clearswift's posterous (http://blog.clearswift.com)

Fri, 30 Mar 2012 06:46:46 -0700 Not waving but drowning http://blog.clearswift.com/117142451

Last week, experts told the US Senate it was time to assume that American military networks have been breached and that ramping up traditional fortress features like firewalls, AV and gateway devices was effectively a waste of time. Dr. Kaigham Gabriel, head of the Defense Advanced Research Projects Agency, compared current information and network protection efforts to treading water in the open ocean: all that blocking and locking did was slightly delay the inevitable.

This reality check dovetailed rather nicely with the release of Verizon’s annual Data Breach Report for 2012, which found that hacking was linked to almost all of the 855 incidents and 174 million compromised records the company investigated in 2011. Malware featured in 95 per cent of all stolen data incidents.

Hacking and malware have been exchanging places in the top three causes of data breach for years now. While there are plenty of tools out there doing a fine job of removing known threats using established methodologies, it’s becoming abundantly clear that this, on its own, is not enough to protect valuable information assets from falling into the wrong hands.

The reality is that focusing on inbound threats is outdated. As Dr. James Peery, head of Information Systems Analysis Centre at the Sandia National Laboratories in the US puts it, “We’ve got the wrong mental model here.” It’s time to focus on the content, not the threat; controlling access is all well and good, but protecting information is paramount.

If there’s one thing that the Data Breach Report underlines, it’s the reality that data theft and leakage come in a variety of flavours and vectors. Traditional, threat-focused methods are the equivalent of shooting in the dark. In today’s environment, it makes far more sense to protect your content and monitor it in the context of how you need to do business.

Knowing where and how your information is used and understanding the context within which users communicate empowers you to extract maximum value without putting information at risk.

Letting AV and threat-detection policies define your information protection stance is not only outdated, as 2011’s data leakage statistics suggest, it cannot protect your data. It’s time to stop treading water and start swimming.

Nick Peart

Mon, 27 Feb 2012 01:45:30 -0800 A New Angle on Content Control http://blog.clearswift.com/a-new-angle-on-content-control

American companies with 1000+ employees each hold more data than the U.S. Library of Congress; approximately 293 billion emails are exchanged globally every day while Facebook users share 30 billion pieces of content every month.

No one said information management and protection was easy. It’s human nature to want to break things down into more manageable pieces, but reducing data control and protection to an inbound threat issue is a classic case of shooting alligators when what you’re really there to do is drain the swamp.

Managing information in today’s business environment has become increasingly complex: data leakage is a critical issue for CIOs. Companies are hitting the headlines for all the wrong reasons, and human error is one of the biggest culprits. With many organisations focusing on in-bound threats, there’s a genuine risk that vulnerability inside company walls will be overlooked. As Deloitte’s 2011 Global Security Survey has pointed out, “external attacks get most of the headlines, but internal security risks are just as onerous.”

It’s time for a new angle on content control.

Communications tools like email and social media have become an almost reflexive thing for end users – combined with easy access to sensitive information, it’s a heady mix that can spell trouble for those charged with preserving the integrity and security of data. Stopping and blocking might seem like the easiest route to take, but this doesn’t reflect the realities of the way we communicate and do business today. To really protect organisational IP and other high-value information assets, monitoring the data leaving the network is just as important as watching what’s coming in.

There’s no patch for irresponsible or careless behaviour, but you can control the consequences. Technology that recognises the difference between an innocent Tweet and potentially damaging data sharing can be automated to prevent users from engaging in risky behaviours without cramping their style as ambassadors for the company brand online. Similarly, context-aware content controls can help guard against accidental data leakage via email – either through automating the decision to encrypt any data that meets specific organisational requirements or inserting an extra “Are you sure you want to send that?” step into the email process when certain kinds of information are being shared.

As companies increasingly understand that inside risk is as serious a concern as outside threats, context-aware content management plays a key role in ensuring that threat doesn’t impede your capacity to communicate and get on with business. Tackling the obvious risks – i.e. shooting alligators – without addressing the broader issues of information explosion and human error (the swamp) is setting yourself up for failure. Sooner or later, you’re going to run out of bullets. And the swamp will still be there.

Alyn Hockey

Fri, 17 Feb 2012 07:46:29 -0800 The information management payoff http://blog.clearswift.com/the-information-management-payoff

If Metcalfe’s Law shows that the value of any communications network increases in direct proportion to the number of connected users, Murphy’s Law suggests it’s only a matter of time before one of those connected users does something to compromise the integrity of the information being exchanged.

One significant lesson to be learned from any data breach incident is the high cost of human error. In too many cases, failure to comply with information privacy legislation or the leaking of sensitive data boils down to whether an organisation has a firm grip on exactly who is handling its data – and why.

Incredible as it may seem, many organisations seem to have tighter control over the processes for re-stocking their global stationery cupboards than they do for how, when, why and by whom sensitive information should be used and shared. Small wonder, then, that CompTIA’s IT Security in the Workforce study found that one in five organisations say they ‘definitely’ experienced sensitive data loss in 2011, with 32 per cent saying it was ‘likely’ that they had done so.

Nailing down all your company’s information seems like an onerous task. But there are simple steps any organisation can take to reduce the risk of human error without shutting down communications. In the case of misdirected email – a leading cause of data leakage – organisations can use deep content inspection and true file type analysis to establish the sensitivity or integrity of any information before allowing it to be exchanged. Based on company-defined policies and settings, certain types of information can be encrypted automatically, without requiring any intervention by the user.

Organisations can take the extreme approach of configuring email gateways to quarantine all outbound email, forcing users to think twice before and after they’ve hit the send button. Or they can inject flexible controls into the equation and only quarantine mails that match specific criteria, such as those with attachments, messages containing credit card numbers or going to certain addresses. By diverting potentially sensitive content to a personal message manager portal, senders can review messages, releasing them only when they’re absolutely certain it’s appropriate.
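The outbound controls described above (true file type analysis, automatic encryption of mail that matches policy, and selective quarantine by attachment, card number or recipient), together with the “Are you sure you want to send that?” step from the earlier post, as one worked example. This is added illustration code, not Clearswift’s product logic; the magic-number table, the `example.com` internal domain, the watch list, the rule ordering and the sample messages are all constructed for the demo.

```python
import re
from dataclasses import dataclass, field

# Constructed magic-number table: the true file type comes from the leading
# bytes of the content, never from the name the sender gave the file.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",        # also the container for docx/xlsx
    b"\xd0\xcf\x11\xe0": "ole",  # legacy .doc/.xls
    b"MZ": "exe",                # Windows executable
}
EXT_TO_TYPE = {"pdf": "pdf", "zip": "zip", "docx": "zip", "xlsx": "zip",
               "doc": "ole", "xls": "ole", "exe": "exe"}
# Actions, least to most restrictive; the most severe matching rule wins.
SEVERITY = {"allow": 0, "confirm": 1, "encrypt": 2, "quarantine": 3}
# 13 to 16 digits, optionally separated by spaces or dashes, not embedded
# in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")


def true_file_type(data: bytes) -> str:
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"   # treated as plain text for content inspection


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters most digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass
class Attachment:
    name: str
    data: bytes


@dataclass
class OutboundMail:
    sender: str
    recipients: list
    body: str
    attachments: list = field(default_factory=list)


@dataclass
class Policy:
    internal_domain: str = "example.com"        # assumed for the demo
    watched_recipients: frozenset = frozenset()  # "certain addresses"
    quarantine_all_attachments: bool = False     # the "extreme" setting


def evaluate(mail: OutboundMail, policy: Policy):
    """Return (action, reasons) for one outbound message."""
    action, reasons = "allow", []

    def escalate(new, why):
        nonlocal action
        reasons.append(why)
        if SEVERITY[new] > SEVERITY[action]:
            action = new

    external = [r for r in mail.recipients
                if not r.lower().endswith("@" + policy.internal_domain)]
    for r in mail.recipients:
        if r.lower() in policy.watched_recipients:
            escalate("quarantine", f"recipient on watch list: {r}")

    text = mail.body
    for att in mail.attachments:
        kind = true_file_type(att.data)
        ext = att.name.rsplit(".", 1)[-1].lower() if "." in att.name else ""
        if kind == "exe":
            escalate("quarantine", f"executable attachment: {att.name}")
        elif kind != "unknown" and EXT_TO_TYPE.get(ext) != kind:
            escalate("quarantine", f"{att.name} is really {kind}, not .{ext}")
        elif policy.quarantine_all_attachments:
            escalate("quarantine", f"all attachments held for review: {att.name}")
        elif external:
            escalate("confirm", f"{att.name} is leaving the organisation")
        if kind == "unknown":           # plain text joins content inspection
            text += "\n" + att.data.decode("utf-8", "ignore")

    cards = find_card_numbers(text)
    if cards and external:
        escalate("encrypt", f"{len(cards)} card number(s) going outside")
    elif cards:
        escalate("confirm", f"{len(cards)} card number(s) in internal mail")
    return action, reasons


if __name__ == "__main__":
    policy = Policy(watched_recipients=frozenset({"press@rival.example"}))
    demo = OutboundMail("alice@example.com", ["bob@partner.example"],
                        "Please charge card 4111 1111 1111 1111 for the order.")
    print(evaluate(demo, policy))   # constructed sample: ('encrypt', [...])
```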

These approaches do add an extra step to the email sending process, but it’s a short one and the payoffs in terms of data protection are significant. As the UK’s Information Commissioner’s (ICO) head of enforcement, Stephen Eckersley, has said, “One of the most basic rules when disclosing highly sensitive information is to check and then double check that it is going to the right recipient.”

Just this week, it was revealed that the ICO has issued over £1m in fines for data breaches since April 2010. New EU directives on data privacy will see penalties of up to 2 per cent of global annual turnover for organisations that breach data regulations. Globally, some of the world’s most respected brands have found themselves in the spotlight for all the wrong reasons; financial penalties aside, the reputational damage that follows in the wake of a data breach can linger long after any fine has been paid.

That’s a heavy price to pay for an errant click of the ‘attach file’ or ‘send’ button.

Nick Peart

Mon, 06 Feb 2012 08:02:09 -0800 The human factor http://blog.clearswift.com/the-human-factor

News of a data breach at the UK’s Scotland Yard has pushed the issue of data management and control back into the public eye. The Yard admitted accidentally sharing the personal email addresses of more than a thousand crime victims with other victims on its database. It was an easy mistake to make: In the course of sending a survey to 1,136 people, email addresses were entered in the wrong box, making them visible to all recipients.

In a worst case scenario, the maximum penalty for a data breach in the UK is £500,000.

No one sets out to lose data, but a glance at some of the most recent incidents reveals a common thread: human error. At a time when organisations across sectors are under increasing pressure to adhere to the often competing demands of transparency, cost-effectiveness, privacy and collaboration, data leak incidents are in danger of undermining reputations, brands, revenues and effective business strategies. It’s a high price to pay for an accident, and if government privacy agencies are increasingly less forgiving of mistakes, customers – both existing and potential – are even less tolerant. According to research undertaken by the Ponemon Institute in October 2011, data leaks cause a minimum loss of 12 per cent of brand value; in some instances, this rose to an almost 25 per cent loss of brand value as a direct result of a data leak incident. As I’ve said, it’s a high price to pay for an accident that could easily have been prevented.

Data leak prevention, Web and Email Gateways and strong, flexible policy-based encryption work in tandem with effective education and management policies to reduce the potential for costly human error. Encryption and decryption, for example, can be performed automatically and centrally within flexible policy parameters and without the need for user interaction.

This doesn’t mean limiting end user ability to share and communicate – recognising the content is important, but so too is the ability to apply context to the data before deciding to encrypt, regardless of whether the end user selects that option.

It’s all about striking a balance between risk and real-world working requirements – and making sure that human error doesn’t get in the way.

Alyn Hockey

Thu, 02 Feb 2012 02:35:38 -0800 There's opportunity in difficulty http://blog.clearswift.com/theres-opportunity-in-difficulty

Faced with increased penalties and significant reputation damage for serious data or information compliance breaches, it’s hardly surprising to find data protection topping TechTarget's list of enterprise IT priorities in 2012.

Challenging times lie ahead for organisations that don’t adapt to the new risks and opportunities that come with new ways of communicating, but organisations that focus only on network security risk taking their eye off the ball. IT consumerisation, smart device proliferation, web-based services and workplace mobility all call for a data-centric approach to information management and protection.

Information is only as good as your ability to use it effectively; organisations looking to achieve high-quality data protection need to know, manage and understand the value of all the data entering and leaving their networks, as well as how it’s being used and by whom. The organisations that meet this challenge will be the ones that are most able to make effective use of their data while mitigating the risks inherent in information exchange.

To this end, more traditional, network-based data protection approaches should be implemented in tandem with contextual information management systems. This allows organisations to simultaneously control and empower their data without impeding its flow. Stopping and blocking might seem like the easiest route to take, but it simply isn’t up to the task and doesn’t reflect the technological realities of the way we do business today – or in the future.

Alyn Hockey

Wed, 21 Dec 2011 01:24:02 -0800 Know who’s naughty or nice this Christmas http://blog.clearswift.com/know-whos-naughty-or-nice-this-christmas

With various retail bodies reporting a recession-busting increase in online Christmas sales this year, there’s a good chance your employees are scoring some of their best deals from the office desk.

To be fair, figures from Sage Pay suggest it’s all happening over lunch time, but it does underline the blurring line between home and work life that our WorkLifeWeb research has been picking up in recent years. Employees increasingly expect to be trusted to undertake personal tasks at work – and our research shows that blocking personal browsing or social media use in the workplace has the unwanted side-effect of eroding employee job satisfaction and sense of trust.

The really interesting thing is that while most organisations cite security concerns as a key driver behind blocking web access, many studies have found that blocking can expose organisations to greater vulnerability, as employees look for ways to circumvent the rules, either by using their own, unsecured devices or finding workarounds for acceptable usage policies.

It doesn’t have to be that way. Flexible policies help businesses to solve the security-communications dilemma, allowing them to give staff the kind of web access they need without having to worry about data loss or brand damage. Highly granular policies mean companies can allow employees to access Facebook, Twitter, LinkedIn, YouTube or any other web site without having to worry about them posting damaging or sensitive information or downloading malware, spyware or other web-based nasties – such as the pre-Christmas phishing sites masquerading as popular stores that seem to multiply at this time of year.

Evolving technologies, business and employee needs are forcing organisations to re-think their data security strategies. Flexible policies can help find the right balance between open communications and strong security without undermining employee relations.

Richard Turner

Tue, 29 Nov 2011 06:58:00 -0800 New chapters, new challenges, new growth. http://blog.clearswift.com/new-chapters-new-challenges-new-growth

With cybercrime now one of the top four economic crimes facing governments and companies globally, and a quarter of all economic crime committed in the past year cyber-based, the need for greater information security strategy and awareness has never been greater.

The UK Government’s recent announcement of strategies and initiatives to safeguard critical infrastructure and systems is a welcome indicator of the shape of things to come, as information security climbs rapidly up the corporate and government agenda. The UK Government's announcement of a pilot programme to bolster co-operation between state and private information security professionals, along with the proposed establishment of a cyber crime unit within the National Crime Agency by 2013 are very welcome developments.

Today, key industry figures have gathered in London for the Cyber Security Summit. At a time when the online rules of engagement are changing and governments and businesses around the world are looking to meet challenges head-on, it's clear that the information security market is set for significant growth over the coming years. Exciting times lie ahead for the industry, and Clearswift is very excited to announce the beginning of a new chapter for us, following our acquisition by mid-market growth investor Lyceum Capital.

The deal will allow Clearswift to increase our focus on content-aware security solutions as well as broaden our software range, acquire further technical capabilities and develop our geographical reach.

As part of this new chapter, we welcome highly experienced software entrepreneur and former CEO of IRIS Software, Martin Leuw, as our new Chairman. Under Martin's leadership, IRIS grew in value from £30m to £500m in 10 years, transforming it into one of the UK's largest privately-owned technology companies. Martin is joined on our board by Lyceum Partners Jeremy Hand and David Harland.

Clearswift will be gaining some exceptional experience and knowledge to support the business through the next phase of growth, and we're looking forward to a bright future. Our heritage in content inspection and flexible policies, backed up with excellent service, makes us exceptionally well positioned to meet customer needs in a world where social media and web technologies are rapidly transforming the way we all do business.

Full details are available here

Richard Turner

Thu, 24 Nov 2011 08:13:00 -0800 The data explosion should drive flexible IT policies http://blog.clearswift.com/the-data-explosion-should-drive-flexible-it-p

I read a fascinating fact last week. Apparently 90% of the world’s data has been created in the last two years alone.

Incredible. But actually not as surprising as it first appears when you think about the massive growth in online and social networking over recent years. As a widely adopted consumer trend, such technologies have inevitably infiltrated the business world; becoming a highly valuable and living, breathing part of many organisations.

But this data overload presents its own challenges. A recent article in Computer Business Review discussed the needs of a company’s marketing department regarding social media access. The marketing department is often one of the biggest supporters of social media in the workplace; at its most basic level it provides an ideal platform to engage with a wider range of customers and contacts. But at the same time marketing can also be the department with the most challenging task, ensuring the company’s reputation and brand are safeguarded and protected.

Flexible policies combined with security technology can go a long way towards helping address these issues. Overarching stop-and-block policies for social media not only cut off a valuable way of communicating with customers, partners and, of course, colleagues, but also prevent some departments from carrying out their roles to their fullest potential.

Flexibility is the key to social media success for businesses. It supports productivity, maintains staff morale and also helps ensure that where there are instances of malicious or accidental data leakage, safeguards are in place to protect the brand.

Flexibility is often needed on a department by department basis. Clearswift solutions allow for rules to be tailored right down to employee level and it’s even possible to enable time quotas and rules for specific websites and services. This allows individual departments, such as the marketing team, the freedom to allow communication in precisely the way they need while maintaining administrative simplicity.

If businesses are to capitalise fully on the benefits of social media, they must adopt a flexible policy approach that goes hand in hand with investment in staff training and education around acceptable use and information security issues. Too often, policy is only ever referred to when something goes wrong – when it’s too late. Staff across the whole of the business must be fully aware of policy, understand the rules and, most importantly, why those rules exist.

Nick Peart

Wed, 16 Nov 2011 08:31:00 -0800 Bend or break: CIOs must become more flexible http://blog.clearswift.com/bend-or-break-cios-must-become-more-flexible

With 91 per cent of business leaders saying security concerns are hindering new technology adoption, it’s interesting to note Gartner’s recent call for increased flexibility and adaptability among CIOs struggling to cope with the consumerisation of IT in the workplace.

As CIOs face mass mobility and a proliferation of employee-owned devices in the workplace, Gartner analysts are saying that, rather than stick your head in the sand and hope the challenges go away, it’s time for companies to accept reality and adapt their security policies to deal with it. Gartner vice president Nick Jones has said that CIOs need to ‘explore new ways to provide, fund and manage mobile devices to allow employees more choice and support BYO (‘bring your own’) programmes.’

Faced with the inevitable, Gartner envisages four possible management styles emerging among CIOs attempting to deal with consumerisation: control-oriented, choice-oriented, innovation-oriented and hands-off. Of these, the ‘innovation-oriented’ approach resonates the most with me: according to Gartner, organisations taking this approach empower users to exercise more control over their devices and applications, using strong policy orientation to ensure responsible behaviour. Business doesn’t wash its hands of responsibility for critical issues; it does, however, foster a usage philosophy under which policy dictates technology, not the other way around.

Education and communication play key roles in achieving this mentality. Rather than operating at a remove from the rest of the business, CIOs should engage with and work with staff, proactively educating them about the risks associated with device proliferation – and facilitating the behaviour changes needed to make things work securely. Blocking won’t make the challenges go away, but will ensure you never really find solutions that work for your business.

Policy, not policing, will allow those 91 per cent of business leaders to truly innovate and evolve in step with emerging technologies and services.

Nick Peart

Tue, 01 Nov 2011 09:12:00 -0700 Good fences make good neighbours http://blog.clearswift.com/good-fences-make-good-neighbours

It’s not that long since I wrote a blog post bemoaning Australia’s privacy laws as ‘toothless tigers’, pointing to our country’s lack of mandatory disclosure legislation as an ongoing challenge for information security. As such, I welcome Home Affairs Minister Brendan O’Connor’s recent announcement that disclosure and privacy reforms could be fast-tracked – if the department was presented with evidence that enterprise information security was inadequate. For all that, I’ll be keeping the bubbly on ice for the time being...

While I do welcome the prospect of reforms that feel like they’ve been in the discussion stages forever finally seeing the light of day, you have to question the adequacy of a process that calls on those with the most to lose to own up to their failings so you can expedite the process by which they’ll be penalised.

The Australian Law Reform Commission first published its recommendations for data breach notification legislation back in 2008. And with public consultation for the privacy reforms ending on November 3rd, it’s hard not to be cynical and wonder whether we’re looking at another long period of talk with little in the way of action. Meanwhile, SC Magazine reports that security specialists claim the scale of Australia’s data theft problem goes well beyond anything our government or even the local media know about.

Australians were first asked to consider whether privacy was a legal right back in 1937. On that occasion, Chief Justice Latham said that “Any person is entitled to look over the plaintiff’s fence and to see what goes on in the plaintiff’s land. If the plaintiff desires to prevent this, the plaintiff can erect a higher fence.”

All well and good when few homes had even a telephone, but in a digital age, it’s increasingly difficult for individuals to erect higher fences around all the personal data they’re obliged to submit for even the simplest of day-to-day tasks. Financial services verification routinely involves the furnishing of further identifying details, from passports to driving licences, place of work, payroll numbers, even your mother’s maiden name. And while logic says the onus for building adequate fencing around that data lies with the organisation that holds it, the law suggests otherwise – and the absence of any clear mandatory penalty underlines a highly unsatisfactory state of play.

While we’ve been strolling towards a solution, it’s not only technology that’s outstripping us; other countries and regions such as the EU and US have implemented some major changes in recent years, where prompt responses and fines for data breaches are the standard minimum requirement to keep organisations of all kinds on their toes.

Data breaches are, sadly, inevitable. It’s impossible to prevent an employee from accidentally leaving sensitive paperwork on public transport, for example. But there are still some practical solutions. In the first instance, it’s important that legislation is in place; after that, it’s ultimately up to businesses to take responsibility for themselves by taking practical steps to educate employees and create visible security across the organisation. Businesses should apply visible security strategies, informing users of policies, using tools to remind staff of what constitutes a breach and enabling managers to get a better handle on their data and where it is.

Businesses in Australia are playing their part, but more certainly needs to be done when it comes to legislation and education. As of April this year, twice as many breaches were reported compared to 2010. The law needs to be reinforced and reviewed to accelerate post-breach actions so that companies can take responsibility and put solutions in place. The time for talk has passed.

Phil Vasic

Tue, 25 Oct 2011 05:54:00 -0700 Monitor. Communicate. Educate. http://blog.clearswift.com/monitor-communicate-educate

Last week, the US-based National Institute for Standards and Technology (NIST) issued new guidelines on monitoring information security across computer networks, devices and software. In the wake of a series of high profile data breaches, the recommendations reiterate the ongoing need for companies to take control of their IT security strategies and policies.

A key message in the guidelines is that an effective, continuously monitored information security programme helps organisations move from purely compliance-driven to data-driven risk management.

This is an important shift for many organisations; while no one can deny the ongoing, growing need to comply with increasingly complex regulations, there’s more to security than box checking. As NIST points out, data-driven risk management gives organisations the information they need to “support risk response decisions, security status information and ongoing insight into security control effectiveness.”

On the face of it, it all sounds very complicated. Monitoring all risks while negotiating a path through compliance leaves a lot of organisations bound up in so much red tape that they simply opt for what looks to be the easiest route: lock, block and limit communications. As we’ve seen so many times before, this is a self-defeating approach that ultimately holds companies back.

We operate in a dynamic business environment, not a vacuum; companies need to be flexible and agile. This calls for equal measures of self knowledge and threat understanding – and effective monitoring can help get you there. Security should be about policy, not policing, and quality risk assessment drives quality policy, which in turn allows your organisation to communicate with confidence.

Monitor. Communicate. Educate. Security policy should drive technology, not the other way around.

Nick Peart

Wed, 19 Oct 2011 05:39:00 -0700 The fine line between transparency and privacy http://blog.clearswift.com/the-fine-line-between-transparency-and-privac

Public sector organisations have unique information security challenges. Trusted to legitimately gather and use citizens’ private information, they are also required to adhere to standards of openness and transparency in everything they do. It’s a tough line to walk, as the Scottish Council of Dumfries and Galloway recently discovered, when it accidentally published the personal details of almost 900 employees – in response to a Freedom of Information (FoI) request.

Among the data made public: names, dates of birth and salaries. All up on the council’s web site for over two months before people noticed and complained.

The difficulties of being both transparent and secure were underscored by the Information Commission’s Ken MacDonald, who said that “Being open about council pay is a fundamental way that citizens can hold local authorities to account, but that should never be at the expense of upholding individuals’ privacy rights.” MacDonald added that the council was now reviewing its procedures in light of the lessons learned and that appropriate checks to ensure that personal data is handled in compliance with the Data Protection Act were put in place.

On this occasion, the council avoided a financial penalty, but the incident serves to highlight the difficulties faced by public sector organisations in fulfilling their mandate to serve citizens while protecting their privacy. There’s an inherent risk in sharing information online that can only be mitigated by putting the right security procedures and controls in place – and enforcing them.

A key component of this is education and the creation of visible, flexible policies that take into account the real-world communications needs of any workforce while underlining why such policies are necessary. At a time when purse strings are tight, those charged with delivering public sector data security must increasingly look to solutions that enable them to unite technology with strong policy and people, striking a balance between compliance, risk and work requirements. Fortunately for public sector organisations and businesses alike, the guidelines are already out there. That’s half the battle – the really important thing is to ensure that they’re adhered to. By making security policies relevant to all users, organisations can support productivity and transparency while ensuring private data remains private.

Richard Turner

Mon, 17 Oct 2011 01:43:03 -0700 Information security: More investment than expense http://blog.clearswift.com/information-security-more-investment-than-exp

Last week, The Guardian reported that the Metropolitan Police’s Central e-Crime Unit (PCeU) had saved the UK economy £140m in the previous six months by cutting illegal trade and online practices – including preventing data loss through cyber crime.

Although it’s heartening to see that the Met’s e-crime team is likely to exceed its targets for the year, figures like this leave me wondering why so many organisations view information security as a burden to the bottom line, an additional cost that must be absorbed under infrastructure spending. It’s time for this perception to change.

There’s more to information security than in-bound threat detection; it’s about the values and benefits beyond it, some of which aren’t always immediately obvious if all you’re looking at is bottom line cost. Consider the following:

Your organisation’s ability to comply with increasingly stringent data privacy legislation doesn’t only affect internal policy, but also has a knock-on effect on your ability to trade and partner with businesses in other jurisdictions.

Our recent WorkLifeWeb research revealed that a significant number of businesses felt security concerns were hindering their adoption of new, collaborative technologies. Social media opportunities are a poster child for this: Security fears mean an increased number of businesses are blocking staff use of these services, even as management says it plans to invest more on social media in the coming year. With the right software and policies in place, social media doesn’t have to be a workplace dilemma – you can give staff the kind of access they need without having to worry about security.

You’ve got policy, you’re just not enforcing it. The really surprising thing about many of the recent, high-profile data breaches hasn’t been the fines, it’s been the fact that many of the organisations in question actually had data protection policies in place – they simply failed to enforce them. A comprehensive data protection policy is only as good as your organisation’s willingness and capacity to ensure it’s adhered to. You spent time and money developing your policies, so why aren’t you extracting the value from your investment?

It’s time to view information security as an investment rather than a cost. The technology’s there: encryption, Data Loss Prevention (DLP), email and web gateways, anti-malware protection. Educate yourself and your employees and you’ll soon get a clear view beyond the bottom line.

Nick Peart

Mon, 03 Oct 2011 08:18:59 -0700 Keeping on top of data discrepancies http://blog.clearswift.com/keeping-on-top-of-data-discrepancies

In November this year, the European Commission (EC) will publish its new version of the Data Protection Directive, the legislation on which the Data Protection Act is based, and amongst the new measures will be instructions on data processing. The updated version will include a 'mandatory data breach disclosure' law for every organisation in the public and private sectors. Adoption of the law is expected by early 2013.

Currently, it is optional for private companies to report data breaches so it is fair to assume that there are many leaks which occur that we never get to read about in the papers. This will all change once this legislation is passed. All companies’ data discrepancies will then be open to public inspection and the impact of any kind of data breach can be felt not only on the bottom line but also at a brand and reputation level. However, there are a few simple measures you can take now to avoid any corporate embarrassment down the line.

Firstly, make sure employees understand IT policy; those that are responsible for data need regular clarification on what activities may put data security at risk as well as what is and what isn’t permitted by the business. This can be achieved through frequent communication and training. In addition, once you have formulated a policy make sure it’s enforced. In extreme circumstances, this may mean having to take disciplinary action if rules are transgressed, but if you’re too lenient then nobody will take the policy seriously.

Interestingly, this EC news comes out in a week where analysts are predicting an increasing appetite for cloud computing. Ovum is claiming that spend on cloud services is growing 29% year-on-year and that by 2015 it will have reached $66 billion. When you consider that the security of data is the number one concern about moving to the cloud, we have a curious dilemma for corporate UK. Businesses will not only be using services which potentially leave them more prone to data loss, but if the worst happens they will be legally required to tell the world about it.

Richard Turner

Thu, 22 Sep 2011 03:00:00 -0700 Security’s a boardroom issue http://blog.clearswift.com/securitys-a-boardroom-issue

It’s not that long since responsibility for information security lay firmly at the door of the IT department. Not viewing it as a business critical issue, boardrooms were happy to take a watching brief; after all, they had a company to run.

Recent times and a changing threat landscape have driven a change in attitude, however. From privacy and compliance legislation to high profile data breaches, intellectual property protection and network security, it’s a lot easier to make the business case for IT security. As such, security has climbed up the business agenda for many organisations, moving from a ‘nice to have’ to an essential component of the day-to-day business.

There’s nothing like the threat of financial penalties, criminal proceedings or serious reputational damage to focus the business mind on the need for a high quality, unified security strategy. The current economic climate has, however, put some IT departments under significant pressure to run security programs on ever-tightening budgets. A survey released by PricewaterhouseCoopers this week found that only half of global respondents said they planned to increase their spend on security over the next year; in the UK, that figure’s 35 per cent. This despite the fact that 85 per cent of PwC’s respondents claimed to have experienced a security breach of some kind over the previous six months.

To maximise the return on any programme, senior management buy-in is vital, and information security is no exception: in order to retain priority status, it needs to evolve alongside the changing technologies that have become pivotal in the workplace. But it’s a two-way street: just as security technologies and policies need to evolve, so too do the humans involved. Security should never be a silo-based activity; the key to gaining buy-in across all levels of the organisation is advocacy from the highest level.

Nick Peart

Thu, 15 Sep 2011 00:49:00 -0700 Security without the hype http://blog.clearswift.com/70177372

Anonymous. LulzSec. Stuxnet. A Digital Pearl Harbour. Cyber attacks are bigger than the global drugs trade.

Recent high profile data breaches might well suggest that some corporate networks have all the security of a sieve, but is a lot of the rhetoric and war-room talk that accompanies so much of the discussion of cyber security really necessary?

There’s only so much hype people can take before they switch off or start making assumptions about the true value of the message. And it’s only fair to say that a lot of the fear and negativity that’s associated with digital and network security could be having the opposite effect on end users. In the face of the seeming inevitability of an attack, it seems that many end users are adopting a resigned approach that borders on carelessness or worse: passing the buck and assuming someone else will look after it.

Clearswift’s recent WorkLifeWeb research found that 31% of employees surveyed said they believed information security to be entirely the responsibility of their company. 21% of those employees admitted to not thinking about security at all when using the web or email at work, with 19% saying they’d work around any company blocking policy. Hardly surprising, then, that 50% of managers believe employees are oblivious to security concerns.

It’s that last figure that’s so interesting to me, because it raises some pretty obvious questions: If your employees are oblivious to security concerns, whose fault is that? Similarly, why is it that, with more managers expressing concern about data loss via employees than via external hacking, other Clearswift research has found that 38% of employees had received no training at all on security issues in their current job?

As Andrew Wyatt put it in a recent blog post here, technology on its own is a skimpy fig leaf. Modern information security is about a lot more than just inbound threat detection. It’s about the value and benefits beyond it. Being able to implement flexible policies that work with, rather than against, employees; simplifying solutions and reducing administrative burdens so IT staff can dedicate more time and effort to proactive vigilance; educating your workforce and creating a visible, flexible policy that they are not only aware of but understand the need for...

These are just some of the more positive steps that companies can take towards securing their information assets. Hype might help to sell products. It might even help to push security higher up the business agenda in some firms, but unless we start to see a trickle down to all levels of the business, it’s a waste of breath. Worse still, with 87% of businesses we surveyed saying security fear was the biggest single inhibitor of the adoption of the kinds of technologies that 57% of them described as critical to their future success, it’s worth remembering that some cures are worse than the disease.

By Nick Peart

Thu, 08 Sep 2011 06:34:00 -0700 The Social Media Stalemate http://blog.clearswift.com/69089264

Earlier this week, I commented on some of the trends revealed by our WorkLifeWeb research. One area I didn’t touch on, however, was the insatiable demand for consumer mobile devices such as iPads and smartphones and how these are impacting on the workplace.

This ‘consumerisation of IT’ – where users bring their own devices to work – poses a number of new challenges to businesses, creating new headaches for IT security staff as they battle to secure boundaries and prevent data loss via unauthorised devices. In fact, 87% of the companies we surveyed said they are so concerned about security and data loss that it’s preventing technology adoption.

Another interesting aspect of this year’s WorkLifeWeb research is its reflection of what appears to be a growing divide between workers and management when it comes to social media use in the workplace. While 48% of managers say social media use is either allowed or encouraged, only 25% of employees agree that this is the case. This development of a social media stalemate between managers and employees is further highlighted by the fact that while 60% of companies state that they allow personal device use at work, only 40% of employees think this is the case.

There is clearly a growing tension between the two groups: one feels the need to manage, restrict and control, while the other believes it should be trusted to use technologies that can empower and enhance communications. This friction currently looks unlikely to abate. Perhaps companies should note that stricter social media policies would detrimentally affect over 40% of the workforce.

On the whole, the 2011 research indicates that companies are clamping down on new communication channels rather than embracing them. This in turn is stifling potential avenues of growth. One saving grace is that while this is happening, the research shows that businesses do recognise the important role that social media has to play. We can only assume that the clampdown is a knee jerk reaction rather than a long term trend.

Wed, 07 Sep 2011 05:51:52 -0700 The business case for compliance http://blog.clearswift.com/the-business-case-for-compliance

Last week Adrian Leppard, City of London Police Commissioner, wrote an article that discussed how an increasing number of criminals were targeting businesses that failed to encrypt customer data to a high enough standard. He commented that the financial loss and reputational damage inflicted on a company from a data breach will always outstrip the investment cost of putting in place the correct security systems and policies. This is a very valid point.

There are many sector specific security standards in the marketplace, with the Payment Card Industry Data Security Standard (PCI DSS) being one of the best known. This mandatory regulation was put in place by prominent industry players such as American Express, Visa and MasterCard Worldwide, to establish a common framework for data security compliance.

By becoming PCI compliant, your business adheres to the PCI DSS requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. In operational terms, it means you are playing your role in ensuring your customers' payment card data is kept safe throughout every transaction, and that they – and you – can have confidence that they're protected against the pain and cost of data breaches.

Unfortunately, too many companies have a rather lax approach to compliance, seeing it as another bureaucratic tick box rather than a business imperative. This seems a rather strange attitude to take when you consider that non-compliance means you are not only jeopardising the security of your customer data but are also gambling with your reputation and brand. All companies that handle customer data should conduct regular data discovery exercises to ensure that unprotected cardholder data is found and correctly secured.

Another consideration is that criminals are always using new methods to obtain data, which is why data standards constantly evolve: PCI DSS is currently in version 2.0. Security vendors should therefore pay close attention to evolving standards to ensure the solutions they offer are relevant and mitigate client risk.

Police Commissioner Leppard made the point that what is needed is not just a change of process, but a change in attitude; only reacting when things go wrong is not the mark of a strong business. In essence, having the foresight to implement a flexible security strategy is one of the first steps you should take if customer retention is important to your business model.

By Richard Turner

Tue, 06 Sep 2011 02:49:04 -0700 Worldwide clampdown on technology as business overreacts to high profile data breaches http://blog.clearswift.com/worldwide-clampdown-on-technology-as-business

This week saw the release of Clearswift’s annual WorkLifeWeb research, a study examining attitudes to social media and personal technology in today’s workplace. This year’s research highlights some interesting shifts compared to last year’s research, marking what appears to be a new phase in the adoption of social media by businesses.

One of the leading stats for this year is the fact that organisations across the globe appear to be clamping down on social media usage following recent high profile data breaches: 68% of companies now monitor employee internet activity while 56% completely block access to social media sites.

The 2011 report highlights a significant switch in perspective by global businesses. In Clearswift’s 2010 study just 9% of companies engaged in blocking employee access to social media, yet in the latest research this figure has risen to 19%. So what’s provoked this change in attitude and overwhelming sense of caution?

Perhaps it’s the glut of high profile data leaks hitting the headlines over the past year? The hacking of corporate networks seems like a regular occurrence these days, and inevitably makes management more nervous and vigilant when it comes to employee use of technologies that might expose them to more risk – especially if those employees demonstrate a blasé attitude towards security policies. It seems that 2011 is the year of prudence, with the mitigation of risk a higher boardroom priority.

Ironically, the study also found that companies see social media as critical to future success: one in four companies are planning to invest more in social media this year than last and 41% agree that the benefits of social media outweigh the drawbacks. A ‘socianomic paradox’ has emerged; on the one hand 80% of managers acknowledge the business benefits of social media tools, yet a paralysis has set in due to security fears, resulting in a new dilemma for many boardrooms.

Given that these are technologies that will influence the way we work and operate for years to come, it’s a dilemma that’s unlikely to disappear any time soon.

Andrew Wyatt

Thu, 01 Sep 2011 05:55:00 -0700 New Windows worm highlights prevalence of weak admin passwords http://blog.clearswift.com/new-windows-worm-highlights-prevalence-of-wea

Last weekend, Microsoft’s Malware Protection Centre (MPCC) detected a new worm that exploits weak passwords to infect Windows workstations and servers.

Dubbed ‘Morto’, the worm is similar to Slammer or CodeRed from years back, but with a twist: the attack exploits Remote Desktop connections, giving attackers command-and-control access to the network through the infected machine. Once in, Morto connects to a remote server, updating its components and downloading further information. The worm can then terminate processes for local security applications as well as perform Denial of Service (DoS) attacks against specified targets.

Clearswift Chief Software Engineer Paul Singh says this is the first time we’ve seen an attack of this nature. “This is probably a proof of concept attack that has worked a bit better than the perpetrators expected,” he says. While the attack utilises RDP, the weak point is not remote desktop access over the internet; the initial “in” for Morto is most likely to come via an infected email or visiting an infected site, says Singh. “As such, using VPN as a defence mechanism isn’t relevant. Perimeter security that scans email and web traffic to prevent infections in the first place is important.”

Singh says that Morto highlights just how easy it is to crack the most commonly used passwords. Worse still, the worm exposes “How lazy some administrators are, as Morto is targeting the passwords for admin accounts.”

“Recent attacks on popular sites like Gawker, RockYou and PSN gave hackers access to passwords that can be used to increase the statistical probability of guessing admin passwords correctly,” says Singh. And while some might question the relevance of Gawker users’ choice of passwords to IT admins, the list of user account names and password combos Morto has tried includes some real eye-openers: admin, root, owner, 1234, 123, password and 123123...

According to Singh, the simple solution to attacks of this nature is to adopt a more robust, well-defined and enforced password policy in the workplace. This can include clear guidelines around password complexity and the setting of basic password requirements such as length and mixing upper- and lower-case letters with numbers.

Singh adds that the worm was detected through the unusual levels of network traffic it creates on certain ports: RDP scans, downloads, receiving commands and DNS queries for command-and-control servers. “This highlights the need for IT departments to constantly and proactively examine log files for unusual activity,” he says.
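One way to turn that advice into a concrete check, as an added example (not Clearswift's own code): a small Python script that flags any host contacting an unusual number of distinct machines on TCP/3389 within a short window, the RDP-scan signal mentioned above. It runs over constructed firewall log lines in an assumed, simplified one-line-per-connection format; the thresholds and format are assumptions, not values from the post.

```python
"""Flag RDP fan-out (one source sweeping many hosts on TCP/3389) in flow logs.

Added example; assumes a constructed log format:
"<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto> <action>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_PORT = 3389
WINDOW = timedelta(minutes=5)   # assumed look-back window
FANOUT_THRESHOLD = 10           # assumed: distinct RDP targets before alerting


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, dst, port, proto, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), proto, action


def rdp_fanout_alerts(lines, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src_ip: max distinct TCP/3389 destinations seen inside any
    window-long period} for sources that reach the threshold.

    Denied attempts count too: a scan of hosts that do not run RDP still
    shows up as a burst of connection attempts, which is the whole signal.
    """
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port, proto, _action = parse_line(line)
        if proto == "tcp" and port == RDP_PORT:
            events[src].append((ts, dst))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {dst for _, dst in evs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


# Constructed sample log: an administrator's routine sessions to one jump host,
# some ordinary HTTPS traffic, then a worm-style sweep of a /24 on TCP/3389.
SAMPLE_LINES = [
    "2011-08-28T09:00:00 10.0.0.5 10.0.1.10 3389 tcp allow",
    "2011-08-28T09:45:00 10.0.0.5 10.0.1.10 3389 tcp allow",
    "2011-08-28T10:30:00 10.0.0.5 10.0.1.10 3389 tcp allow",
    "2011-08-28T09:01:00 10.0.0.5 93.184.216.34 443 tcp allow",
] + [
    # 20 targets in under a minute; most do not listen on RDP, so the
    # firewall denies the attempt, but the attempt is still logged
    f"2011-08-28T11:00:{i * 3:02d} 10.0.0.77 10.0.1.{i + 1} 3389 tcp "
    + ("allow" if i % 5 == 0 else "deny")
    for i in range(20)
]


if __name__ == "__main__":
    for src, count in rdp_fanout_alerts(SAMPLE_LINES).items():
        print(f"ALERT: {src} attempted RDP to {count} distinct hosts "
              f"within {WINDOW}")
```

Real deployments would feed the same logic from firewall, NetFlow or Windows event exports and tune the threshold to what a given network's administrators normally do.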

You can read more about Morto here.

Pamela Weaver
