
The risks are changing, is the approach?

By Daniel March, Product Champion, QinetiQ Digital Security


The affordability of IT security investment
Today’s common talking points for companies and individuals alike are recession and regulation. Across industry worldwide, budgets will be subject to closer scrutiny, and it is now generally accepted that the global economy is contracting. Companies are closely examining their IT security spend against affordability and value. The most likely outcome is that IT security investment will be reduced in line with overall IT budgets, as expenditure and discretionary spend are put on hold until the direct impact of the global economic crisis eases.

In view of this it is imperative for companies to remain focussed on prioritising key information security risks and responsibilities and to ensure that effective mitigation and risk controls are in place.

Assessing cost versus benefit for IT security budgetary spend has always been a fine balancing act for any company. However, for now and the foreseeable future, informed opinion is that the IT security threats faced by companies are increasing due to a variety of contributing factors. The likelihood of loss or damage to a business will grow in line with the threat unless it is countered.

The need to adhere to risk controls and adopt mitigating measures, whilst keeping operating costs under control, leaves many companies facing some very difficult decisions.

An increasingly threatening landscape
What are the increasing security threats being faced? It is now openly acknowledged that the potential threat from inside an organisation is mounting, particularly with regard to data loss or data leakage incidents. Many contributing factors influence this trend, from commercial espionage, fraud and disgruntled employees through to innocent mistakes. In times of job uncertainty the risk of this internal threat is more likely to be realised.

An increasing number of redundancies are likely to leave companies operating with reduced resource levels. Assigning additional tasks to staff, such as updating access controls, increases the chance of mistakes. IT departments must ensure that the access credentials of former employees are promptly removed from corporate systems, or the insider threat could soon become an external attack, particularly if an ex-employee becomes disgruntled and decides to use still-active remote access in an attempt to damage the business.

Those employees not subject to redundancy may be increasingly tempted to make use of their corporate data access to steal sensitive information either for economic gain or to ensure that they are well equipped to compete in the job market should they face the same situation as their former colleagues. To guard against this risk it is extremely important that organisations adopt Data Loss Prevention (DLP) measures to ensure that their systems and data are protected. Here, technology alone is not the answer. HR and IT departments must work closely to ensure that any potential leaks are immediately plugged before they can become an issue.
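As an added illustration (not from the article or QinetiQ), a leaver reconciliation of the kind HR and IT would run together: it cross-checks a constructed HR leaver list against a constructed directory export and flags accounts that are still enabled, still in a remote-access group, or used after the leaving date. All user names, dates and group names are made up.

```python
from datetime import date

# Constructed sample data (not from the article): an HR leaver list and an
# export of directory accounts with their group membership and last logon.
HR_LEAVERS = [
    {"user": "asmith", "left_on": date(2009, 3, 31)},
    {"user": "bjones", "left_on": date(2009, 4, 15)},
    {"user": "cwong", "left_on": date(2009, 4, 20)},
]

DIRECTORY_ACCOUNTS = [
    {"user": "asmith", "enabled": False, "groups": [], "last_logon": date(2009, 3, 30)},
    {"user": "bjones", "enabled": True, "groups": ["VPN-Users", "Staff"], "last_logon": date(2009, 4, 22)},
    {"user": "cwong", "enabled": False, "groups": ["VPN-Users"], "last_logon": date(2009, 4, 19)},
    {"user": "dlee", "enabled": True, "groups": ["VPN-Users"], "last_logon": date(2009, 4, 21)},
]

# Groups that grant remote access (assumed name, not from the article).
REMOTE_ACCESS_GROUPS = {"VPN-Users"}


def find_stale_access(leavers, accounts, remote_groups=REMOTE_ACCESS_GROUPS):
    """Return (user, finding) pairs for leavers whose access was not fully removed."""
    by_user = {a["user"]: a for a in accounts}
    findings = []
    for leaver in leavers:
        acct = by_user.get(leaver["user"])
        if acct is None:
            continue  # account already deleted: nothing left to revoke
        # A leaver's account should be disabled, not merely left idle.
        if acct["enabled"]:
            findings.append((leaver["user"], "account still enabled"))
        # A disabled account can be re-enabled by mistake, so remote-access
        # group membership should be stripped as well (defence in depth).
        remote = set(acct["groups"]) & set(remote_groups)
        if remote:
            findings.append((leaver["user"], f"still in remote-access groups: {sorted(remote)}"))
        # A logon after the leaving date is a detection, not just a hygiene gap.
        if acct["last_logon"] > leaver["left_on"]:
            findings.append((leaver["user"],
                             f"logon on {acct['last_logon']} after leaving date {leaver['left_on']}"))
    return findings


if __name__ == "__main__":
    for user, finding in find_stale_access(HR_LEAVERS, DIRECTORY_ACCOUNTS):
        print(f"{user}: {finding}")
```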

A further activity which adds to the data management and protection burden is the increase in merger and acquisition activity of companies. Weaker companies become prime targets to be subsumed into larger institutions. With this activity comes the challenge of the acquirer becoming responsible for a vast amount of regulated and sensitive data often in very tight timescales.

The threats surrounding the protection of sensitive information will increase as some companies decide to offshore their data storage and processing and consider adopting alternatives such as cloud computing solutions (in which computing services are provided via the Internet to a broad range of users) as the cost benefits of doing so are realised.

A further significant factor influencing the constantly evolving threat landscape is the continued blurring between home and office use of computers and mobile devices. The ever-increasing mobility of technology, be it sophisticated mobile phones, portable email devices, laptops, remote access, social networking or wireless networking, is forcing companies to reassess the risks and rethink the controls required to protect their data in this fast-paced and technologically mobile environment.

It is important not to ignore the continuing external attack threats. Targeted hacking and malware attacks are on the increase. Malware is becoming more sophisticated: once the hobby of a socially dysfunctional teenager, malware is now a full-blown underground ‘for profit’ business enterprise, often undertaken by organised crime syndicates.

Directly targeted hacking attacks, for either political or financial gain, are becoming more prevalent. These attacks are often highly sophisticated in nature. The most damaging are frequently those executed by skilled attackers over an extended period of time, in an attempt to remain undetected by common IT security defence mechanisms such as Intrusion Detection Systems (IDS).

The regulatory, compliance and governance minefield
There are few companies that aren’t familiar with the plethora of regulatory requirements, compliance frameworks, legislation, directives and security standards that exist:
• PCI DSS (Payment Card Industry Data Security Standard)
• Sarbanes-Oxley
• Basel II
• ISO 27001 and ISO/IEC 17799
• Data Protection Act 1998 (UK) and the Data Protection Directive 95/46/EC (EU)

Despite budgetary constraints, the introduction of mandatory regulatory regimes often means that companies, if not already doing so, will soon have to comply (and find budget) or face the consequences of non-compliance: penalties such as fines or, potentially worse, brand damage resulting from a publicised loss of information or data, possibly due to a lack of implemented controls.

However, the introduction of mandatory regulatory regimes can prove beneficial in actually helping companies prioritise how they mitigate their risks and therefore how they allocate their budget.

For example, PCI DSS stipulates that a mandatory, independent penetration test must be performed annually to test for the existence of vulnerabilities on IT systems and networks. The standard also stipulates that quarterly vulnerability assessment scans be carried out by a vendor approved by the PCI Council. The standard also recommends that logs for all system components are reviewed daily.

These are all practical measures that should assist in improving the overall IT security of computer networks and systems, but these basic measures alone won’t be sufficient to ensure a company is protected at all times, all year round. A vulnerability assessment will confirm the existence of known system vulnerabilities at the time of the test, but what if a new vulnerability appears shortly after the test? Who will be watching the network and systems then?

Few companies have the resources available to fund a 24 x 7 Digital Security Team in-house, so the decision is often taken to outsource some elements with trusted third parties.

All of the threats and regulatory regimes outlined above can be managed in various ways. But how do you optimise IT security spend to maximise value? What are the options? Outsource, in-source, open source, off-shore, cloud computing, invest in your people, technology or processes?
 
Considering your options
One issue that endures is the need for continued protection of and investment in people, processes and technology in order to safeguard companies’ information assets in the face of the changing threat landscape.

Corporate data loss, be it through negligence, hacking attack or malware, is one of the major recurring themes in the media today. To avoid being one of those companies who are named and shamed, a company must take the necessary steps to mitigate the risk. With each data breach costing companies an average of $6.6 million (source: study conducted by Ponemon Institute and PGP Corporation), can companies really afford to be complacent?

So what action should companies take in the face of this changing threat landscape, whilst maintaining cost effectiveness? Let us examine the pros and cons of two popular options.

Outsource? Offshore?
Outsourcing to a trusted Managed Security Service Provider (MSSP) is an option for companies that cannot reconcile the cost of running their security operations on a continuous, around-the-clock basis.

MSSPs can provide the required around-the-clock vigilance, ensuring that the selected services integrate with the host of differing security devices and technologies deployed on a company’s networks. Through familiarity with the company’s operation, and their own operating processes and experience, MSSPs quickly recognise unauthorised and anomalous activity both within the network and from outside it, and then take pre-agreed, appropriate action to ensure that the threat is neutralised.

MSSPs also satisfy many of the requirements stipulated in common regulatory controls and standards by delivering regular Vulnerability Assessment (VA) scans (quarterly for PCI DSS), and are able to provide around-the-clock intelligent monitoring of system logs and networks.

Penetration testing is another area that is commonly outsourced, and with good reason. Using an in-house team to test a company’s network and systems for vulnerabilities, whilst a useful activity, may not be as cost effective as commissioning a test from a third party, which brings impartiality; the use of a third party is also often stipulated by regulatory regimes.

When deciding whether to outsource certain elements of your IT operations and services, all of the implications of doing so must be carefully considered. If cost is the only consideration without full and proper regard to risk, you might be making an expensive mistake.

Other issues to consider when outsourcing are obvious and should include: Where will the data be going? Can the third party really be trusted to safeguard sensitive information? Are there any audit or jurisdiction implications? Does the third party hire skilled professionals or just operators? Also consider not just the financial stability of the organisation itself, but also the economic and political stability of the country where the data will be stored or where services will be performed. Risk factors such as war, terrorism, environmental disregard and natural disaster also need to be taken into account.

Cloud based solutions?

Cloud computing is fast becoming the ‘buzz’ IT phrase of 2009. Computing in the ‘cloud’ is a style of computing where easily scalable and often virtualised services are provided to companies and individuals via the Internet. It is not, by any means, a new approach. If you currently have your website hosted by a third party, or use webmail, this all occurs in ‘the cloud’. The scale, type and competitiveness of the offerings are, however, changing.

Companies can make considerable savings by opting for cloud based applications and services, but once again – be mindful of the derived benefit and the potential pitfalls.

One of the major advantages with this approach is scalability. Storage and processing can be added incrementally without having to buy a new server each time. One of the major disadvantages is that you do not know physically where your data is or will be – just somewhere… in the cloud.

The cloud computing sector is under-regulated from an audit and compliance perspective. So how can companies audit cloud based services when there are no audit standards specific to the ‘cloud’? This is particularly pertinent when companies need to demonstrate that they meet regulatory requirements such as those mentioned previously. Can services and applications move easily from one vendor’s cloud to another, or are companies locked in? Is the data stored in a proprietary format? What about availability considerations, given that the provider’s security and resilience may not be as robust as expected? What about privacy concerns? Can a national agency demand to see content stored on any computer, even if it is being hosted on behalf of another country or state? Do not necessarily expect privacy in the cloud.

Continuous and effective protection
Companies should be encouraged to take advantage of emerging technological opportunities where security has been assessed. But their adoption has to be balanced against the risk: technological competence and the financial health of suppliers and outsourcers are all more acutely important in the current climate.

Despite the possible need to reduce staffing numbers, in an environment of increasing targeted attacks and sophisticated malware the services provided by a competent security team remain essential.

Merger and acquisition activity will probably increase, and individuals in the acquiring company will become responsible almost overnight for the custody of often sensitive data, so understanding data protection obligations and how to handle that data has to be right first time, every time.

The distinction that previously existed between home and office use of technology has eroded, blurring the demarcation between company and external networks. New ways of storing and processing information in places such as “the cloud” have become pervasive. Companies must take a more integrated view of their security across all channels, both within and outside their extended boundaries, in order to tackle the current technologically and socially amorphous environment.

And finally, a significant priority for CXOs must be to ensure the continuous and effective protection of their networks, systems and information. This is challenging, exciting and ultimately satisfying for companies that have worked out exactly what is needed to keep their business information safeguarded, to provide their customers with the assurance that their online services are secure and, perhaps more importantly, to earn the perception and reputation of a company that is ‘safe’ to deal with and to invest in.