Last week’s Cost of a Data Breach Study update had one particular statistic that stuck with me and to which I keep being drawn to when discussing it with others. In the UK study, they discovered that where an organisation that suffered a breach had a Chief Information Security Officer (CISO) or someone with the equivalent level of responsibility in place, the cost per record dropped by an average of £18. I think the key word in the previous sentence is “responsibility” for a few reasons.
Firstly, we have the increasing amount of fines and penalties that can be applied to the individuals involved in failing to deliver against expectations. These have gone beyond the original highly regulated industries and out into the broader business context. With the coming updates to EU legislation, it’s likely to get more attention in the boardrooms of Briton, not less.
Secondly, and contrary to popular thinking, stopping data loss and protection of the key information assets an organisation has goes way beyond using scanners to prevent credit card details being emailed out. Primarily, it’s not a technical problem, it’s a people-process-technology challenge.
In the past, I have heard references to people-process-technology being like a three-legged stool of which you can’t remove any without falling off! This can be considered a fair comparison but, for me, the ‘people’ part of this stool is the most critical starting point. People have negotiation skills. People have perspective. People drive change.
When it comes to the role of technology in stopping data loss I view it like an exoskeleton to the people involved. That may sound a little sci-fi but what they need to be able to do is say “this stuff is important, please tell me how it’s being used, where it’s going and who uses it”. Technology enables them to reach into network pipes with gigabits of data pumping through them. Technology enables them to piece together a process involving four employees and an outside contractor. Technology enables them to see the HR director does not like using the VPN from his second home in the Cotswolds.
The reason I view it as an exoskeleton is that the knowledge of what’s important comes from the people involved, as does the appropriate response and the negotiation to get from where they are today, to a more secure future-state.
The relentless growth in information and systems shows we’re not moving towards a state where data loss won’t happen anymore. However, this report shows that if you put someone in charge with responsibility and authority to make change happen when it does occur, the impact to an organisation’s bottom-line is significantly reduced. I’m happy to predict the gap between those that take it seriously and those that stick their head in the sand will only get larger in the coming years.
Experts predict that by 2020 the UK will have over 25 million new apps, 31 billion connected devices and over 50 trillion gigabytes of data. This means that by 2020 the amount of data we use will have grown to over 35 trillion gigabytes, a 44-fold rise on 2009 figures.
Predicting the future of data growth is relatively easy, but proposing ways of making that data secure is the complicated bit.
Data is extremely valuable to businesses and a data breach or a loss can be very costly. In fact recent Symantec research into the cost of a data breach found that the average data or system failure costs UK organisations £1.9 million or £71 per record.
At a time when businesses in the UK remain economically cautious, data and IP protection is critical, not only if a business wants to remain competitive, but also if they want to avoid potentially large fines as a result of not complying with data regulation.
It’s important to note that the vast majority of data breaches are preventable, but securing information clearly continues to challenge organisations at all levels.
Symantec’s recent cost of a data breach study shows how companies with information protection best practices in place can greatly lower their potential data breach costs.
Here are some of the key findings from Symantec’s cost of a data breach study:
- System failures overtook employees as the most common threat to a business’s data. In this year’s study, 37 percent of all data breach cases involved a system failure, up 7 per cent on 2009 and accounts for the biggest rise of any cause of a data breach attribute. It replaced negligence, which at 34 percent dropped 11 points. Lost or stolen devices and third-party mistakes each fell slightly. Malicious or criminal attacks rose 5 points to 29 percent.
- Recognition of the risk of insecure mobile devices connecting to company networks jumps to 64 per cent. The likelihood of insecure mobile devices including smartphones and tablet computers causing a data breach is 84 percent – an increase of 9 percent on 2009. Organisations are recognising this risk with 64 percent stating mobile device encryption was very important or important, an increase of 13 points from 2009.
- Lost business ranked as the biggest contributor to overall data breach costs. Recovering customers, profits and business opportunities after data breaches posed the greatest cost hurdles for companies in 2010. Lost business accounted for 48 percent of the total, an increase of 2 percent from 2009. Other contributing factors were costs sustained in the immediate aftermath of the event, such as resetting accounts and communicating with customers (known as ex-post response) at 23 percent and costs related to detection / escalation at 20 percent.
With access control now covered, it’s time to consider another big issue with regards the adoption of cloud – controlling the information that is sent to the organisation. This can create a particular problem when users are dealing with the challenge of mobile devices as well. If an organisation doesn’t approve personal mobile devices then users who wish to view personal documents will often use cloud-based file sharing services, such as Dropbox, then enabling them to download these documents to their mobile device. This can lead to sensitive data sitting on public cloud services.
