Threat analysis, data harvesting, mobility and the commoditisation of IT security products have been cited by analyst firm IDC as the biggest threats to Australian security in 2012.
Speaking at the recent NetIQ Rethinking Security conference in Sydney, IDC Asia-Pacific associate vice president Simon Piff told delegates that, according to a recent IDC APAC research report entitled ICT Top 10 Security Predictions, mobility and BYOD had increased the complexity of security this year.
In-depth: Information security 2011 Research Report.
The enterprise adoption of consumer devices such as the iPad by C-level executives was making things harder for IT managers, according to Piff.
This was because CEOs wanted tablets so they could read their emails. In some cases, IT managers were asked to make their CEOs exempt from the organisation’s security rules so they could access their email anywhere.
“Embedded in the `I want an iPad with email’ discussion is the unspoken but implicitly expected security,” he said.
“You cannot be secure and connected at the same time- it doesn’t happen.”
Piff added that the minute executives were allowed to have smartphones and tablets on the network, the IT manager needed to accept that there would be a level of insecurity in the organisation.
Commoditisation of IT security features
According to IDC APAC predictions, the commoditisation of security features such as firewalls was leading people to assume that if it was being delivered by the IT department then this made it secure.
“These days people think they have a firewall because they’ve got some [security] software on their laptop,” he said.
“Some people no longer think about security because they make assumptions that they are protected.”
However, according to Piff, there were really only two types of organisations in the world — the company that already knows it has been hacked and the other type which does not know it has been hacked.
Piff’s advice to IT managers is they should move into a position of understanding the natural state of their IT environment so they could see when things started to appear abnormal on the network.
The need to secure the human
According to Piff, the human factor was essential when creating IT security policies.
For example, he suggested that people don’t use cloud-based storage offerings such as Dropbox to store corporate data.
“Dropbox might be secure but which country is it located and under which legislation?”
“If I want to be a cybercriminal, the easiest thing I could do is create storage in the cloud solution that is marked as secure and you’re going to give me all the data anyway.”
Piff added that the motivation of cybercriminals had changed from simply hacking sites to making money out of business critical data.
“Criminals used to rob banks by breaking and entering but now they don’t have to,” he said.
“The likelihood of getting caught online is lower because of the use of Web proxies and the payoff is much greater than physically robbing a bank.”
According to the IDC predictions, data harvesting was still more likely to come from malicious employees.
For example, organisations needed to watch out for rogue employees who had just been fired and — while they still had access to a PC — may be downloading information on to a USB stick and then running off to a rival company to try and get a new job.
Data loss was also occurring due to “sheer stupidity” by employees. For example, Piff cited the case of a former MI5 boss Stella Rimington who lost a laptop containing sensitive information on MI5 employees.
Follow Hamish Barwick on Twitter: @HamishBarwick