The SANS Institute recently published its top ten security threats for 2008, and it is clear that the days of an IT department being solely responsible for information security are long past. Today's cyber threats require a partnership between management, the IT department and the user community at large.
In the past, up-to-date anti-virus software, desktop policies and permissions, and corporate firewalls were generally thought to be enough to handle day-to-day threats. Zero-day exploits could require a special response, as could certain large database systems. Times have changed, though, and the bad guys have changed tactics.
Gone are the days of the lone hacker working to penetrate your corporate security in the dark of night. Today's threats include brute-force attacks, compromised web sites, infected peripherals and, unfortunately, insider attacks.
In one well-known case, a security company was hired to test a credit union's cyber security. The credit union had good software, tight firewalls and key-card access on every entrance. The security company was still able to penetrate its systems quickly. Its plan was to scatter USB flash drives around the parking lot. As employees arrived for work, some of the drives were found and brought inside the credit union. The first thing the employees did with them? Plug them into their computers to see what was on them. Fortunately for the credit union, the program the drives installed was a benign test payload and caused no damage; a real attacker's payload would not have been so kind.
The rise of interactive websites and business-to-business (B2B) portals also brings risks. The same code that makes these sites interactive, accepting and acting on user input, can also give the bad guys a way in. The number and sophistication of the tools used against such sites increases every day. This type of attack can even affect well-known and trusted web sites, compounding the damage. As more and more sensitive information is shared in this way, the targets become increasingly valuable.
Additionally, the advance of technology itself is working against security. Laptops are becoming more common every day. PDAs and smart-phones are in use at nearly every company. As these devices become more widely used, the chance of theft or loss increases. Hardly a week goes by without a news report describing the loss of a laptop, or other device, containing sensitive information.
So, what can you do?
First, establish clear corporate policies that describe what is allowed and what is not. Avoid knee-jerk reactions to specific incidents. Take the time to design well-thought-out policies and procedures that can be applied company-wide. No exceptions! If senior staff won't follow the rules, it is unrealistic to expect the rest of the company to respect them.
Communicate these policies clearly to your user community. Impress upon your personnel that security is a shared challenge that must be applied constantly. Encourage feedback, explain the reasoning behind the policies, demonstrate the threats and show how to prevent them. As the risks evolve, conduct periodic retraining, hold Q&A sessions and always keep a receptive attitude. If security procedures become too burdensome, people will find a way around them. A sticky note on a monitor with a user's password is the perfect example. Remember, when it's security vs. convenience, convenience will always win.
Finally, keep aware of the latest threats. Email, websites, instant messaging and voice-over-IP (VoIP) all allow nearly instantaneous communication. These technologies are no longer used solely by IT departments and management, but by nearly all levels of employees within an organization. More and more, they are being taken for granted. Your security staff will need to keep abreast of the latest threats, countermeasures and monitoring tools.
Planning, communication, training. Corporate information security is an ongoing, company-wide responsibility. Working together, management, technical staff and the user community can keep your company safe.