Without a doubt, compliance demands and fears of bad publicity from stolen or lost data continue to push security to the top of corporate agendas. But a deepening recession could put a real squeeze on security efforts this year.
Readers who participated in Information Security's Priorities 2009 survey ranked data protection, threat management and other security initiatives as top concerns. At the same time, 27 percent of the more than 900 respondents expect their security budgets to remain flat and 23 percent are delaying some purchases. More than half expect security budget cuts if the economy doesn't rebound.
"With tightening budgets, anything that's not essential will probably be put on hold," says Justin Drain, data security manager at Fremont Bank in the San Francisco Bay Area. "If what you have planned isn't designed to deal with compliance or an active threat, it would make sense to put it on hold."
Kevin Dickey, CISO and deputy CIO for Contra Costa County in the San Francisco Bay Area, doesn't have much choice. Data protection is a priority for him, but he's limited in what he can do because the county has been undergoing a series of deep budget cuts.
"The budget cuts force us to be leaner and meaner," he says.
Tight budgets notwithstanding, organizations are under pressure to protect sensitive customer data. As of November, 44 states had enacted laws requiring notification of security breaches involving personal data, according to the National Conference of State Legislatures. Other government and industry requirements such as HIPAA and the Payment Card Industry Data Security Standard (PCI DSS) also mandate companies secure their customers' sensitive information.
New personal data protection laws passed in 2008 will add to the pressure.
Nevada in October enacted a law requiring encryption for transmission of personally identifiable information over public networks. A Massachusetts law takes effect May 1 that requires businesses not only encrypt transmission of personal data but also personal data stored on laptops and removable storage devices.
|Planning for the Worst|
Restaurant operator outsources data center to ensure uptime
SOME TIMELY PLANNING helped OSI Restaurant Partners LLC avoid disaster when Hurricane Charley hit Florida in 2004, shutting down power in Tampa. The company operates more than 1,200 restaurants, including Outback Steakhouses.
The year before, CIO Dusty Williams and his team outsourced its data center -- which was housed in the company's Tampa headquarters without backup power -- to Qwest. When Charley hit, "none of the restaurants even knew anything happened," he says.
Disaster recovery planning is critical for every company, Williams says: "No matter what business you're in these days, if systems are down for any length of time, it will have a major impact on either revenue generation or cost containment."
Eighty-two percent of participants in Information Security's 2009 Priorities survey say disaster recovery and backup is among their data protection concerns.
Since moving the data center to Qwest's secure CyberCenter in Tampa, OSI expanded its disaster recovery efforts by adding a backup facility located in Qwest's Chicago CyberCenter. "We look at it as an insurance policy," Williams says.
"The trend is increased emphasis on data protection," says Mark Steinhoff, national financial services lead and principal at Deloitte & Touche LLP's security and privacy services. "What we are seeing with our clients is increased concern not only around the regulatory drivers, but brand and reputation risk associated with having the information disclosed in an unauthorized manner."
In addition to protecting their customers' personal data, organizations are paying more attention to securing sensitive corporate data such as trade secrets and strategic plans, he adds.
Data protection, including encryption, data loss prevention (DLP) and database access controls, was one of the top areas where survey participants said they plan to spend more in 2009; 70 percent rank laptop/desktop/drive encryption as an important data security initiative this year. Compliance was by far the top driver for data protection efforts with 72 percent of respondents citing it as the main motivator. (see chart below)
The breach notification laws have made data protection "the hottest topic," says Brad Sanford, CISO at Emory University in the Atlanta area. Organizations "don't want the bad press, especially after seeing what happened to companies like TJ Maxx," he adds.
In the fall, Emory began rolling out a full-disk encryption project with the initial focus on about 1,500 employee laptops and possibly a few high-risk desktop workstations. The university chose a solution that would allow it to encrypt removable media like flash drives in addition to laptops and desktops; a few power users will receive a full installation that lets them manage removable media and encrypt files individually. "When we finish that, we'll probably look at encryption of data backup tapes," Sanford says. Contra Costa County started last year to encrypt its backup tapes to mitigate the risk of data loss, Dickey says. The county also hammered out laptop encryption guidelines for county agencies. Spending money on full-disk encryption is small compared to the cost of losing personally identifiable data, but the challenge is convincing executive management, he adds.
