Connections +
Feature

Security Checklist

While no crystal ball can forecast what the next big security risk will be, below are 10 predominant IT security issues/concerns challenging businesses today.


May 1, 2011  



Last year was eventful with its fair share of noticeable security events. The year opened with Operation Aurora, a cyber attack that targeted a few dozen Fortune 500 companies, costing them several millions of U.S. dollars; followed by Wikileaks, one of the biggest data breaches ever seen, that exposed thousands of secret U.S. government documents; and was punctuated with no less than Stuxnet, one of the most sophisticated cyber-attacks ever engineered that was capable of bringing down several nuclear sites in Iran.

More than any other year perhaps, 2010 demonstrated the importance of IT security to businesses. Besides the notorious cyber attacks and security breaches that made it to the headlines, several thousands of attacks are taking place on the Web every day — 69 attacks every second to be precise. And still, this is only the tip of the iceberg, as most attacks, in fact, go unnoticed or unreported.

With this in mind, we are often asked what kind of computing threat is likely to hit the global market in 2011, and how to anticipate them. 

While no crystal ball can forecast what the next big security risk will be, here are 10 predominant IT security issues/concerns challenging businesses today.

Virtualization — the rush continues: Virtualization has been around for quite some time now, and has imposed itself as a mainstream technology within organizations, serving numerous purposes besides consolidation and cost-cutting. Not surprisingly, the rush towards virtualization continues in 2011.

According to a Morgan Stanley study, CIOs will continue to massively virtualize their production servers in 2011, up to 55%, compared to 42% in 2010.

Yet, as popular as it is, the virtualization trend still brings forth numerous security issues. The lack of specific, virtual network skills in security teams and the high cost of new information security solutions are two of the main obstacles outlined by decision makers. In addition, the regulatory compliance issues, the lack of security best practices for server virtualization and the fact that one cannot import the existing security tools from physical to virtual world, are seen as additional challenges holding back the move to virtualized environments.

Cloud Computing: A large percentage of enterprises and SMBs are anticipating the need to build an internal or private IT operated cloud in 2011. Simultaneously, the spectrum of cloud services is also expanding considerably, as more and more applications will be offered in the cloud throughout the coming years.

Yet, cloud computing, like virtualization, represents a very big challenge for security, and enterprises should be warned of the risk of plunging too quickly into the trend. According to Morgan Stanley’s 2010 CIO Cloud survey, data security and the loss of control appear as enterprises’ greatest concerns when it comes to cloud computing — followed by data portability and ownership, regulatory compliance, and the question of reliability.

After all, security is about control, and enterprises should be careful about giving up control of business-critical applications. Companies using in-the-cloud services don’t always know who they are sharing their environment with and that can create a lot of vulnerabilities.

IT Consumerization & Mobility: Many technologies that started in the consumer market have found their way into business environments. Consumer hardware, such as smart phones and consumer services, such as online instant messaging, social networking and IP telephony have now found new functionality in the work place. This trend is also called “IT consumerization.”

Integrating all of these private devices, applications and technologies into the enterprise brings distinct security challenges. In particular, enterprises must ensure that all corporate data and resources transiting on these mobile devices or services are protected, while guaranteeing their employees access to the network anytime, anywhere.

Mobile computing is already part of the daily work life in most companies. Indeed, the enterprise mobile device population has grown exponentially these past few years to pass the 100% mobile market penetration bar in numerous markets. Simultaneously, CIOs on the other side are struggling to keep up with all the devices their employees bring onto the corporate network. Yet as 2011 may very well see a surge in the number of incidents related to mobile devices, it is vital that enterprises urgently start securing their mobile workforce.

Threat Sophistication: Each passing year, Internet threats are reaching new levels of sophistication. From simple viruses and worms, attacks have become increasingly polymorphic, blended and complex, using multiple hacking techniques in a single attack. In addition, many Internet attacks spread by using automatic “robots” that scan the Web for possible vulnerabilities, making everyone a target for such exploits.

As a result, attacks are becoming harder for the average business to detect. For example, Zeus, a Trojan horse that steals banking information through key logging, was one of the hardest forms of financial malware to detect this year (identified only 23% of the time), and was rated the number one financial Trojan, accounting for 44% of all financial malware infections today. In a different genre, the Stuxnet virus that was used against Iran’s power plants is considered one of the most sophisticated computer threats ever created, exploiting four different vulnerabilities at a time.

