Data theft tops IT security agenda

Corporate IT professionals are concerned about data theft and regulatory compliance, but threats to their VoIP networks provoke less fear.

The findings come from a Cisco-sponsored survey of 100 IT security chiefs in UK companies of over 1,000 staff.

Thirty-eight percent of respondents placed theft of information as their primary concern, while 33 percent cited regulatory compliance as their main focus, especially if their companies had a US presence. Forty-three percent of respondents — up from 33 percent in 2006 — said they were now more concerned with internal threats, such as staff passing on confidential information or stealing intellectual property.

Paul King, senior security advisor for Cisco, said there had been an increasing realisation of the growth of information theft, coupled with a growing recognition that staff could divulge sensitive information. "We've seen the perception of the insider threat increase at the same time that the threat to information has increased," King told ZDNet UK. "Probably the easiest way to steal information is from an insider."

But VoIP seems to be posing little concern to businesses. If voice is overlaid onto a data network, it can potentially open up a whole new attack vector for hackers. But the survey respondents dismissed the risk.

None of those surveyed described themselves as "extremely concerned" about the security of VoIP or unified communications systems, and just 49 percent agreed that security should be a consideration when implementing IP-based communications.

This did not necessarily mean that security was not a concern when putting VoIP systems in place, according to King. "The respondents were putting VoIP into the perspective of being another application on the network, rather than specific potential attacks on [VoIP] protocols. If you have a voice application, it's got to be secured like any other application."

Through misuse of tools such as Vomit, an open-source diagnostic tool, hackers can intercept internet calls at layer 2 in the OSI model. However, King argued that this can be mitigated through hardening that layer in the networks. "VoIP apps are in the same category as database apps, email and instant messaging — mission critical applications," said King. "If my network weren't secure at layer 2, people would be able to see each other's emails and so on."

King added that some IT security professionals would not sanction VoIP use in their organisations. "I've heard people say that they wouldn't implement IP communications because of security considerations. I'd disagree with them — but you might find I'm a little biased on that one," said King.

Attack vectors opened up by Web 2.0 programming platforms, such as XML, were also not a major concern for IT professionals, according to Cisco. "People are aware of that threat. We don't advocate telling employees not to use web apps, because they'll do it anyway. Tell them how to do it safely. We allow Cisco employees to use Web 2.0 technologies, like instant messaging — but we advise them not to use public IM for business, but to use our internal system."

The survey was conducted by Vanson Bourne.