The holidays are here, which means that soon the holidays will be over. At that point, IT and security staffs will be facing a wave of mobile devices given to employees and making their way into the workplace.
This EducationSecurityPortal.com story relates results of a survey by SafeBoot, which recently was acquired by McAfee. Of 1,000 IT managers queried, 46 percent are concerned about post-holiday security threats. Fifty-six percent ban non-authorized devices, but half of these believe the rules are ignored. The company offers four suggestions for staying safe: establish and communicate clear guidelines; use access control and encryption; use "transparent" measures that don't rely on employees to do anything; and employ user-based persistent file and folder encryption to protect servers.
Though the hook of the story is holiday gifts seeping into the enterprise, the underlying theme is danger posed by insiders. Both an RSA Security survey and the 2007 SANS Top 20, according to InformationWeek, conclude that insiders pose the greatest threat. In a majority of cases, the piece says, insiders -- which can be contractors, suppliers, consultants, visitors and others, in addition to employees -- are well-meaning and simply want to do their jobs.
Whether well-intentioned or not, these people exhibit many dangerous behaviors. Fifty-two percent use public computers and 56 percent use wireless hotspots for work-email. Eight percent have lost a portable device containing corporate information, while 63 percent send corporate data on personal e-mail accounts. A striking figure buried toward the end of the piece is that 35 percent of respondents believe they need to evade security policies in order to do their jobs.
Encrypting data is one way to blunt the threat from these behaviors, of course. And the Institute of Electrical and Electronics Engineers (IEEE) last week approved two new standards that might help. IEEE 1619.1 deals with enterprise-level tape drives. IEEE 1619 -- the Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices -- addresses disk drives, according to this LinuxElectrons piece. The new standard, the commentary in the piece says, is designed to help companies comply with Sarbanes-Oxley and other regulatory requirements.
An expansive new security approach, data-leak prevention (DLP), is aimed at plugging all the holes in an organization. The key in DLP is to anticipate points at which data can exit an organization. This is significantly different, and seemingly more sensible, than trying to secure every device attached to the network.
The bottom line is that data increasingly flows into and out of a company. A survey conducted on behalf of DLP provider Reconnex by Enterprise Strategy Group found that 28 percent of companies share a substantial amount of data with partners and 32 percent share a moderate amount. Forty-two percent found that intellectual property is spread through multiple departments. The story in itbusiness.ca points out that this means that there is no single standard of policies and processes.
The story provides many more statistics. The bottom line is that companies try to protect information in this fluid environment, but the efforts are inconsistent and business exigencies often supersede security requirements.
Last week, Fidelis Security Systems introduced its Extrusion Prevention System (EPS), which adds Internet protocol version 6 (IPv6) support. The explosion of Internet end points led to the development of the protocol, which dramatically increases the number of addresses available. The eWeek story reporting the introduction suggests that interest in Fidelis' new product may be far higher among federal agencies -- which face a June 2008 mandate for IPv6 support -- than enterprises.
Of course, not too much can be done at this point about the influx of devices given to employees over the holidays. But it's never too late to think of new approaches and technologies that will keep data safe in the emerging -- and far more dynamic -- environment.