Internet attacks today not only impact individuals, but are increasingly targeting organizations. They are essentially driven by globally dispersed cyber-criminals, organized in networks and motivated by rapid, difficult-to-track financial profit and intellectual property theft. In 2010, cyber crime cost businesses over two billion dollars in financial loss. We can only expect this figure to increase in 2011, prompting enterprises to opt for proactive and solid network protection, such as Intrusion Prevention (IPS).

IT Consolidation & Security Complexity: Managing the complexity of security is a growing concern, frequently raised by organizations of all sizes. According to the Information Week 2010 Survey of security decision makers, it is by far the biggest information and network security challenge companies currently face.

This is understandable. Security environments today have become more complex than ever, as businesses constantly struggle to raise their level of security and cope with the latest security threats.

As they add more layers to their security infrastructure and deploy a variety of point products for specific protections, organizations often end up managing 15 different systems, vendors and platforms.

Not only does this become very difficult to manage, it is also not very efficient and can be very expensive, financially and operationally. Administrators need to manage a multitude of network security technologies and point products, such as: IPS, Firewall, VPN, Anti-virus, Anti-Spam, Network Access Control (NAC), Data Loss Prevention (DLP) and URL Filtering, to name a few. Not only do organizations need to deploy these various technologies on the network level, but are also faced with managing these protections on a growing number of endpoints, such as smart phones, laptops, and other portable devices used for business. 

As if this wasn’t enough, network traffic itself has become incredibly complex. More and more applications are driven over the network, some for personal use, and some for business use.

In addition, applications today are delivered by external vendors, as cloud-based applications, and internally.

Data Security & Data Loss: From customers’ databases, credit card information, business plans and financial records to corporate e-mails, the amount of electronic data is clearly proliferating within enterprises. Safeguarding these multi-gigabits of sensitive data is an absolute must for businesses, if they don’t want their innermost corporate secrets to be leaked and exposed to the outside world.

The major sources of data loss across organizations and enterprises include: USBs and laptops, corporate e-mail, public webmail, Wi-Fi networks, CDs and DVDs.

In fact, approximately one of five e-mails that leave the corporate network contains content that poses a legal, financial or compliance risk.

Luckily, there are security measures, such as media/hardware encryption or a preventative data loss solution, that can help organizations alleviate that risk. The Wikileaks case should serve as a reminder to all companies about the need for a layered and holistic approach to data security so that sort of lightning doesn’t strike.

Web 2.0 & Social Media: Web 2.0 has become an integral business tool today and has found brand new legitimacy within the workplace.

An average user spends about one quarter of his working day surfing on the Web, sharing content, downloading files, chatting, blogging or watching online videos.

Facebook, which is leading the social networks race, has become the third largest populated application platform in the world and monopolizes about 7% of all business network traffic every day.

Businesses should prepare to face the increased risks associated with enhanced social networks and Web 2.0 application usage. In 2011 it will be vital for enterprises to start reinforcing their and their employees’ security policies. This level of application control enables organizations to enforce better, more effective security, without inhibiting employees.

Because traditional tools like IP-based firewall policies and URL filtering have reached their limits in the Web 2.0 environment, organizations need new security controls that can differentiate between the thousands of applications running on the Internet.

Governance, Risk & Compliance: Enterprises’ bottleneck: Organizations today not only struggle to keep up with all the various vertical regulations, but also with a variety of other laws and directives.

Such regulations are meant to protect customers, employees, partners or investors from fraud and identity theft. Yet for organizations, they end up being a big burden for IT staff and security budgets.

For instance, organizations that reside in countries with data breach disclosure laws tend to have higher data security spending than those in countries that don’t have such laws.

As companies start massively virtualizing their data centres and IT environments, the level of security complexity will continue to rise.

Cost Reduction:

Despite the economic recovery in progress, businesses are still under pressure to drive down infrastructure and operational costs. IT budgets remain tight, and CIOs are looking for the biggest cuts in their budget line items: current operating costs.

For IT administrators this translates into a simple adage: do more, with less.

Given the increased financial pressure on enterprises, the spotlight will certainly remain on cost-saving technologies, such as virtualization and cloud computing.

Green IT: Last but not least, Green IT remains one of the top 10 trends that will be emphasized this year. With soaring energy prices and increased consumer awareness of the danger to the environment, organizations will have to get serious about the migration to green tech. Yet, this green IT trend is also conveniently used by savvy IT leaders to marry ecological aspirations with financial reality.

CNS

Paul Comessotti is Canadian Regional Director and Kellman Meghu is Canadian Security Manager, Check Point Software Technology Inc.