
People Power: the trade-off between productivity and network security

Date post: 25-Dec-2014
Description:
We have entered an era in which people are not slaves of their computers and desks to access information anymore. Mobile technologies, social networking and a multitude of new devices provide us with an unseen freedom of information, communication, collaboration and productivity. But there are many security risks...
Page 1: People Power: the trade-off between productivity and network security

Exploring the trade-off between productivity and network security?

People power


Made up of more than 1,800 consultants, architects and designers, BT Global Services offers one of the biggest dedicated security practice communities in the world.


Be careful what you wish for

Fifteen years ago we were enslaved. To access information we had to be in front of our computers, at our desks, in our offices. Today the balance of power has been turned emphatically on its head. Technology now serves us wherever and whenever we want it to, via a huge range of devices.

Yet while people have become increasingly central to this evolving story, the way business thinks about security isn’t keeping pace. For many CIOs this mind-boggling freedom of information can appear pretty scary. They don’t quibble with the idea that productivity has been enhanced by technology, but they do have a sense that being able to access data anytime, anywhere has created more security threats. So can the two things co-exist? What exactly are the new risks? And what role do people play in keeping data secure?


Cyber-crime 2.0

Never has corporate data appeared so attractive to people involved in cyber-crime. The early history of the internet saw cyber-crime targeted principally at the individual consumer. But times are changing. A Forrester report in 2010 found that proprietary knowledge and company secrets are twice as valuable as the kind of information typically found on a consumer’s computer or phone (card details, medical data and so on). Ovum cites UK government figures putting the cost of cybercrime to the country at £27bn annually [1]. Extrapolate those figures globally and the numbers become frightening.

So if the intellectual property of the business world is such a target, it follows that IT departments should be redoubling their efforts to keep it secure. Yet that’s easier said than done. According to a study by McAfee, 68 per cent of data loss comes from within [2]. In other words, while IT departments are pulling out all the stops to keep outsiders from getting in, the bigger problem actually comes from their own colleagues. On the whole such leaks are accidental – someone leaves a laptop unencrypted or sends an email to the wrong person by mistake – but even allowing for the inevitability of some human error, 68 per cent feels worryingly high.

Adding to the complexity, and giving cyber-criminals more ways to reach company data, is the explosion in the number of devices out there. In Brazil there are now more mobiles than people [3]. In the US, 85 per cent of children own or have access to a mobile phone, while only 73 per cent own a book [4]. Devices like the iPad are bought for leisure yet are also used (by 51 per cent of people, according to recent figures [5]) to log on to work systems. Are these personal devices vetted by the IT team? Often they’re not.

[1] Source: Silicon.com, www.silicon.com/technology/security/2011/03/09/cyber-espionage-firms-fail-to-take-threat-seriously-39747112/

[2] Source: Softcat, www.softcat.com/files/pdfs/TheThreatsEnglish.1.pdf

[3] Source: TechEye.net, www.techeye.net/mobile/cheap-handsets-mean-more-phones-than-people-in-brazil#ixzz1IGJDVVHJ

[4] Source: Digital Buzz, www.digitalbuzzblog.com/mobile-statistics-2011-growth-of-mobile/

[5] Source: BT Global Services, http://globalservices.bt.com/static/assets/insights_and_ideas/risk_resilience/pdf/btgs_gs09_6thingsuneed2knowin2010_whitepaperFINAL.PDF



But when you flip this over and look at devices approved and provided by work, a similar problem occurs. As many as 21 per cent of people let their family use their work laptop to access the internet [6]. Are those family members versed in the company’s IT policy? Again, the answer is likely to be ‘no’.

Revealingly, at an event in London in April 2011 IDC expressed the view that viruses are no longer the biggest security threat. That dubious honour now lies with what it described as ‘security sprawl’. So how should these risks be tackled? Firstly by not trying to swim against the tide. Employees, especially the younger generation, have grown up with the internet. Trying to prohibit the use of certain devices or certain ways of using those devices is futile. There’s also a good chance that by seeking to place limits on the way technology is used, you will also place a limit on people’s effectiveness and on their ability to innovate. Instead the best approach is to take the following sensible steps:

> Education. Ongoing training should be provided so that people understand your organisation’s policy on information security, personal email use or plugging personal iPods into computers, for example.

> Access. You need to get the balance right, giving people access to the information they need, with enough leeway to innovate and do their job. But full administrative rights are rarely appropriate for anyone’s day-to-day account, let alone the entire workforce: grant the least privilege that does the job, and review regularly who holds elevated rights and why.

> Encryption. Always encrypt your commercially sensitive data, and particularly any customer data you may hold, both at rest on laptops and removable media (full-disk encryption) and inside the documents themselves where they leave the network. It sounds obvious, but not all organisations do it. Most mainstream applications, Microsoft Office included, support strong encryption, with the caveat that the protection is only as good as the passphrase and, for Office, the file format: the pre-2007 binary formats use much weaker encryption (40-bit RC4 in the default setting) than the AES-based encryption of the 2007 and later formats.

> Monitoring. Security monitoring is no longer optional: network traffic and authentication logs should be monitored on a 24/7 basis, for two reasons. Firstly, so that you can undertake forensic analysis when an incident occurs, which means the logs must already have been retained, with accurate timestamps, before the incident happened; and secondly, to detect threats in real time so they can be tackled immediately.

[6] Source: BT Global Services, http://globalservices.bt.com/static/assets/insights_and_ideas/risk_resilience/pdf/btgs_gs09_6thingsuneed2knowin2010_whitepaperFINAL.PDF



Where mobiles go when they die

The economic climate has a role to play in this debate too. With most economies still only tip-toeing out of recession, employees are generally holding fire. But research shows that once the market starts to accelerate again, many will be looking for new opportunities: in the US one in five employees plan to change jobs when the recession lifts, and in the UK that figure is more like one in three [7]. Ex-employees can take devices with them, may know passwords that are still in use, and may have accessed the company system using their own laptops or smartphones.

For others, redundancy will be their route out of the company, sometimes with potentially catastrophic consequences. Last year a former network engineer at Gucci was charged with hacking into the company’s network [8], deleting data and shutting down servers and networks. He faces up to 15 years in jail, but for Gucci the reputational damage has already been done.

Even if devices are thrown away they can still cause problems. The increasing popularity of websites that buy old mobile phones is a good example. In research from March 2011 by data protection company CPP, 81 per cent of people said they had wiped their mobile before selling it. Yet when these phones were examined by experts, 54 per cent still contained sensitive personal data: PINs, bank account details, passwords. The ‘wipe’ offered by many handsets does not reliably erase flash storage; encrypting the device from the day it is first used is the most reliable protection for the day it is sold.

[7] Source: BT Global Services, http://globalservices.bt.com/static/assets/insights_and_ideas/risk_resilience/pdf/btgs_gs09_6thingsuneed2knowin2010_whitepaperFINAL.PDF

[8] Source: SC Magazine, www.scmagazineus.com/former-gucci-insider-charged-with-hacking-network/article/200030/


Combating these threats requires action by three groups of people within the organisation:

> The IT department needs to make sure that every account, credential and remote-access entitlement (directory login, VPN, webmail, cloud services) is revoked when people leave the organisation, and that any shared or service passwords the leaver knew are changed. Check the logs afterwards: a successful login from a leaver’s account after their last day means something was missed.

> The HR team should double check that access tokens and key fobs have been returned, and should give the IT department the leaving date so that revocation can be timed to it.

> Individuals need to be aware of the company security policy. It should contain guidelines and advice to help them act responsibly and safely in the way they use and access data and devices. Training should be carried out for new joiners, with refresher courses for existing staff.
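The IT department’s part of this, and the ‘Access’ and ‘Monitoring’ steps earlier in the paper, can be scripted as a routine review. The following Python script is an added example, not code from the BT paper: it reads a directory export, an HR leavers list and a handful of VPN authentication log lines (all constructed here), and reports leavers whose accounts are still enabled, leavers who authenticated after their last day (which catches a credential, such as a separate VPN login or token, that disabling the directory account did not revoke), and accounts holding admin group membership outside an approved list. The CSV columns, the log line format, the group name and the approved-admin set are assumptions; replace them with your own exports.

```python
"""Leaver and privilege review over constructed directory and VPN-log exports.

Added example, not from the BT paper. Every input below is constructed and
the CSV columns, log format, group names and approved-admin list are
assumptions; swap in your own exports to use it.
"""
import csv
import io
import re
from datetime import datetime, timezone

# Constructed directory export: one row per account.
ACCOUNTS_CSV = """username,enabled,groups
asmith,true,staff;domain-admins
bjones,true,staff;domain-admins
cwong,false,staff
dlee,true,staff;domain-admins
eroberts,false,staff
"""

# Constructed HR leavers list: username and last working day.
LEAVERS_CSV = """username,leave_date
bjones,2011-03-31
cwong,2011-02-15
eroberts,2011-03-15
"""

# Constructed VPN authentication log. eroberts still authenticates after
# leaving, standing in for a VPN credential that lives outside the directory.
VPN_LOG = """\
2011-04-02T08:15:11Z vpn01 auth user=asmith result=success src=203.0.113.10
2011-04-02T22:41:03Z vpn01 auth user=bjones result=success src=198.51.100.7
2011-04-03T09:02:44Z vpn01 auth user=cwong result=failure src=198.51.100.9
2011-04-03T10:30:00Z vpn01 auth user=dlee result=success src=203.0.113.12
2011-04-03T23:05:17Z vpn01 auth user=eroberts result=success src=198.51.100.21
"""

ADMIN_GROUPS = {"domain-admins"}   # groups that confer admin rights (assumption)
APPROVED_ADMINS = {"dlee"}         # accounts allowed to hold them (assumption)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def _utc(stamp, fmt):
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)


def load_accounts(text):
    """Map username -> {'enabled': bool, 'groups': set of group names}."""
    return {
        r["username"]: {
            "enabled": r["enabled"].strip().lower() == "true",
            "groups": {g for g in r["groups"].split(";") if g},
        }
        for r in csv.DictReader(io.StringIO(text))
    }


def load_leavers(text):
    """Map username -> last working day as an aware UTC datetime (midnight)."""
    return {r["username"]: _utc(r["leave_date"], "%Y-%m-%d")
            for r in csv.DictReader(io.StringIO(text))}


def parse_vpn_log(text):
    """Parse log lines into events; lines in an unexpected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({"ts": _utc(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                           "user": m["user"], "ok": m["result"] == "success"})
    return events


def review(accounts, leavers, events):
    """Return findings as sorted username lists, one list per check."""
    still_enabled = sorted(u for u in leavers if accounts.get(u, {}).get("enabled"))
    after_exit = sorted({e["user"] for e in events
                         if e["ok"] and e["user"] in leavers and e["ts"] > leavers[e["user"]]})
    unapproved = sorted(u for u, a in accounts.items()
                        if a["groups"] & ADMIN_GROUPS and u not in APPROVED_ADMINS)
    return {"leaver_still_enabled": still_enabled,
            "leaver_login_after_exit": after_exit,
            "unapproved_admin": unapproved}


def run_review():
    return review(load_accounts(ACCOUNTS_CSV), load_leavers(LEAVERS_CSV),
                  parse_vpn_log(VPN_LOG))


if __name__ == "__main__":
    for check, users in run_review().items():
        print(f"{check}: {', '.join(users) or 'none'}")
```

The third finding is the one worth noticing: eroberts is disabled in the directory yet still gets through the VPN, which is exactly the gap the paper’s ‘monitoring’ advice exists to catch. Run the review on a schedule, not only when someone remembers a leaver.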

BT Global Services has developed active alliances with more than 100 leading security partners including Check Point, Blue Coat, Crossbeam, IBM ISS, McAfee, EMC/RSA, Microsoft, Oracle / Sun, Juniper, Cisco Systems, HP, Websense, ActivIdentity and Symantec.


The wild west of the security world?

The influence of Twitter – the world’s most famous five year-old – continues to amaze. In the days after the Japanese earthquake, relief organisations were using the micro-blogging site to post information for non-Japanese speakers trying to contact relatives left homeless [9]. And the US State Department used Twitter to publish emergency numbers to inform Japanese residents in America how to contact families back in Asia.

But Twitter isn’t alone. There are now more social networking accounts than there are people on earth [10]. Facebook and Twitter generally hog the column inches, but there are numerous big hitters elsewhere in the world. The dominant social network in Brazil is Orkut, in China it’s Qzone, while Russia has VKontakte. And while corporate marketing teams have been relatively slow to understand how best to use social media sites, they’re now starting to see the dollar signs.

Marketing messages make up a growing chunk of the one billion (yes, one billion) messages that get sent every single week on Twitter [11], while sites like Facebook are increasingly being used as the go-to channel for retailers trying to ‘engage’ with customers. Starbucks boosted sales of Christmas drinks by 15 per cent last year by inviting its Facebook fans to choose seasonal flavours [12]. And Coca-Cola records at least 10 times as much traffic to its Facebook page as to its own website [13].

Yet these marketing opportunities are not without security risks. The volume of spam and malware targeting such sites increased by 70 per cent in 2009 [14]. Equally worrying is the growth in ‘social engineering’ attacks – hackers setting up false accounts and attempting to acquire personal data from people or organisations by ‘befriending’ them on social networking sites.

[9] Source: Daily Telegraph, www.telegraph.co.uk/technology/twitter/8379101/Japan-earthquake-how-Twitter-and-Facebook-helped.html

[10] Source: Silicon.com, www.silicon.com/technology/mobile/2011/04/01/social-network-accounts-outnumber-people-on-earth-39747241/

[11] Source: Twitter, http://blog.twitter.com/2011/03/numbers.html

[12] Source: Financial Times, www.ft.com/cms/s/0/240f19d4-5afc-11e0-a290-00144feab49a.html

[13] Source: Financial Times, http://www.ft.com/cms/s/0/240f19d4-5afc-11e0-a290-00144feab49a.html#axzz1Lw1iTcsD

[14] Source: Asian Security Review, http://www.asiansecurity.org/articles/2010/feb/08/social-media-security-risks-revealed/



One of the most common tactics is link obfuscation, often loosely called ‘clickjacking’ (strictly, that term means UI redressing: tricking a user into clicking a hidden or overlaid page element, which is a different attack). Criminals take advantage of the popularity of posting shortened URLs (bitly and TinyURL are common services). A shortened URL does not show the true destination of the link: a link to an article on the BBC website wouldn’t start with www.bbc.co.uk, but would instead look something like http://tinyurl.com/6dvr4lk. Hackers use this to disguise the fact that clicking on a link will actually take you to a malicious site. Because almost every shortener works by issuing an HTTP redirect, the only reliable check is to expand the link and look at the final host before anyone clicks it.
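As an added example (not code from the BT paper), the following Python script expands a shortened link by following only its HTTP redirect chain with HEAD requests, never fetching the final page, and then compares the final host with the host the message claims to link to. The live `http_head` function uses nothing beyond the standard library; the `FAKE_REDIRECTS` table, the hostnames in it and the `SHORTENER_HOSTS` list are constructed assumptions so that the check can be exercised offline.

```python
"""Expand a shortened URL by following only its redirect chain.

Added example, not from the BT paper. http_head() talks to the live network
with the standard library; FAKE_REDIRECTS, the hostnames in it and
SHORTENER_HOSTS are constructed assumptions used to run the check offline.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}  # assumption


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report a 3xx as an HTTPError instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def http_head(url, timeout=5):
    """One HEAD request; returns (status, Location header or None). Live network."""
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "link-check/1.0"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:   # a 3xx we refused, or a 4xx/5xx
        return err.code, err.headers.get("Location")


def resolve(url, head=http_head, max_hops=10):
    """Follow Location headers; return (chain, final_url, problem_or_None)."""
    chain, seen, current = [url], {url}, url
    for _ in range(max_hops):
        try:
            status, location = head(current)
        except OSError:                       # DNS failure, timeout, refused
            return chain, current, "error"
        if status not in REDIRECT_CODES or not location:
            return chain, current, None
        nxt = urljoin(current, location)      # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return chain, nxt, "loop"
        seen.add(nxt)
        current = nxt
    return chain, current, "too_many_hops"


def assess(url, claimed_host=None, head=http_head):
    """Verdict for a link: 'ok', 'host_mismatch', 'unresolved_shortener',
    'loop', 'too_many_hops' or 'error'. claimed_host is where the message
    says the link goes, e.g. 'www.bbc.co.uk'."""
    chain, final, problem = resolve(url, head=head)
    host = (urlsplit(final).hostname or "").lower()
    if problem:
        verdict = problem
    elif host in SHORTENER_HOSTS:
        verdict = "unresolved_shortener"
    elif claimed_host and host != claimed_host and not host.endswith("." + claimed_host):
        verdict = "host_mismatch"
    else:
        verdict = "ok"
    return {"chain": chain, "final": final, "final_host": host, "verdict": verdict}


# Constructed redirect table standing in for live shortener responses.
FAKE_REDIRECTS = {
    "http://tinyurl.com/example1": (301, "http://www.bbc.co.uk/news/example-story"),
    "http://bit.ly/example2": (301, "http://t.co/example3"),
    "http://t.co/example3": (302, "http://www.bbc.co.uk.evil.example/login"),
    "http://bit.ly/loop1": (301, "http://bit.ly/loop2"),
    "http://bit.ly/loop2": (301, "/loop1"),
}


def fake_head(url):
    """Offline stand-in for http_head using the constructed table."""
    return FAKE_REDIRECTS.get(url, (200, None))


if __name__ == "__main__":
    for link in ("http://tinyurl.com/example1", "http://bit.ly/example2", "http://bit.ly/loop1"):
        result = assess(link, claimed_host="www.bbc.co.uk", head=fake_head)
        print(result["verdict"], " -> ".join(result["chain"]))
```

The second constructed chain is the case that matters: two hops through shorteners end at a host that merely starts with the claimed name, which is why the comparison is against the whole hostname (or a subdomain of it) and not a prefix. A HEAD request is still a request, so run this from a sandboxed host rather than a marketing laptop.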

So how should IT departments train staff to minimise the risks?

> Education. Again, clear policies and education are paramount. Marketing staff need to exercise the same level of vigilance in opening messages, and clicking links received in messages, as they would with their own email. When it comes to phishing attacks against consumers the message seems to be getting through: in the UK, for example, while the number of phishing attacks has risen to an all-time high, online banking fraud losses were down to £46.7m last year, a 22 per cent decrease from 2009 [15]. The people running your social media marketing activity need to show the same level of caution.

> The horse has already bolted. You might think that one way to limit the risks would be to limit access to social media. This will not work. For your younger employees in particular, social media is a way of life. For the IT department the challenge is to make security policy on social networking usage relevant to ‘Generation Y’ employees.

> Blurred boundaries. You should also be alert to your employees’ use of social media outside of work. The information they include in things like their Facebook profiles can be used by attackers to build up a detailed picture of their habits, lifestyles and colleagues, helping them to target social engineering attacks more convincingly.

[15] Source: Silicon.com, www.silicon.com/technology/security/2011/03/10/online-fraud-falls-as-consumers-wise-up-to-phishing-39747119/



Cloudy with a chance of security scares?

Cloud computing is continuing to set the pulses of CIOs racing. IDC predicts that while global IT spend will increase by six per cent in 2011 [16], spending on public cloud computing services will grow five times faster. Gartner’s latest CIO Survey [17] suggests that almost half (43 per cent) of CIOs expect to operate their applications and infrastructures through the cloud within the next five years.

Yet behind the hype, concerns persist. Just two per cent of companies in Europe have implemented cloud services, a figure that hasn’t changed since 2009 [18]. And a recent survey by Forrester found that for 58 per cent of decision-makers security is the main concern [19]. Interestingly, the people issues around cloud computing are just as significant in tackling the security challenges as the technology.

> Your IT Team. You need to sit down and understand exactly what you want to achieve by using cloud services. Clear guidelines should be drawn up. What type of data do you want to move to the cloud? Where will that data actually be hosted? What are the regulatory implications if data is stored in different countries? You may feel that the ‘perimeter’ of the cloud is fit for keeping out unwelcome intruders, but how do you make sure that data within the cloud itself is secure?

> Your supplier. Do you know who within the supplier organisation will have access to your data? Can your supplier provide audit logs (in the event of data theft such logs can help to pinpoint the perpetrator)? You should also ask your provider for compliance certification, or information about a recent audit that can be shared with your auditor.

> Your employees. Be aware of employees taking a DIY approach. Companies that don’t make remote access simple may see employees saving company documents to their own personal cloud services (such as Microsoft SkyDrive). The problem is that many of these consumer-focused services protect an account with nothing more than a password, and give the company no control over who the data is shared with or where it ends up. For companies in highly regulated industries like financial services, this could create serious problems.

[16] Source: Silicon.com, www.silicon.com/technology/networks/2011/02/04/cloud-computing-to-boom-in-2011-39746924/

[17] Source: Silicon.com, www.silicon.com/management/cio-insights/2011/03/21/cloud-security-why-cios-must-tighten-their-grip-39747169/

[18] Source: Silicon.com, www.silicon.com/technology/networks/2011/02/04/cloud-computing-to-boom-in-2011-39746924/

[19] Source: Silicon.com, www.silicon.com/technology/security/2011/02/03/cloud-computing-what-you-should-and-shouldnt-be-worried-about-39746908/



Even in the course of their work, employees might have cause to use cloud services that the IT team has not authorised: for example, if they’re collaborating on a project with a smaller organisation that uses Google Docs. The cloud services of Amazon and Google (aimed largely at SMEs) have had well-reported outages and security incidents, with a lightning storm once knocking out part of Amazon’s service [20]. So once again, communicating clearly with employees is key. Help them understand your policy on cloud computing.

The brutal truth is that security risks are not going to go away. In fact the global picture is one of threats remaining as numerous – and as potentially harmful – as at any time since the birth of IT. Meanwhile the increasing number of devices we own and use, and our growing desire to work on the move, have led to added complexity. Yet the typical approach to tackling this issue – placing all our faith in technology to deal with the dangers – ignores a crucial ingredient in the battle to keep data secure. That ingredient is people. Your staff play a role that is every bit as important as the security hardware and software that your business has invested in. So in the year ahead, place your emphasis on education and awareness. Do this and you will allow technology to be a tool to boost efficiency, productivity and innovation, without compromising security. Go on, embrace the sprawl.

[20] Source: CNET, http://news.cnet.com/8301-1001_3-10263425-92.html

You can assess your operational security today, rapidly identifying weaknesses in your security management and measure its adoption across the organisation. The BT Secure Networking Quick Start Service will help you take cost-effective remedial and preventative measures. The service is based on a unique set of tools, experience and knowledge, drawing on the expertise of consultants from across the BT Group who have come together to form a Global Centre of Excellence.

Find out more about the BT Secure Networking Quick Start at www.globalservices.bt.com/uk/en/products/Secure_networking_quick_start



Offices worldwide

The telecommunications services described in this publication are subject to availability and may be modified from time to time. Services and equipment are provided subject to British Telecommunications plc’s respective standard conditions of contract. Nothing in this publication forms any part of any contract.

© British Telecommunications plc 2011. Registered office: 81 Newgate Street, London EC1A 7AJ Registered in England No: 1800000

Designed by Westhill.co.uk Printed in England

PHME 62497

