Common oversights in enterprise data security

Mobile and social media policies, as well as outsourced data, are among the top security risks businesses face today, industry watchers note, adding that the mindset of finding solutions only when breaches occur needs to change.
Written by Kevin Kwang, Contributor

The confluence of factors, from the proliferation of mobile devices such as tablets and smartphones and the rise of social media to more cybercrime, has created a "perfect storm" in terms of protecting enterprise data.

As such, companies need to shift from adopting reactive measures to embracing a proactive mentality to ensure data security is not compromised, observers urged. Specifically, areas such as mobile device management, social media engagement policies and outsourced data sitting atop cloud computing services have been called out as key areas that enterprises need to look into.

ZDNet Asia spoke to several industry insiders to delve deeper into various oversights and provide best practices for companies to adopt.

Coping with "mobile tsunami"
Ang Poon-Wei, senior market analyst of enterprise infrastructure ICT security at IDC Asia-Pacific, noted that the increased availability of myriad mobile devices--from smartphones to tablets--can only add complexity to the already complex IT infrastructure.

He said in his e-mail that provisioning access for these mobile devices will have to be balanced with IT security concerns, which not only include having to consider authentication of devices but also security policies for when these devices are used outside the corporate network.

Benjamin Mah, director of business development for enterprise security at Oracle Asia-Pacific, added that the "mobile tsunami" problem is compounded when these mobile devices are also for personal use and, as such, deemed accessible to third parties such as one's family and friends.

Citing Apple's iPad as an example, he told ZDNet Asia during an interview that a user's family members may access the device for recreational purposes even though corporate data resides on it. This, he added, can inadvertently lead to sensitive data being compromised.

Despite the potential security risks, Mah said most companies are still at the "start of the curve" in terms of recognizing and introducing policies to manage these threats. Currently, many organizations are just reinforcing existing mobility-related policies, which he said is a "good first step". That said, the Oracle executive suggested they go on to investigate further and define better policies that relate to the changing user patterns on mobile devices.

Social media conundrum
According to Rob Forsyth, managing director of Sophos Asia-Pacific, social media only saw a spike in usage in the last 24 months. Nonetheless, it has effected a "societal change" in how people communicate and share information, regardless of whether they do so in the capacity of a consumer or business user.

He went on to say that while information posted on its own on sites such as Facebook or Twitter might not pose an immediate risk, his "big fear" is of aggregation. Elaborating, he said that cybercriminals can now track someone's data or location by pulling the user's various social feeds together and analyzing these to find loopholes into the organization's network or data repositories.

In fact, according to Symantec's 2011 State of Security survey, 46 percent of the respondents identified social media as one of the "somewhat or extremely significant industry trends affecting difficulty of security". The same percentage pinpointed "well-meaning insiders" as "somewhat or extremely significant" security threats today, it revealed.

"While these [social media] communication channels present unique marketing and collaborative opportunities, the potential for clicking on malicious links or posting sensitive information worries IT," the security vendor noted.

An example of employees leaking sensitive information via social media sites is Microsoft's Joe Marini. The former Redmond program manager on its Windows Phone team had to leave the company following his tweets about an unreleased Windows Phone-powered Nokia device in September, thus violating the software giant's social media and blogging policy, according to a report by ZDNet Asia's sister site CNET.

Forsyth added that the fault does not rest entirely on the company or the employee when such fallouts happen, and both parties have their part to play. To better mitigate such risks, the Sophos executive said public education through the media and private education during induction training for new hires would help people mind their online conduct.

Markus Hennig, chief technology officer at Astaro, now a Sophos company, concurred. He said raising awareness of data security amongst employees is "crucial" and that training would educate employees on the current threats and how to prevent network attacks.

"This way, employees will better accept and understand the importance of the security protocols that are implemented at their workplaces," he said in his e-mail.

Beware "remote hands"
Oracle's Mah also pointed out that another big current trend in enterprise IT--cloud computing--leads to data security concerns. He said that by outsourcing internal company data to third-party vendors providing these cloud services, how the data is managed and who accesses the information on the backend, or "remote hands", is often a mystery.

An earlier report, for instance, detailed how file-hosting sites would generate uniform resource identifiers (URIs)--the secret unique links used by the owner of a document to share a file--in a predictable fashion. Five researchers from Belgium and France claimed in a study that they were able to disclose hundreds of thousands of private files in less than a month, according to the article.

In response to the research team's findings, Ronnie Ng, systems engineering manager at Symantec, urged companies that make use of such cloud services to understand that ownership of data privacy and security is shared between the service provider and the organization.

Mah also called on businesses to invest in management systems that would allow IT administrators to oversee the data hosted externally as well as check that policies and processes are being followed according to the agreed upon service level agreements (SLAs).

Cybercrime here to stay
From an external threat perspective, IDC's Ang said that cybercrime is a "lucrative" business and is no longer limited to individual hackers due to the proliferation of the Internet, which provides prospective hackers access to affordable malware toolkits.

He said such kits can be bought for about US$700 but, more importantly, the organization selling these kits would have the option of accessing what the hacker created via a "backdoor" included in the kit.

"As a result, the average Joe who decides to try his luck on getting rich through cybercriminal activities is also helping these organizations [selling malware kits] to extend their coverage," Ang said.

Eric Hoh, vice president of Symantec's Asia South region, added that as attackers use more "insidious, sophisticated and silent methods" to steal data and wreak havoc in the enterprise landscape, businesses are countering such threats by increasing staffing levels and budget for the IT department.

"They are adding the most employees in areas of network, Web and endpoint security…[while] security budgets are also growing in Web, network security and data loss prevention. It is clear that organizations are stepping up their efforts in improving their protection," he noted.

Proactive security posture needed
Ultimately, Ang reckoned that companies need to move away from reactive security measures and waiting for something to happen before trying to fix it.

"The impact of this [mindset] is still crippling businesses these days, and the fact that there is already technology out there which facilitates proactive 'immunization' has done little to help [the situation]," he said.

Mah added that many of the current security policies are kept on the shelf without being used or reviewed over time for relevance--a state he attributed to the "don't touch until it's broken" mentality that Ang alluded to.

The IDC analyst urged IT vendors, channel partners or IT security administrators to educate users and utilize security technology that provides a certain level of "immunization" from threats, even if it might take some effort to review existing business processes, consolidate IT infrastructure and implement education sessions.