According to Cryptzone, an IT security firm based in Sweden, 2012 will be an especially challenging year for corporate IT security professionals. Among the trends they can expect to see are more employees demanding to use their own devices at work, and more sophisticated targeting among hackers who will opt away from indiscriminate strikes.
Here are Cryptzone's eight predictions of the top IT security trends to watch for in 2012:
- Targeted attacks. In 2011, we saw a number of examples of targeted attacks, such as Anonymous targeting Sony and the terrorist attack on AT&T. This trend will continue to rise: rather than hackers attacking randomly, they will have specific targets, whether linked to political issues or personal vendettas. More companies will therefore be targets of these pre-planned attacks, with the purpose of stealing intellectual property. Attacks against well-known brands will become more common, as unsuspecting recipients receive malicious emails containing hostile code. Companies therefore need to start thinking about zero-day threats and how to secure their data.
- Bring your own device (BYOD). Organizations will continue to adapt their enterprise mobility strategies. With more users bringing their own devices to work and expecting to use them to gain productivity and efficiency in the workplace, IT departments will have to manage device diversity. One security policy for everyone using mobile devices is not a suitable approach when users form such a heterogeneous group. With smaller budgets to issue corporate-approved devices, organizations not only have to take into consideration the protection of their own data, but also make sure users understand what will happen to their personal data should the device be stolen. In many cases the employers will expect to be notified of the loss immediately and may opt to delete all data without exception. Therefore every user who requests access to corporate resources through a mobile device should sign a corporate policy before access is granted. This will avoid some nasty surprises and employee grievances.
- Greater security for production systems. Production systems have traditionally been considered to be at relatively low risk of IT security incidents. However, with more and more of these systems running on a Windows platform, they are becoming just as vulnerable as other hardware. Following attacks against such devices as Windows-operated robots and X-ray machines, organizations will start to look for security solutions that are not reliant on an Internet connection for security updates.
- Intranets on the iPad. During 2012 and 2013, more and more organizations will offer end users the opportunity to interact with intranet sites or collaboration tools, such as SharePoint, on their private or corporate iPads. This will provide productivity gains for organizations and faster response times, as users respond to corporate documents on a more convenient device both at the office and while traveling. Organizations will have to consider the security implications this poses.
- Incident response management. Evolving IT security threats are a given for 2012. Most CIOs recognize that data breaches are an inevitable risk. Organizations cannot hope to protect against all threats, so how organizations respond to an incident will become increasingly important. Establishing and communicating incident handling policies and procedures that can be quickly adapted as the threat landscape changes will be crucial to damage limitation. Creating a culture where staff are not afraid to raise security concerns or report security incidents promptly should figure prominently on the compliance agenda.
- Context awareness for access rights. Managing access rights is becoming more of an issue as perimeters become more porous. Many companies think role-based access is the answer, but this is too often just another name for Active Directory groups, which are already quite complex to manage. Often groups and roles overlap, are duplicated, need sub-dividing or simply remain unused. Greater context awareness will be the answer during 2012, whereby rules are used to derive access rights in real time, based on the context of the user, document and/or request. The power of this approach can be seen by considering what happens if you set just five go/no-go rules: this gives as many as 32 different outcomes.
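As an added illustration of the point above (example code, not Cryptzone's product or anything from the original article), the following evaluates five constructed go/no-go rules against the context of a request and derives the access right at request time, rather than from a static group membership; the rule names, context fields and decision policy are all assumptions made for the example.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Context:
    """Context of one access request (fields are assumptions for the example)."""
    user_role: str
    device_managed: bool     # corporate-enrolled device vs BYOD
    on_corp_network: bool
    mfa_verified: bool
    doc_classification: str  # "public", "internal" or "confidential"
    hour_utc: int


# Five go/no-go rules (constructed for this example); each maps a
# Context to True (go) or False (no-go).
RULES = {
    "role_allowed": lambda c: c.user_role in {"engineer", "finance"},
    "device_managed": lambda c: c.device_managed,
    "network_trusted": lambda c: c.on_corp_network,
    "mfa_verified": lambda c: c.mfa_verified,
    "business_hours": lambda c: 7 <= c.hour_utc < 20,
}


def evaluate_rules(ctx):
    """Evaluate every rule for the request and return each outcome."""
    return {name: bool(rule(ctx)) for name, rule in RULES.items()}


def decide(ctx):
    """Derive the access right at request time from the rule outcomes,
    scaled to the document's classification instead of a static group."""
    r = evaluate_rules(ctx)
    if not r["role_allowed"]:
        return "deny"
    if ctx.doc_classification == "public":
        return "read"
    if ctx.doc_classification == "internal":
        return "read" if r["mfa_verified"] else "deny"
    # confidential: every remaining contextual check must be "go"
    if r["device_managed"] and r["network_trusted"] and r["mfa_verified"]:
        return "edit" if r["business_hours"] else "read"
    return "deny"


def outcome_space(n_rules=len(RULES)):
    """Distinct go/no-go combinations: 2**n, i.e. 32 for five rules."""
    return sum(1 for _ in product([False, True], repeat=n_rules))
```

The same engineer gets "edit" on a confidential document from a managed device in the office during working hours, only "read" at night, and "deny" from an unmanaged device off the corporate network, without any change to group membership.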
- Content security vs. hardware security. During 2012, hardware security will remain a priority. However, organizations increasingly will look into approaches where the security focus is on the actual content rather than the storage device. The same data is often replicated many times throughout an organization, and even beyond the organization's boundary to third parties. That can make it difficult for the end user to understand where data may be stored most securely. Instead of looking at storage security, CIOs will identify content at risk and secure the content itself, so that when it is replicated the security travels with the content to all of its ultimate destinations.
- Shortened product development lifecycles. Companies will increasingly expect vendors to adapt software even more quickly in response to evolving working practices and emerging IT security threats. Those vendors best able to demonstrate the technical and business agility to "tweak" their offerings for immediate threat protection will gain a clear competitive advantage. More software adaptations will focus on usability for less technical users. In order to thwart cybersecurity threats, everyone within an organization needs to be more vigilant and equipped to take sensible precautions to better secure corporate information. Technology has to be kept as simple as possible for users to adopt as second nature, without significantly impacting their productivity.