Security continues to be a major concern in ZDNet Asia's latest survey on the region's top IT priorities, with internal risks being the most important among them.
According to the study, which polled 722 respondents across the Asia-Pacific region in August, 4.7 percent of respondents said security was currently a priority.
When asked what their top three security priorities were, 52.8 percent said they regarded protecting the network from insider threat as the No. 1 priority. Other concerns included securing network access from outside the LAN (49.7 percent) and secure employee communications (44.2 percent).
Source: ZDNet Asia IT Priorities Survey 2008/09
Across the Asia-Pacific region, security issues were strongest in Singapore (13.6 percent) and Greater China (12.2 percent).
By company size, security issues were about as important across all sizes of organizations. More respondents in midsize businesses (10.3 percent) regarded security as a priority, compared to small (8.0 percent) and large (8.9 percent) businesses.
"Over much of the last decade, security strategy has primarily been a matter of 'keeping the bad guys out'...security strategy must evolve to realize that bad--and good--guys might be anywhere," he added.
"This requires a much more sophisticated security strategy, not simply access control rules, such as 'deny' and 'allow'," Warrilow said.
Elaine Lee, IDC Asia-Pacific's market analyst for hardware and software, noted that as the insider threat grows, "organizations now have to look into their employees' behavior".
"Employee, the trusted entity, can be a very dangerous insider threat with the availability of his power, trust and knowledge in the organization," Lee said. "As such, management must pay close attention to many aspects of an organization, including its business policies and procedures, organizational culture and technical environment."
Protecting against internal risks
Eric Hoh, vice president of Asia South region at Symantec, added that to guard against insider threats, enterprises require more than network security. "They must protect their sensitive information itself," he advised.
Enterprises can turn to data loss prevention (DLP) to address this issue, Hoh said. He highlighted three key steps to get started on DLP:
1. Discover and protect confidential data
"Enterprises first need to accurately discover confidential data wherever it is stored, used, copied or sent. Once this data is identified, enterprises can then take proactive steps to protect confidential information before it has a chance to be transmitted," Hoh explained.
2. Monitor all data usage and prevent confidential data exiting
"Preventing confidential data from being transmitted outside the enterprise first requires comprehensive monitoring of multiple exits and endpoints," he said, adding that e-mail is "only part of the problem". Web applications such as instant messaging and blogs, as well as other electronic channels, may also be points of weakness, he noted.
"Storage devices such as USB devices, CD/DVDs and [Apple] iPods also provide easily accessible endpoints to which confidential data can be copied. It's not enough simply to monitor security violations; the key is to prevent sensitive data from being transmitted by blocking it, in effect closing the door before the proverbial horse is out of the barn," Hoh said.
3. Change employee behavior via awareness and education
"The effectiveness of even the best technology and processes can be undermined if employees do not understand the value of their company's information assets and their role in mitigating risk," he said. "With heightened awareness, however, employees can also become a company's strongest line of defense and its most valuable security asset."
According to the Symantec executive, while formal security awareness training programs and clear security policies will be useful, the "most effective education comes through intervention at the time of action".
"Many data breaches are the result of simple user error. People make mistakes. They forget. They misunderstand. But they can also correct themselves--if they know they erred," Hoh said.
According to IDC's Lee, other security challenges that Asian companies face include "localized language malware, which international vendors might be slow in releasing patches or miss completely".
Another security concern is the issue of criminal activities in emerging countries such as "China and India where IT adoption is in [the] infant stage and outsourcing is booming", she said. China, with less established security infrastructure and policies, is "one of the top countries for hosting phishing Web sites."
Lynn Tan is a freelance IT writer based in Hong Kong.