How to Bolster Security With a Limited Budget
Friday, 26 June 2009

By Bob Violino

Making sure an organization is protected against constantly evolving security threats is tough under any circumstances. Doing it when budgets are tight is an even greater challenge, and it's one that many CIOs and security chiefs are facing today.

How do they cope, particularly when organizations face new threats such as those associated with social networking and social engineering? Security executives and experts say there are a number of things companies can do to protect assets even with limited budgets, including leveraging security technology across the organization, keeping security patches up to date and reeducating users about how they can help thwart attacks.

Recent research indicates how tough things are for some IT and security executives. A report by Deloitte Touche Tohmatsu released in May shows that 32% of companies in the technology, media and telecommunications industries reduced investment in information security spending in 2008.

In its TMT Global Security Survey, the New York-based firm reports that 60% of respondents say they're falling behind or still catching up to their security threats, a sharp increase from 49% in the previous year. The survey also shows that declining security investment is hindering the adoption of new security technologies.

This comes at a time when new threats are emerging from initiatives such as social networking. The Deloitte survey shows that a large majority of companies regard exploitation of vulnerabilities in Web 2.0 technologies and social engineering techniques as threats to information security.

Security managers are doing what they can to protect their organizations. "The way to manage a tight budget is to identify the elements of the security program that are essential or that provide significant value and leave them intact," says John Cholewa, director of corporate security at Embarq Corp., a communications services provider in Overland Park, Kan., which has had to make budget cuts for security.

"We place a high degree of emphasis on the continual development and refinement of rules for firewalls and IPS [intrusion prevention systems] devices so we can quickly identify and respond to anomalies in the network," Cholewa says. "Due to the ever-changing threat environment, no company can ever have airtight protection, so we develop rapid and flexible responses" to threats.
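The kind of anomaly Cholewa describes can be surfaced from logs the firewall already produces, at no licensing cost. The following is an added example, not code from the article or from Embarq: a small detector that reads iptables-style DROP log lines and flags a single source probing many ports on one host (a vertical scan) or one port across many hosts (a horizontal sweep) inside a short time window. The log lines are constructed for the example, the `FW-DROP:` prefix is assumed, and the 60-second window and thresholds of five distinct ports or hosts are assumptions to be tuned per environment.

```python
"""Port-scan detection over firewall DROP logs (added example, constructed data)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed log prefix; LEN/TTL fields between DST and PROTO are skipped by .*?
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<prefix>\S+) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

WINDOW_SECONDS = 60          # assumption: tune to your environment
DISTINCT_PORT_THRESHOLD = 5  # assumption
DISTINCT_HOST_THRESHOLD = 5  # assumption

# Constructed sample: one fast vertical scan, one horizontal SMB sweep,
# an ICMP drop, an unrelated sshd line, one benign drop, and a slow scanner
# that spreads five ports over twelve minutes.
SAMPLE_LOG = """\
Jun 26 10:00:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=40001 DPT=22 SYN
Jun 26 10:00:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=40002 DPT=23 SYN
Jun 26 10:00:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=40003 DPT=25 SYN
Jun 26 10:00:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=40004 DPT=80 SYN
Jun 26 10:00:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=40005 DPT=443 SYN
Jun 26 10:00:04 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=40006 DPT=3389 SYN
Jun 26 10:00:05 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=84 TTL=54 PROTO=ICMP TYPE=8 CODE=0
Jun 26 10:00:20 fw sshd[4142]: Accepted publickey for admin from 192.0.2.55 port 52100 ssh2
Jun 26 10:00:30 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.12 LEN=60 TTL=50 PROTO=TCP SPT=51001 DPT=21 SYN
Jun 26 10:02:10 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.11 LEN=60 TTL=49 PROTO=TCP SPT=33001 DPT=445 SYN
Jun 26 10:02:11 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.12 LEN=60 TTL=49 PROTO=TCP SPT=33002 DPT=445 SYN
Jun 26 10:02:11 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.13 LEN=60 TTL=49 PROTO=TCP SPT=33003 DPT=445 SYN
Jun 26 10:02:12 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.14 LEN=60 TTL=49 PROTO=TCP SPT=33004 DPT=445 SYN
Jun 26 10:02:12 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.15 LEN=60 TTL=49 PROTO=TCP SPT=33005 DPT=445 SYN
Jun 26 10:02:13 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.16 LEN=60 TTL=49 PROTO=TCP SPT=33006 DPT=445 SYN
Jun 26 10:03:30 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.12 LEN=60 TTL=50 PROTO=TCP SPT=51002 DPT=22 SYN
Jun 26 10:05:00 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=45000 DPT=8080 SYN
Jun 26 10:06:30 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.12 LEN=60 TTL=50 PROTO=TCP SPT=51003 DPT=25 SYN
Jun 26 10:09:30 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.12 LEN=60 TTL=50 PROTO=TCP SPT=51004 DPT=110 SYN
Jun 26 10:12:30 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.12 LEN=60 TTL=50 PROTO=TCP SPT=51005 DPT=143 SYN
"""


def parse_line(line):
    """Return a dict for a firewall drop line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # syslog has no year
    ev["dpt"] = int(ev["dpt"]) if ev["dpt"] else None       # None for ICMP etc.
    return ev


def _max_distinct_in_window(events):
    """events: list of (ts, key). Largest number of distinct keys seen in any
    WINDOW_SECONDS span, computed with a two-pointer sliding window."""
    events.sort(key=lambda e: e[0])
    counts, start, best = Counter(), 0, 0
    for ts, key in events:
        counts[key] += 1
        while (ts - events[start][0]).total_seconds() > WINDOW_SECONDS:
            old = events[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def detect_scans(log_text):
    """Group drops by (src, dst) and (src, dpt); flag windows over threshold."""
    by_src_dst = defaultdict(list)   # (src, dst) -> [(ts, dpt)]
    by_src_port = defaultdict(list)  # (src, dpt) -> [(ts, dst)]
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["dpt"] is None:   # skip non-firewall and portless lines
            continue
        by_src_dst[(ev["src"], ev["dst"])].append((ev["ts"], ev["dpt"]))
        by_src_port[(ev["src"], ev["dpt"])].append((ev["ts"], ev["dst"]))
    findings = []
    for (src, dst), evs in by_src_dst.items():
        n = _max_distinct_in_window(evs)
        if n >= DISTINCT_PORT_THRESHOLD:
            findings.append({"type": "vertical_scan", "src": src, "dst": dst, "distinct": n})
    for (src, dpt), evs in by_src_port.items():
        n = _max_distinct_in_window(evs)
        if n >= DISTINCT_HOST_THRESHOLD:
            findings.append({"type": "horizontal_sweep", "src": src, "port": dpt, "distinct": n})
    return findings


if __name__ == "__main__":
    for f in detect_scans(SAMPLE_LOG):
        print(f)
```

The slow scanner from 198.51.100.9 is deliberately not flagged: five ports over twelve minutes never put more than one distinct port inside a 60-second window, which is the blind spot of any fixed-window rule and the reason thresholds need periodic review against what the firewall actually logs.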

County Bank, a mid-sized commercial bank in Fresno, Calif., which was acquired in February by Westamerica Bank, has had to make do with less for IT security, says Charles McCain, former vice president of information security who now serves as information security officer for the acquired entity.

"Right now we're working with a diminished tool set, and that's pretty commonplace; it's been tough in banking," McCain says. "I'd be surprised to find any banks that were expanding their budget [for] information security."

The bank had been using a network scanning software service from Qualys Inc. to help protect its more than 700 workstations and 50 enterprise servers. But the annual licensing fee was not renewed by Westamerica, so County Bank's branches no longer use the service.

The Qualys technology had allowed County Bank to take a proactive approach to security, using the scanning tool to look at every network-connected device in the bank to ensure that they were protected against the latest vulnerabilities, and allowing managers to take remedial action before a security breach occurred.

"Now we can only detect incidents after they've occurred," McCain says. "We haven't had any, but that's the state we're at now." The bank is making the most of the security technology it still has in place, including intrusion detection on its firewall and antivirus applications.

"We're doing what we can do, monitoring reports and making sure we have the latest updates to the operating system, particularly Windows," McCain says. "We make sure all security patches are current, and jawbone the IT people into making sure they've installed all patches."

Experts say organizations must take better stock of the security technologies and services in use throughout the organization, to see if solutions used by one department or division can be leveraged in other areas to gain more value, or if some products or services can be dropped because they're not needed.

"Companies need to understand what they have in place," says Irfan Saif, a principal at Deloitte & Touche LLP. "Some of these things can be done in a siloed fashion and there may well be some overlap" within different parts of the organization. "They need to make sure they're getting the maximum mileage for their efforts and eliminating the silos where practical to gain efficiencies."

Roger Fye, vice president of IT at Dial Global, Valencia, Calif., an independent radio network owned by Triton Media Group, agrees that in challenging economic times managers must leverage the devices and systems they already have in place.

"Make sure your systems are completely up to date, patched, firmware updates applied, virus signature databases updated and each device properly working and updated," Fye says. "We can also go over our policies, procedures and best practices to make sure everything is up to date and covers even the very latest exploits and possible compromises."

Fye says he's concerned about new threats related to the latest online technologies. "We have noticed that the social networking sites like MySpace and Facebook have become a much greater threat, and we are still trying to formulate best practices in dealing with it," he says.

Since only a fraction of Dial Global employees use those types of services for marketing and interactivity with potential clients, "it's been a difficult task to come up with a blanket policy regarding the use of these sites," Fye says. "We cannot globally block access to them and we don't have the technology in place to selectively do it. So, as of now, we have left it open and accessible."

Executives, when planning a security strategy, should assess all the key information security risks the organization faces based on its operating environment and then prioritize those threats, Saif says. That way, the organization can be assured that it's addressing the most significant threats effectively and spending security budget on the right things.

"It's not just about demanding [more] budget," Saif says. "It's deciding what level of risk an organization is willing to take. How much is acceptable risk and how much [is the organization] able to spend to mitigate those risks?"
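Saif's two questions, how much risk is acceptable and how much the organization can spend to reduce it, can be answered with a simple register rather than a demand for more budget. The block below is an added example, not code from the article or from Deloitte: it values each risk as an annualized loss expectancy (ALE = single loss expectancy times annual rate of occurrence), gives each candidate control a cost and the fraction of a risk's ALE it removes, picks the set of controls that leaves the least residual loss within the budget, and compares that residual with the stated risk appetite. Overlapping controls on the same risk combine as independent layers so the same loss is not counted twice. Every dollar figure, risk, control and reduction factor is constructed for illustration.

```python
"""Budget-constrained risk prioritization (added example, constructed figures)."""
from itertools import combinations

# Constructed risk register: single loss expectancy (dollars) and
# annualized rate of occurrence. ALE = SLE * ARO.
RISKS = {
    "phishing":         {"sle": 40_000,  "aro": 1.5},
    "unpatched_server": {"sle": 120_000, "aro": 0.25},
    "lost_laptop":      {"sle": 25_000,  "aro": 0.8},
    "web_app_vuln":     {"sle": 200_000, "aro": 0.1},
}

# Constructed candidate controls: annual cost and the fraction of each
# risk's ALE they remove. Illustrative figures, not vendor data.
MITIGATIONS = {
    "awareness_training":  {"cost": 8_000,  "reduces": {"phishing": 0.4}},
    "phishing_simulation": {"cost": 5_000,  "reduces": {"phishing": 0.3}},
    "patch_automation":    {"cost": 12_000, "reduces": {"unpatched_server": 0.7, "web_app_vuln": 0.2}},
    "disk_encryption":     {"cost": 6_000,  "reduces": {"lost_laptop": 0.9}},
    "vuln_scanner":        {"cost": 15_000, "reduces": {"unpatched_server": 0.5, "web_app_vuln": 0.4}},
    "waf":                 {"cost": 20_000, "reduces": {"web_app_vuln": 0.6}},
}


def ale(risk):
    return risk["sle"] * risk["aro"]


def residual_ale(risks, mitigations, chosen):
    """Residual annualized loss with the chosen controls applied.
    Controls overlapping on one risk combine as independent layers:
    residual = ALE * prod(1 - r), so a risk is never double-counted."""
    total = 0.0
    for name, risk in risks.items():
        remaining = 1.0
        for m in chosen:
            remaining *= 1.0 - mitigations[m]["reduces"].get(name, 0.0)
        total += ale(risk) * remaining
    return total


def plan(risks, mitigations, budget):
    """Exact search over subsets (fine for a register of a dozen controls):
    the subset with the lowest residual ALE whose total cost fits the budget."""
    names = list(mitigations)
    best = (residual_ale(risks, mitigations, ()), (), 0)  # spend nothing baseline
    for k in range(1, len(names) + 1):
        for subset in combinations(names, k):
            cost = sum(mitigations[m]["cost"] for m in subset)
            if cost > budget:
                continue
            r = residual_ale(risks, mitigations, subset)
            if r < best[0] - 1e-9:
                best = (r, subset, cost)
    return {"chosen": best[1], "spend": best[2], "residual_ale": best[0]}


def report(risks, mitigations, budget, risk_appetite):
    """Plan plus the before/after figures and the appetite check."""
    p = plan(risks, mitigations, budget)
    p["ale_before"] = sum(ale(r) for r in risks.values())
    p["within_appetite"] = p["residual_ale"] <= risk_appetite
    return p


if __name__ == "__main__":
    r = report(RISKS, MITIGATIONS, budget=30_000, risk_appetite=60_000)
    print(f"controls: {', '.join(r['chosen'])} (spend ${r['spend']:,})")
    print(f"ALE before ${r['ale_before']:,.0f}, residual ${r['residual_ale']:,.0f}")
    print("within risk appetite" if r["within_appetite"] else "residual exceeds appetite: accept, or fund more")
```

With the constructed figures the best $30,000 plan buys awareness training, patch automation and disk encryption for $26,000, cutting ALE from $130,000 to $63,000; the cheaper phishing simulation is left out because it overlaps training rather than adding a new risk. The residual still exceeds the $60,000 appetite, which is exactly the conversation Saif describes: either the business formally accepts that gap or the budget case is made in dollars of expected loss rather than in features.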

One of the less costly things organizations can do is step up education and training efforts in security.

"I can't stress [enough] how important it is to continually educate staff and users as to the state of data security and what possible intrusion techniques are being used," Fye says. "Forward applicable articles, reminder memos with specifics of what to be aware of, and just continue to communicate the need for diligence by everyone in the organization in keeping systems clear of malware and critical data secured."

Training and awareness can have a significant impact on improving the overall security posture of a company, Saif says. "A lot of the breaches that have occurred are unintentional; people share information they think is okay to share," he says. "Educating people on good practices and how to protect company data is probably not done as much as it could be."

McCain says he continually tries to convince users to employ sound security methods, such as adequate password protection and proper management of desktops, and to avoid risky behavior such as bringing their own programs into the office and installing them on company computers.

Social engineering is a continual threat "and the only way to combat it is a knowledgeable and engaged workforce," Cholewa says. "We spend considerable time and effort creating awareness on the part of employees, letting them know why social engineering is a threat and how it manifests itself."

As part of that awareness effort, managers attempt to social-engineer their own employees and provide them with feedback. "Being told you failed a social engineering test, or that you handled one successfully, helps to reinforce the message," Cholewa says. "If employees are tuned in to the threat, they can successfully identify and manage it."




Comments (2)
RSS comments
1. 06-29-2009 07:25
 
Seems to me, John Cholewa should review a video currently up on this site about Ironkey - http://www.ciozone.com/index.php/Sponsored-Videos.html  
 
I'm certain John Jefferies might have a solid solution in mind for Mr. Cholewa. I think your new video library feature to this site is very useful and it will prove worth many CIOs' investment of time to spend on topics that may interest them.
 
In this case, security is always a concern, and Ironkey seems like a very simple, but effective answer to a few of the problems raised above.
 
John Sane
2. 06-29-2009 07:44
 
John Sane is right, the Video Library is a great resource for our audience. I would also suggest we have other functionalities on the site, resources if you will, for our audience members. So for example, about midway down on the home page of CIOZone is a CA Inc. Widget today. This and other widgets on the site are refreshed with information on a regular basis. To that end, and with respect to this topic, How to Bolster Security on a Limited Budget, you will see a webcast available from CA Inc. concerning Integrated Identity Compliance: Enabling Cost-Effective Role-based Compliance, or if you'd prefer to visit CA Inc. directly: http://www.ca.com/us/webcasts/ondemand/item.aspx?e=196457&eis=1
 
Of course, we have an entire content section of the site dedicated to Security in our Security Technology Zone - http://www.ciozone.com/index.php/Security/ 
 
We want to make sure our audience has access to the vendors who have solutions available to address the very issues raised in Bob Violino's article above.
 
Ron Kost

Copyright © 2007-2010 CIOZones. All Rights Reserved. CIOZone is a property of PSN, Inc.