Do You Have Enough Safeguards?
In the wake of trends like BYOD and third-party hosting, it has become critical for enterprises to have adequate security measures, writes Atul Khatavkar
In the current environment, information is considered currency. Information in any enterprise involves its consumers, operations, business relationships, work force, brand image, and financial status, to name a few. Protecting this information is becoming complex, and enterprises need to be careful of the growing threats. It has become extremely critical to leverage adequate security measures to safeguard an enterprise's business.
Cyber criminals leave no stone unturned when targeting an organization. The enterprise mobility wave, coupled with emerging public cloud computing solutions and the rise in social media usage, has opened up the traditional, closed on-premise enterprise IT infrastructure and is making it more vulnerable to different kinds of security threat vectors.
The modern security breach market behaves in a peculiar way. When breaching an organization, cyber criminals, basement hackers, etc. work in an organized way and have smart tools that are often difficult to trace. The easy prey are diverse: from large sectors such as government, financial services and telcos to small retailers and medium businesses that do not have sophisticated security measures. About 85% of the breaches in the enterprise segment today come from the mass market. Newer technologies such as cloud, mobility and big data initiatives are other favorite avenues for cyber criminals.
While the current situation has caused considerable worry, CIOs and CTOs are busy sifting through ways to combat enterprise security issues, which involve various layers. Some may stress the need to take a multi-layered security approach, such as employing gateway protection and endpoint security solutions, while others may give more preference to educating employees about what is threatening their enterprise’s information security and how they can mitigate such risks. However, it is the combination of both these measures that must go into the making of the ultimate defense strategy for enterprise security.
Today, organizations are highly reliant on technologies such as cloud, with the help of third-party vendors and solution integrators. The very recent $45 million global ATM heist in 27 countries is believed to have occurred due to lax security practices at third-party vendors. Therefore, while it is important for organizations to keep a continuous check on the duration of vendor contracts, they must also carry out constant checks and due diligence tests on vendors from time to time. It is also important to keep data backup strategies in place while being compliant with security certifications such as ISO 27001, SSAE 16, SAS 70, SOC 2, ISO 22301, etc.
The stronger adoption of BYOD is now leading towards BYOX for social networking on the go. As a result, IT resources are moving outside the firewall. Therefore, it is important to set clear guidelines on defamation, data protection and privacy. Additionally, encouraging direct forms of communication will help limit data loss. There is a strong need to educate staff on organizational IT policies.
While mobile computing is being promoted for real-time data and information access, organizations must ensure that devices are hardened and updated to handle malware. Considering SoCloMo trends, CIOs should keep abreast of technologies that can help organizations better manage security threats. As the security landscape is getting more complex than ever before, CIOs need to leverage sufficient security solutions to safeguard information at each and every level.
Risks from third party hosting
Of late, CIOs have been debating the data security risks associated with hosting enterprise data on a third-party server while using cloud services. Enterprises need to make an intelligent decision and design an arrangement for themselves that fulfills the whole transaction over the public cloud, but is also secured through appropriate security solutions present on-ground. Enterprises are looking at means to extend typical security controls such as firewalls, IDS/IPS, anti-virus, web filtering, privileged user management, integrated logging and event correlation, etc. into the infrastructure of the cloud providers and ensure ground-up security.
In addition, (federated) identity and access management platforms are being integrated with cloud providers to ensure tighter control over access. Enterprises are also integrating security controls such as data tokenization to secure sensitive data co-located even at the SaaS provider’s end.
In the next few years, there will be increased connectivity: everything will be connected to everything over time, and networks will expand. There will be a 10-fold increase in the number of things that are going to be connected in the next few years. However, security measures for this are insufficient. There should be a better understanding of the network and much more visibility in order to provide better security. There should also be stronger identity and access control for information protection, and better control over information movement.
Thus, CIOs shall partner with solution providers who can help them with multi-layer, end-to-end information security process consulting as well as a technology solution, with tight integration of all components right from process improvement to technology solutions. Moreover, these providers will need to offer solutions that monitor and prevent unauthorized activities from outside and insider threats, and solutions that ensure compliance policies are met and user access is granted as per privilege levels.
Atul Khatavkar is VP, IT Governance Risk Compliance, AGC Networks Ltd.