Made up of more than 1,800 consultants, architects and designers, BT Global Services offers one of the biggest dedicated security practice communities in the world.
Cyber-crime 2.0
Never has corporate data appeared so attractive to people involved in cyber-crime. The early history of the internet saw cyber-crime targeted principally against the individual consumer. But times are changing. A Forrester report in 2010 found that proprietary knowledge and company secrets are twice as valuable as the kind of information typically found on a consumer's computer or phone (card details, medical data and so on). Ovum cites figures from the UK government that cyber-crime is costing the country £27bn annually [1]. Extrapolate those figures globally and the numbers become frightening.

So if the intellectual property of the business world is such a target, it follows that IT departments should be redoubling their efforts to keep it secure. Yet that's easier said than done. According to a study by McAfee, 68 per cent of data loss comes from within [2]. In other words, while IT departments are pulling out all the stops to keep people from the outside getting in, the bigger problem actually comes from their own colleagues. Of course, on the whole such leaks are accidental: people leave a machine unencrypted or send an email to the wrong person by mistake. But even allowing for the inevitability of a bit of human error, 68 per cent feels worryingly high.

Adding to the complexity, and giving cyber-criminals more opportunities to access company data, is the explosion in the number of devices out there. In Brazil there are now more mobiles than people [3]. In the US, 85 per cent of children own or have access to a mobile phone, while only 73 per cent own a book [4]. Devices like the iPad are bought for leisure yet are also used (by 51 per cent of people, according to recent figures [5]) to log on to work systems. Are these personal devices vetted by the IT team? Often they're not.
1 Source: Silicon.com, www.silicon.com/technology/security/2011/03/09/cyber-espionage-firmsfail-to-take-threat-seriously-39747112/
2 Source: www.softcat.com/files/pdfs/TheThreatsEnglish.1.pdf
3 Source: TechEye.net, www.techeye.net/mobile/cheap-handsets-mean-more-phones-thanpeople-in-brazil#ixzz1IGJDVVHJ
4 Source: Digital Buzz, www.digitalbuzzblog.com/mobile-statistics-2011-growth-of-mobile/
5 Source: http://globalservices.bt.com/static/assets/insights_and_ideas/risk_resilience/pdf/btgs_ gs09_6thingsuneed2knowin2010_whitepaperFINAL.PDF
But when you flip this over and look at devices approved and provided by work, a similar problem occurs. As many as 21 per cent of people let their family use their work laptop to access the internet [6]. Are those family members versed in the company's IT policy? Again, the answer is likely to be no. Revealingly, at an event in London in April 2011 IDC expressed the view that viruses are no longer the biggest security threat. That dubious honour now lies with what it described as security sprawl.

So how should these risks be tackled? Firstly, by not trying to swim against the tide. Employees, especially the younger generation, have grown up with the internet. Trying to prohibit the use of certain devices, or certain ways of using those devices, is futile. There's also a good chance that by seeking to place limits on the way technology is used, you will also place a limit on people's effectiveness and on their ability to innovate. Instead, the best approach is to take the following sensible steps:
> Education. Ongoing training should be provided so that people understand your organisation's policy on information security, personal email use or plugging personal iPods into computers, for example.
> Access. You need to get the balance right, giving people the access to the information they need, with enough leeway to be able to innovate and do their job. But full administration rights to all data are rarely appropriate for the entire workforce.
> Monitoring. Security monitoring isn't optional any more: network traffic should be monitored on a 24/7 basis for two reasons. Firstly, so that you can undertake forensic analysis in the event that an issue occurs; and secondly, to detect threats in real time so they can be tackled immediately.
Combating these threats requires action by three groups of people within the organisation:
> The IT department needs to make sure that all usernames, logins and passwords to company data are cancelled when people leave the organisation.
> The HR team should double-check that access tokens and key fobs have been returned.
> Individuals need to be aware of the company security policy. It should contain guidelines and advice to help them act responsibly and safely in the way they use and access data and devices. Training should be carried out for new joiners, with refresher courses for existing staff.
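One way to implement the IT department's leaver check above (an added example, not BT's own tooling): reconcile an HR leavers list against an export of user accounts and report those still enabled after their owner's leave date. Both CSV extracts, the employee ids, usernames and dates are constructed for the example.

```python
import csv
import io
from datetime import date

# Constructed HR export: who has left and when (not real data).
HR_LEAVERS_CSV = """employee_id,name,leave_date
1001,A. Example,2011-03-31
1002,B. Example,2011-04-15
1003,C. Example,2011-05-20
"""

# Constructed identity-system export: every account, its owner and its state.
# The secondary account svc-backup is also owned by employee 1001.
ACCOUNTS_CSV = """username,employee_id,enabled,last_login
aexample,1001,true,2011-04-02
bexample,1002,false,2011-04-14
cexample,1003,true,2011-05-19
svc-backup,1001,true,2011-05-01
dexample,1004,true,2011-05-01
"""


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def overdue_accounts(hr_csv, accounts_csv, today, grace_days=0):
    """Return (username, employee_id, days_overdue, used_after_leaving) for
    every enabled account whose owner left more than grace_days ago.
    Accounts used after the leave date come first, then the longest overdue."""
    today = date.fromisoformat(today)
    leave_by_emp = {r["employee_id"]: date.fromisoformat(r["leave_date"])
                    for r in parse_csv(hr_csv)}
    findings = []
    for acct in parse_csv(accounts_csv):
        left = leave_by_emp.get(acct["employee_id"])
        if left is None or acct["enabled"].strip().lower() != "true":
            continue                     # still employed, or already disabled
        overdue = (today - left).days - grace_days
        if overdue <= 0:
            continue                     # inside the allowed window
        used_after = date.fromisoformat(acct["last_login"]) > left
        findings.append((acct["username"], acct["employee_id"], overdue, used_after))
    findings.sort(key=lambda f: (not f[3], -f[2]))
    return findings


if __name__ == "__main__":
    for user, emp, days, used in overdue_accounts(HR_LEAVERS_CSV, ACCOUNTS_CSV, "2011-05-25"):
        print(f"{user:<12} employee {emp} overdue {days:>3} days", "USED AFTER LEAVING" if used else "")
```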
BT Global Services has developed active alliances with more than 100 leading security partners including Check Point, Blue Coat, Crossbeam, IBM ISS, McAfee, EMC/RSA, Microsoft, Oracle / Sun, Juniper, Cisco Systems, HP, Websense, ActivIdentity and Symantec.
There are now more social networking accounts than there are people on earth.
One of the most common tactics is clickjacking. Criminals take advantage of the popularity of users posting shortened URLs (common services are bitly and TinyURL). These shortened URLs do not show the true destination of the link. For example, a link to an article on the BBC website wouldn't start with www.bbc.co.uk; instead it would be something like http://tinyurl.com/6dvr4lk. Hackers can use this to disguise the fact that clicking on a link will actually take you through to a malicious site. So how should IT departments train staff to minimise the risks?
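As an added illustration of the shortened-URL problem (example code, not from the BT paper), the script below resolves a short link hop by hop without ever loading the destination, reports where it really leads and flags links whose real host differs from the one the message claimed. The redirect table, hostnames and helper names are constructed for the example; in a real check the lookup would be a HEAD request sent with redirects disabled, reading back the Location header.

```python
from urllib.parse import urlparse

# Hosts of popular link shorteners; the paper names bitly and TinyURL.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Constructed redirect table standing in for a HEAD request that is sent with
# redirects disabled and whose Location header is read back. None of these
# links are real; they exist only so the example runs offline.
REDIRECTS = {
    "http://tinyurl.com/example-bbc": "http://www.bbc.co.uk/news/example",
    "http://bit.ly/example-login": "http://login-bbc.example-malicious.test/",
    "http://bit.ly/example-loop": "http://tinyurl.com/example-loop2",
    "http://tinyurl.com/example-loop2": "http://bit.ly/example-loop",
}


def is_shortened(url):
    return urlparse(url).hostname in SHORTENER_HOSTS


def resolve(url, lookup=REDIRECTS.get, max_hops=5):
    """Walk the redirect chain one hop at a time without loading the
    destination. Returns (final_url, hops); raises on loops or long chains."""
    seen = [url]
    for _ in range(max_hops):
        nxt = lookup(url)
        if nxt is None:            # no Location header: this is the real page
            return url, len(seen) - 1
        if nxt in seen:
            raise ValueError("redirect loop: " + " -> ".join(seen + [nxt]))
        seen.append(nxt)
        url = nxt
    raise ValueError("too many redirects: " + " -> ".join(seen))


def check_link(url, claimed_host=None):
    """Verdict for one link: where it really goes, whether a shortener hid
    that, and whether the real host matches what the message claimed."""
    try:
        final, hops = resolve(url)
        error = None
    except ValueError as exc:
        final, hops, error = None, None, str(exc)
    final_host = urlparse(final).hostname if final else None
    mismatch = bool(claimed_host and final_host and final_host != claimed_host)
    return {"url": url, "shortened": is_shortened(url), "final": final,
            "hops": hops, "final_host": final_host,
            "claimed_host_mismatch": mismatch, "error": error}


if __name__ == "__main__":
    for link in REDIRECTS:
        print(check_link(link, claimed_host="www.bbc.co.uk"))
```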
Education
Again, clear policies and education are paramount. Marketing staff need to exercise the same level of vigilance in opening messages, and in clicking links received in messages, as they would with their own email. When it comes to phishing attacks against consumers, the message seems to be getting through. In the UK, for example, while the number of phishing attacks has risen to an all-time high, online banking fraud losses were down to £46.7m last year, a 22 per cent decrease from 2009 [15]. The people running your social media marketing activity need to show the same level of caution.
Blurred boundaries
You should also be alert to your employees' use of social media outside of work. The information they include in things like their Facebook profiles can potentially be used by hackers to build up a detailed picture of their habits and lifestyles, helping them to target social engineering attacks more effectively.
> Your IT team. You need to sit down and understand exactly what you want to achieve by using cloud services. Clear guidelines should be drawn up. What type of data do you want to move to the cloud? Where will that data actually be hosted? What are the regulatory implications if data is stored in different countries? You may feel that the perimeter of the cloud is fit for keeping out unwelcome intruders, but how do you make sure that data within the cloud itself is secure?
> Your supplier. Do you know who within the supplier organisation will have access to your data? Can your supplier provide audit logs (in the event of data theft, such logs can help to pinpoint the perpetrator)? You should also ask your provider for compliance certification, or information about a recent audit that can be shared with your auditor.
> Your employees. Be aware of employees taking a DIY approach. Companies that don't make remote access simple may see employees saving company documents to their own personal cloud services (such as Microsoft SkyDrive). The problem is that many of these consumer-focused services only use password protection. For companies in highly regulated industries like financial services, this could create serious problems.
Even within the course of their work, employees might have cause to use cloud services that the IT team has not authorised, for example if they're collaborating on a project with a smaller organisation which is using Google Docs. The cloud services of Amazon and Google (aimed largely at SMEs) have had well-reported security issues, with a lightning storm once knocking out part of Amazon's service [20]. So once again, communicating clearly with employees is key. Help them understand your policy on cloud computing.

The brutal truth is that security risks are not going to go away. In fact, the global picture is one of threats remaining as numerous and as potentially harmful as at any time since the birth of IT. Meanwhile, the increasing number of devices we own and use, and our growing desire to work on the move, have led to added complexity. Yet the typical approach to tackling this issue, placing all our faith in technology to deal with the dangers, ignores a crucial ingredient in the battle to keep data secure. That ingredient is people. Your staff play a role that is every bit as important as the security hardware and software that your business has invested in.

So in the year ahead, place your emphasis on education and awareness. Do this and you will allow technology to be a tool to boost efficiency, productivity and innovation, without compromising security. Go on, embrace the sprawl.
You can assess your operational security today, rapidly identifying weaknesses in your security management and measuring its adoption across the organisation. The BT Secure Networking Quick Start Service will help you take cost-effective remedial and preventative measures. The service is based on a unique set of tools, experience and knowledge, drawing on the expertise of consultants from across the BT Group who have come together to form a Global Centre of Excellence. Find out more about the BT Secure Networking Quick Start at www.globalservices.bt.com/uk/en/products/Secure_networking_quick_start
Offices worldwide
The telecommunications services described in this publication are subject to availability and may be modified from time to time. Services and equipment are provided subject to British Telecommunications plc's respective standard conditions of contract. Nothing in this publication forms any part of any contract. British Telecommunications plc 2011. Registered office: 81 Newgate Street, London EC1A 7AJ. Registered in England No: 1800000. Designed by Westhill.co.uk. Printed in England. PHME 62497