With O3 users accessing the Internet via a gateway, it will be possible for Symantec to look at the traffic being sent to and from cloud services, enabling us to develop the next release of O3 and give the ability to protect information being sent to the cloud.
Symantec is planning a new release of O3 at the end of the year which will make it possible to plug this gap. As the traffic passes through O3 we will enable organisations to monitor against their Symantec DLP policies and if this breaks company policy either block the file being uploaded or call PGP encryption. If this call is made then it will seamlessly encrypt the document as it is passed to the cloud service and then decrypt it when it is being downloaded. This will ultimately allow the information to be protected when being stored in the cloud service but for it to be invisible to the user and not affect their experience.
We will then look at an app for the iOS to allow these sensitive files to be downloaded to a secure area of the mobile device where it will remain encrypted and protected. This zone will also be used to facilitate the O3 single sign on and allow access to this from mobile applications.
Finally, visibility into cloud access is an area which many have been keen to see developed. With the introduction of the O3 gateway, we will be able to audit which cloud services users are accessing, as well as, tracking the policy decisions and configuration made by admins. It will then be possible to feed this information into security incident and event management tools to allow organisations to see their cloud logs alongside their policy and access logs for internal information. This will be continuously expanded to address the compliance challenges that many have with accessing cloud based applications.
In conclusion, the cloud is ripe and with O3 it is now possible to take a layered approach. It has been developed to provide an easy to implement and manage cloud gateway that gives organisation the control of access to the cloud – directly addressing the biggest adoption of cloud services.
One of the biggest issues with adopting cloud provision is the lack of control over which users have access to remote cloud solutions. With enterprise directories for example, when an employee leaves or changes roles updating the server-based directory is easily achieved using the enterprise tools available. However, extend that function to the cloud and suddenly the number of user identities to manage increases exponentially often requiring different IDs and passwords for different services. In some cases, worryingly, this can lead to escrow problems with employees leaving an organisation but continuing to have access to sensitive applications and data held and accessed in the cloud.
On the flip-side, users themselves faced with multiple credentials and needing to remember vast numbers of passwords to login to all their cloud services can often find themselves effectively “locked-out”. To overcome the issue employees, unwittingly commit the mortal sin of setting the same password across multiple systems. The result? It’s simple – if someone gains access to their password they are exposed in multiple places.
Symantec again took its lead from the enterprise end user in developing O3 to address this very problem. By providing single sign on from the organisation to the cloud, it allows organisations’ IT provisioning teams to connect to existing directories enabling these to be mapped to policy controlling access to a cloud service. For example, only those in the sales group can access Salesforce and only those in Finance group can access NetSuite. However, they won’t be able to do this from mobile devices.
Similarly employees will be able to login to the O3 gateway with their corporate credentials and then use this to access the cloud services they need, rather than having to set and remember multiple account details to access many systems.
03 will fundamentally not only reduce today’s password burden but also counteract the possible exposures businesses are all too often lending themselves to.
Next week: 03 – The Ultimate Combination.
Cloud computing has presented both the biggest hype and promised the biggest business opportunities organisations have had in a long time; certainly in the past few years. Now that businesses better understand the benefits of this new technology, they are increasingly looking to cloud services for the business agility and efficiency they now know it to offer. You could say, cloud is coming of age and can no longer be ignored.
Likewise the iPad has presented us with the most disruptive piece of hardware technology released in the last ten years. It has driven the explosion of devices adding to the list of business tools that boost employee productivity as well as delivering on the consumerisation promise. The adoption of mobility is also driving the move to cloud services as more and more information compels companies to consider storing, processing and provisioning workloads in the cloud.
But the growth of multiple device types such as smart phones and tablets at work indicate an increased acceptance of this new reality by management. The rapid evolution of all these factors however have left information security officers with challenges over how to control the security, risk and compliance across the new platforms. The traditional security approach of “Just Say No” doesn’t work for this new world where the business wishes to make these steps for valid business and user problems. For this reason we need to find a way to allow information technology and information security to gain more control over this brave new world whilst still allowing for its adoption. Companies at a high level now understand too that a new work order of this kind needs a more encompassing IT support infrastructure.
Taking its lead from the needs of industry, Symantec developed 03 – a new layer of security control for the cloud. It aims to address the issues via a new layer that doesn’t depend upon agents within the device.
Over a series of two View from the Bunker blog’s, I will consider the key objectives of O3 and how by providing and increasing access control, information protection and visibility of traffic to and from the cloud, a layered approach is now required approach.
Check back on March 16th to read my next instalment!
Mobile adoption has reached the tipping point, but businesses accept it’s time for a security reality check
Mobile is redefining the network perimeter. Instead of a barbed-wire ring of defence at the edge of the network, the boundary of an organisation’s infrastructure is now a fluid zone where endpoints come and go. One thing that’s for sure is that the mobile device is now a mainstream business tool but it’s difficult to know with any certainty what websites those devices are accessing when they’re not attached to the corporate network.
