or somewhere else? Only once you know the answer can you take the next step in securing your organization.


The top two sources of security threats need no introduction: the Internet and e-mail. More than 60% of the respondents rated these two 4 or 5 on a five-point scale (where higher is more severe) as major sources of security threats. The sources that follow are more interesting: internal users, mobile laptop users, and untimely patches and updates. More than 40% of the respondents rated these three factors 4 or 5 on the same scale. WiFi, despite all the hype about it being an insecure medium, did not turn out to be a major source of security threats.

Identify solutions to deploy

It's not just about anti-virus and firewalls anymore when it comes to security solutions. Today there's a whole range to choose from: IDS/IPS, e-mail security, UTM, storage encryption, SSL VPN, information security, network access control and e-mail archival. Of all these, UTM was at the top of the list for most of our respondents. More than 60% of the CIOs said they were planning to deploy unified threat management in the near future. A UTM device, as the name suggests, performs multiple functions, typically combining a firewall, gateway anti-virus, IDS/IPS, anti-spam and VPN termination in one appliance. So you can have a single device that combats multiple security threats.


E-mail security was next in line, but this goes beyond basic anti-spam. Today a number of e-mail security solutions are available: e-mail security appliances to combat spam, e-mail archival solutions to ensure compliance, and e-mail encryption solutions for secure communication. Many CIOs we interacted with had plans to deploy an e-mail archival or encryption solution.

Other security solutions gaining traction include storage encryption and SSL VPNs. This doesn't mean these are the only solutions available; it means there is a high chance you have already deployed the regular ones such as firewalls, gateway anti-virus and IDS/IPS. At least a majority of our respondents already had these in place. To our surprise, a majority had also already deployed information security and network access control solutions, which may explain the decrease in data theft they reported.


A proactive approach to compliance

In addition to our interactions with CIOs, we also had a last-minute interaction with a compliance expert from the Information Security Forum (ISF), a non-profit organization with around 300 members from Fortune 500 companies. She made a very relevant point: the biggest trouble with most organizations is that they react to each regulatory audit as it comes up. They don't follow a consistent process for complying with an information security framework, so they need a more proactive approach to compliance with standards. The ISF itself can help companies comply with information security standards, and there are other widely accepted standards such as BS 7799 and ISO 27001 that can be adopted. One of the ISF's publications is a document called the Standard of Good Practice, which helps organizations assess their information security setups; it is freely downloadable from the ISF's website. In compliance, the guiding principle is to be proactive rather than reactive.

Incidentally, another area that poses a serious security threat is user rights management. When a user joins an organization, he or she is granted certain access rights to IT resources. Over time those rights are bound to change, because the user has been promoted, moved to a different department or transferred to a different location. This is nothing new and happens in every organization, but does your IT department also change the user's access rights when the profile changes? Chances are the user still has access to a lot of resources carried over from previous roles, because moves usually add new rights without revoking old ones. So review user access rights at fixed, regular intervals, compare what each user holds against what the current role actually needs, and revoke the rest. One alarming revelation, in strict contrast to this advice, was that nearly 50% of our respondents had no fixed timeline for reviewing their users' access rights.
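The review described above boils down to a reconciliation: for each user, compare the groups actually held against the groups the current role justifies, and report the difference. The following script is an added example, not code from the article or from any product it mentions. It runs over a constructed roster and directory export; the role names, group names and the 90-day review interval are assumptions for illustration. It also goes one step beyond the article's movers case by flagging accounts that hold entitlements but no longer appear on the roster (leavers), since those are found by the same comparison.

```python
"""Access-rights recertification check.

Added example, not code from the original article.  It compares what each user
actually holds against what their current role should hold and flags the
difference, so rights carried over from a previous profile stand out.  It also
flags reviews that are overdue and accounts that have entitlements but no
roster entry (leavers), which goes slightly beyond the article's movers case.
All data below is constructed; the role names, groups and the 90-day review
interval are assumptions for illustration.
"""
from datetime import date, timedelta

# Assumed recertification interval: every quarter.
REVIEW_INTERVAL = timedelta(days=90)

# Which groups each role legitimately needs (constructed role-to-group matrix).
ROLE_GROUPS = {
    "finance-analyst": {"fin-reporting", "erp-readonly"},
    "finance-manager": {"fin-reporting", "erp-readonly", "erp-approve-payments"},
    "it-helpdesk": {"ad-password-reset", "ticketing"},
    "sales-rep": {"crm-users"},
}

# Constructed HR roster: current role and the date access was last reviewed.
ROSTER = {
    "asha": {"role": "finance-manager", "last_review": date(2007, 5, 2)},
    "meena": {"role": "it-helpdesk", "last_review": date(2007, 6, 20)},
    # ravi moved from IT helpdesk to sales; nobody removed his old groups.
    "ravi": {"role": "sales-rep", "last_review": date(2007, 1, 15)},
}

# Constructed directory export: the groups each account is actually in.
ENTITLEMENTS = {
    "asha": {"fin-reporting", "erp-readonly", "erp-approve-payments"},
    "meena": {"ad-password-reset", "ticketing", "domain-admins"},
    "ravi": {"crm-users", "ad-password-reset", "ticketing"},
    "sunil": {"erp-approve-payments"},  # left the company; account never disabled
}

TODAY = date(2007, 7, 1)  # fixed so the sample run is reproducible


def review_access(roster, entitlements, role_groups, today, interval=REVIEW_INTERVAL):
    """Return (user, finding, detail) tuples for anything a reviewer should act on."""
    findings = []
    for user, info in sorted(roster.items()):
        allowed = role_groups.get(info["role"], set())
        held = entitlements.get(user, set())
        # Groups held but not justified by the current role: carried-over rights.
        for group in sorted(held - allowed):
            findings.append((user, "excess_group", group))
        # Review older than the interval: the recertification itself is overdue.
        if today - info["last_review"] > interval:
            findings.append((user, "review_overdue", info["last_review"].isoformat()))
    # Accounts with entitlements but no roster entry: leavers or unknown accounts.
    for user in sorted(set(entitlements) - set(roster)):
        findings.append((user, "orphan_account", ",".join(sorted(entitlements[user]))))
    return findings


def run_sample():
    """Run the check over the constructed data above."""
    return review_access(ROSTER, ENTITLEMENTS, ROLE_GROUPS, TODAY)


if __name__ == "__main__":
    for user, finding, detail in run_sample():
        print(f"{user:8} {finding:16} {detail}")
```

On the constructed data the script reports ravi's two help-desk groups as excess for a sales rep, his overdue review, meena's unjustified domain-admins membership, and sunil's orphaned account. In practice the roster comes from HR and the entitlements from a directory or application export; the role-to-group matrix is the part most organizations lack, and building it is what turns an ad hoc review into a repeatable one.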


Keep a set of access policies handy

The last word on policies is to keep a broad set of guidelines for users in your organization on Internet usage, e-mail etiquette, network access and so on. Half of the security problems in an organization can be reduced through these. In fact, we asked CIOs an open-ended question: recall one action you've taken in security that has done wonders. A majority answered with security policies. One respondent had set policies for web surfing and restricted IM access to a small number of people. Another had his company's security policies drafted by an outside agency. Some had blocked USB ports on desktops, created network access policies for visitors, blocked access to outside sites, and taken disciplinary action against policy violators.

In-house or outsourced security management?

This has always been a sensitive question, because very few people want to risk handing security management to a third party. But some parts can be outsourced. For instance, there are companies that will regularly audit your network or online portal and give you detailed reports. This can be more feasible than keeping an internal security expert for the purpose, provided the scope and the handling of the findings are agreed in advance.