Security is rapidly emerging as one of the top priorities that companies need to address in 2008. With attacks assuming epidemic proportions, the traditional approach of ignoring the problem seems to be giving way to more pragmatic ways of dealing with it.
Unisys believes the use of mobile devices will pose new security risks and challenges for IT professionals, while further convergence of physical and IT security will be needed to keep pace with evolving security threats.
“Many organizations have a tendency to view security in the rear view mirror – scrambling to find a solution to a security problem after it’s happened,” says Tim Kelleher, vice-president: Enterprise Security at Unisys.
“To combat new threats and to cater to the evolving demands of their end users, IT professionals must convince their organizations to treat security as a core business function – one that anticipates user demand, predicts future risks and develops workable solutions to potential security events.”
Unisys experts predict the following five trends in the coming year:
* Protecting data on mobile end point devices will demand more attention and become increasingly difficult – With the exploding use of mobile consumer devices (such as cell phones and personal digital assistants), organizations are scrambling to address security issues via passwords and other protective measures at log-in. By doing so, however, many enterprises miss the real threat. They neglect to look beyond the physical device and often fail to protect the data stored in the device, which is not only valuable to owners but a growing target for criminals to commit identity fraud and theft. Data protection is an increasing concern among consumers.
“Digital signatures and encryption are crucial to protecting data, but they must be woven into a holistic security plan that addresses issues such as whether and how the data can be transferred from one device to another,” Kelleher says. “Without such a plan, an enterprise will find that the data on its mobile devices either are too vulnerable to potential breaches or so secure that they become inoperable. Striking a balance between the two is necessary to devise a secure solution that still allows the user to be productive.”
* Banks will face significant challenges in protecting consumers’ data and financial assets as more clients turn to mobile devices to conduct transactions – Mobile banking is gaining traction and will continue to emerge as a significant banking channel, with more than 35 percent of online banking households using mobile devices for financial transactions by 2010, according to a recent Celent report. As this trend continues, security risks will increase. This is particularly the case for mobile phones embedded with radio frequency identification and “near-field” chips, the latter of which enable transactions similar to gas station speed passes. Because of the design of near-field technology and the way in which consumers use it, such devices could be open to attacks such as “phishing”. Another threat is malicious code designed to bypass security technology, allowing unauthorized users to steal someone’s identity credentials.
As financial institutions continue to grow their audiences for e-banking, they must better integrate business processes and solutions to prevent these fraudulent activities and consider new business models. Banks must build better alliances with telecommunications companies and share security knowledge for the benefit of their customers. Service providers also must build comprehensive, interactive consumer education programs about the risks and protections bank customers must take.
* Organizations will seek continued convergence of physical and electronic security measures for enhanced protection against espionage – The convergence of physical and electronic security will continue to drive new economic efficiencies into organizations while improving the safety and security of people, IT systems and mission-critical physical assets. As the global supply chain continues its expansion, 2008 will see greater use of converging security technologies to safeguard land borders and ports, protect sensitive data, and reduce opportunities for espionage. Organizations will integrate physical and IT security measures that, until now, largely had been kept separate.
Such integrated access control systems could include motion sensors to monitor grounds; access cards and biometric credentials to authenticate workers; and RFID tags, both to identify containers and their contents and to reveal suspected breaches. Other convergent applications that can help minimize threats to complex security challenges include electronic e-pedigree that ensures the integrity of products such as pharmaceuticals, highly meshed wireless-enabled sensory networks for border and port security, and intelligent monitoring and surveillance applications.
* Public and private sector entities will pay more attention to paper and electronic records – The global economy is dependent on the efficient distribution of electronic and paper records within and between organisations. The growing use of electronic record exchanges creates fundamental security issues. For example, many individuals readily share critical personal or organisational data without thinking about the security ramifications that exist when a document is passed among multiple individuals.
Kelleher predicts that, in 2008, companies will be more diligent about setting more stringent controls over documents and data that are sent electronically or via U.S. mail. This is likely to result in greater focus on encrypting information on shared portable drives and discs and increased investment in enterprise rights management solutions. The latter enable content owners to encrypt sensitive data and control users’ ability to print, forward, copy or amend a document.
* Popular social networking sites will become increasingly vulnerable to privacy breaches – The broadening use and reach of Web 2.0 technologies will increase the chances of a major privacy breach via social network sites such as MySpace, LinkedIn or Facebook. In 2007, a few of the major social networking sites experienced their first taste of privacy breaches, a trend that is likely to increase as many of these sites begin to connect to one another for information sharing purposes.
Peer-to-peer (P2P) networks create an array of security risks and vulnerabilities for end users. Unauthorized file shares, unintended duplication of personal e-mail and address books, data leakage, password and IM interception and installation of malware programs via P2P clients are just some of the risks that end users can experience. P2P users can minimize risk by improving password complexity; implementing security measures such as personal firewalls, anti-spyware, anti-phishing features and up-to-date antivirus applications; and installing the most current P2P client software, browsers and operating system patches and updates.
As technology evolves, end users will be able to minimise risk through trusted federated directory structures and stronger authentication and cryptographic applications.
Kelleher notes that, while 2008 will bring opportunities to leverage the tremendous communication and collaboration capabilities of the Internet and Web-enabled applications, “the challenge, as always, will be balancing freedom of information exchange with protecting information and people’s identity and privacy.”
Novell agrees that 2008 will see organisations having to face up to new security issues.
Lewis Taljaard, business unit sales specialist at Novell, believes companies need to focus more on compliance, insider threats and identity theft.
"In 2008, businesses can expect the government to become even more involved with compliance standards," he says. "CISOs (chief information security officers) will be asking how they can prove compliance to auditors; and how they can simplify the process."
Insider threats can be a result of deliberate or accidental action.
"As the workforce calls for more collaboration, file-sharing and mobility, employees are increasingly putting their companies at risk. Laptops, PDAs, USB drives and multimedia devices often contain confidential work information and sensitive personal data," says Taljaard.
"And because of their size and mobility, they can be easily lost or stolen. CISOs will increase password protection, encryption and personal firewalls on these devices to remediate security breaches."
An employee attempting to exceed access privileges is also a security threat, he says, and there will be a renewed focus on analysing the ways employees are using systems and revoking access when employees go beyond their authorised scope.
To counter identity theft, stronger authentication combined with better validation is a necessity.
"Authentication methods that depend on more than one factor, such as personal identification numbers or biometrics, can be more reliable and are stronger fraud deterrents," says Taljaard.
"If the only thing between you and your bank account is a username and password, that is a cause for concern. Multifactor authentication will also drive a stronger push toward converging IT security with physical security. Right now, converged security, also known as identity assurance, is primarily happening in the government sector, but in 2008 more banks, retailers and healthcare facilities will begin using access cards and tokens to tighten access security and prevent ID fraud."