Symantec’s State of Mobile survey, which polled over 6,000 C-suite level executives, shows that 59 per cent of enterprises are now making business applications accessible from mobile devices. With figures like these you would assume the corresponding IT department is making sure that each endpoint has the correct protection in place.
However, the reality is at odds with this sentiment. The report sees IT admitting its hands are full managing mobile, with 48 per cent saying it is somewhat to extremely challenging and that an increasing number of staff are involved in mobility IT.
What we do have at our disposal is the benefit of hindsight. Our experiences in the PC world have shown us the importance of building a scaleable security framework that can embrace all future requirements. Mobile should, essentially, be seen as just another asset and part of the overall IT strategy. Responding to each challenge in a piecemeal approach is unsustainable.
At the end of the day, IT organisations need to balance the security of the endpoint device with the security of the actual information. The challenge is finding an enlightened approach to applying policies and their associated layers of security technologies.
What is interesting is that the report uncovers a subtle shift to businesses providing more smart devices in the coming year that are for business purposes only. Perhaps this is the inevitable evolution from BYOD (where the challenges of managing this outweigh the value to the business) to CYOD – choose your own device.
It seems that the lean is to keep our business and personal world separate. The report predicted an expected drop in the number of personally owned devices being bought into businesses over the next 12 months, as well as reining in the use of social networking services on them, so they are more specifically business focused.
In light of this, it’s likely that the biggest challenge for businesses will be keeping pace with the demand to have the latest and greatest new smart toy. When I spoke to a group of CSO’s recently they mentioned the correlation they are seeing between a new version of a device being released and lost and broken devices being reported to the business (i.e. the user is looking for the upgrade).
What is clear is that we cannot ignore these trends otherwise we drive the use underground, in this case – under the desk computing. Such a task may be a lot easier said than done, but the alternative is the inevitable security breach that at best consumes valuable IT time and at worst results in major financial loss.
Top Enterprise tips:
o Enable broadly: Mobility offers tremendous opportunities for organisations of all sizes. Explore how you can take advantage of mobility and develop a phased approach to build an ecosystem that supports your plan. To get the most from mobile advances, plan for line-of-business mobile applications that have mainstream use. Employees will use mobile devices for business one way or another – make it on your terms.
o Think strategically: Build a realistic assessment of the ultimate scale of your mobile business plan and its impact on your infrastructure. Think beyond email. Explore all of the mobile opportunities that can be introduced and understand the risks and threats that need to be mitigated. As you plan, take a cross-functional approach to securing sensitive data no matter where it might end up.
o Manage efficiently: Mobile devices are legitimate endpoints that require the same attention given to traditional PCs. Many of the processes, policies, education and technologies that are leveraged for desktops and laptops are also applicable to mobile platforms. So the management of mobile devices should be integrated into the overall IT management framework and administered in the same way – ideally using compatible solutions and unified policies. This creates operational efficiencies and lowers the total cost of ownership.
o Enforce appropriately: As more employees connect their personal devices to the corporate network, organizations need to modify their acceptable usage policies to accommodate both corporate-owned and personally-owned devices. Management and security levers will need to differ based on ownership of the device and the associated controls that the organization requires. Employees will continue to add devices to the corporate network to make their jobs more efficient and enjoyable so organizations must plan for this legally, operationally and culturally.
o Secure comprehensively: Look beyond basic password, wipe and application blocking policies. Focus on the information and where it is viewed, transmitted and stored. Integrating with existing data loss prevention, encryption and authentication policies will ensure consistent corporate and regulatory compliance.
On 12 January the internet made history. The Internet Corporation for Assigned Names and Numbers (ICAAN) – which controls how urls are managed – launched new generic Top Level Domain (gTLD) names.
This represents an explosion in the size of the internet. We will no longer be limited to the likes of .com, .net and .org – soon all types of words and languages will be able to form the end part of domain names. This could be anything from a corporate brand name such as .symantec, to an interest such as .football. The opportunities are endless and this is, undoubtedly, an exciting time for the internet.
However, as the internet grows, so do the potential security threats that need to be addressed. The explosion of domain names could open the door to ‘cybersquatters’ who have managed to register a company’s brand name against a gTLD. This could lead to an increased chance of phishing attacks from what may appear to be bona fide websites, putting both businesses and consumers at risk. Fraudsters may also seize this as an opportunity to avoid law enforcement agencies, by hopping from registry to registry as scam websites are shut down.
To avoid increased online incidents in relation to their brands, organisations may have to resort to strategically registering their brand with multiple gTLDs to try to cover all possible scenarios.
While choice is always good, the huge growth in internet websites could result in security challenges for both businesses and consumers, and reinforces the need to be aware of the risks and of safe online practices.
Companies have for some time understood they need to safeguard their IT systems from infiltration and viruses. But in today’s sophisticated cyber environment, the protection of data and data integrity needs not only to match the skill and cunning of the cybercriminal; it also has to be in accordance with strict security rules and regulations. Organisations need look no further than the few months leading up to the end of 2011 to see that cyber threats are becoming more frequent and more complex. The Duqu worm discovered in September 2011 is just one high profile danger facing organisations.
In this sense it is true to say that Governments and enterprise businesses face unprecedented challenges in ensuring the confidentiality of data as it is processed and exchanged across data centres. The use of cryptography in the form of encryption offers the most convenient way to protect sensitive data in transit over high-speed backhaul and backbone connections and that is why we went to the trouble of attaining Common Criteria certification EAL +3 for our automated policy management solution, Control Compliance Suite.
Provision of this worldwide standard verifies that the software has completed a rigorous independent testing process of specification, implementation and evaluation, and conforms to standards sanctioned by the International Standards Organisation.
But why should this matter?
Perhaps a good person to weigh in on this is Jane Doorly, Vice President European Research, IDC who commented on the importance of compliance today: “In recent years, there has been a higher level of adoption and spending in technologies and services that enable companies to meet their compliance objectives. As a result of this trend, we have seen the importance and relevance of independent testing and Common Criteria certification increase, making it a vital element of an organisation’s purchasing process.”
To our mind, being awarded a security accolade of this kind is not just a testament to the hard work and commitment that goes into making products good, it’s about meeting today’s security needs for the customer and industry. In an uncertain world where assets are being stolen for profit, intellectual property infiltrated just to prove it can be done and data integrity tampered with, it is crucial that customers have a high level of confidence and trust in their security solutions. What stronger confirmation is there that a product is up to the job than having an international standard stamp of approval?
According to the World Economic Forum’s Global Risks 2012 report released earlier this month, cyber crime is a real risk to global stability – something that Symantec has recognised since its inception. It is vital that businesses – especially smaller ones – take action now to protect themselves.
We are becoming increasingly reliant on technology, and the WEF has highlighted that the proliferation of devices exposes us to a greater risk of cyber attacks. Any connected device, whether that is your smartphone, tablet or PC, is open to attack.
These increased threats can cause untold harm not only to individuals, but also governments, global businesses and the critical infrastructures they operate. While these organisations have the time and resources to protect themselves, it is often small businesses driving growth – playing a valuable role in the UK economy.
Whilst many small businesses do not believe themselves to be a target of cybercrime because of their size, there is clear evidence that they are in fact increasingly the focus for direct targeted attacks. Small businesses may not have the dedicated teams of larger organisations and may therefore need to seek help in understanding and mitigating today’s threats.
As the report itself warns: “As power shifts from the physical to the virtual world, a new paradigm for ensuring a healthy digital space must emerge.”
That is why, at Symantec, we are actively involved with helping governments and businesses of all sizes to combat cyber security threats. But security vendors cannot act alone; we must all work together to protect ourselves.
You can read the full WEF report here: http://reports.weforum.org/global-risks-2012/#=
The proliferation of security issues over the last decade is mind-boggling. Phishing, malware, malicious web sites and, more recently, targeted attacks such as Stuxnet and Duqu are keeping security specialists on their toes. Back in 2005, Symantec would identify and block approximately one such attack in a week. Now we block 20 threats per second on average.
Add to this other challenges such as new technology adoption such as cloud solutions, consolidation among businesses and budget cuts and it no wonder that those in our profession are often spreading themselves thin. As more people want to bring consumer mobile devices into the enterprise, who and how do you deal with accountability for security? And as businesses merge, how do security teams bring disparate security strategies together?
Well perhaps we can’t do it all; at least, not like we used to. In 2012 we have to go back to basics and work out a new way to deal with all of these issues. The world is changing so fast and the cracks are already beginning to show.
This means taking a step back from all the spinning plates that we have been served and working out where we can simplify and be more efficient both in terms of time and cost, while working out what the business really needs and then matching those demands.
Back to basics is all about taking a step back, assessing the business landscape, technology enablers and reviewing our security strategy. It’s all too easy to get caught up reacting to the current challenges that we end up with an ugly security elephant. By stepping back and consolidating the strategy, process and tools, it is possible to gain more consistent visibility of what’s going on so we, ultimately, get the right balance for a business.
I am sure that by the end of 2012 there will be 101 more issues to be dealing with, so let’s try to get our houses in order now to ensure the next 12 months become less not more daunting.