Pasadena Federal Credit Union uses PGP encryption to secure sensitive internal and external email exchanges in several departments and plans to expand its data protection efforts.
"Some technologies I will be implementing in the near future are network traffic encryption for our internal network and PGP key validation and encryption for all employee email accounts," says Mike McDanell, information security officer at California-based PFCU.
In addition to encryption, organizations are eyeing DLP technologies. Seventy-one percent of survey respondents say preventing data leaks via flash drives and USB tokens is important and 74 percent say preventing data loss via email and the Web is key.
Fremont Bank's Drain says a major focus for him in 2008 was deploying a DLP tool, which handles multiple protocols. "The problem hasn't been completely solved, but I feel a lot safer now," he says. The DLP deployment was driven by more than compliance demands, he says, calling it an overall best practice.
Alongside their encryption and DLP efforts, organizations are focused on controlling users' access to sensitive data and other corporate resources. Survey respondents cited several identity and access management challenges ahead for 2009, including strengthening endpoint security (67 percent), getting better at strong authentication (55 percent), and improving user access rights (56 percent).
"We're certainly looking at improving our password controls and expanding our use of two-factor authentication," Emory's Sanford says. "The whole identity management struggle -- provisioning and de-provisioning of accounts, making sure the right people have the right level of access into critical systems--is paramount."
Being a university, Emory's environment is fairly decentralized. Figuring out how to effectively manage access in an environment that involves multiple service providers and other third parties is a challenge for many organizations, Sanford says.
Businesses consider bans on social networking when personal information is shared and security risk are introduced.
SOCIAL NETWORKING SITES such as MySpace and Facebook may be digital darlings in today's hyper-connected culture, but they're not too popular in the enterprise. In fact, most are apt to ban their users from accessing such sites.
Forty-two percent of participants in Information Security's 2009 Priorities survey say their policy is to ban user access to social networking sites entirely. Another 27 percent restrict access somewhat.
"In a business environment, social networking is a very bad thing and we look at it as something that needs to be restricted at every point," says Justin Drain, data security manager at Fremont Bank. "It's extremely risky."
Security experts have warned that attackers can use social networking sites to collect personal data about people and carry out social engineering attacks. At the 2008 Black Hat Briefings in Las Vegas, a pair of security consultants demonstrated a series of MySpace attacks, which combined social engineering and technical hacks.
Scott Crawford, research director at IT consulting firm Enterprise Management Associates, says enterprises tend to steer clear of social networking sites even if the marketing department sees it as a new media outlet. "Unless there is some compelling reason, they're inclined to shut it off," he says. "It's a best practice as far as security."
In academic environments with student populations, however, banning or restricting use of Facebook and other sites isn't so feasible.
"We do have some monitoring but we don't restrict it," says Edmond Kwok, desktop engineering manager at the University of San Francisco. "Some of our courses use social networking sites; one uses Second Life as a teaching tool."
USA Federal Credit Union plans this year to replace the multifactor system it implemented at the end of 2006 to meet FFIEC requirements. The system turned out to be cumbersome, which turned off some online members, says Carolyn James, senior vice president and CIO at USA Federal.
"In the past couple of years, there have been some great developments with multi-factor [technology]. Now, it's more integrated with your platform and almost invisible to members," she says.
The credit union is making the investment in order to promote its online services, which are a cost-effective means of serving members, she adds.
Scott Crawford, research director at IT consulting firm Enterprise Management Associates, says the biggest issue with strong authentication is making it more transparent and less expensive for a business to manage. Physical tokens are expensive to distribute and maintain; companies such as AdmitOne Security, which provides technology that uses keystroke biometrics to authenticate users, offer new approaches, he says.
But Crawford calls endpoint security "the most troublesome aspect of security" for most organizations. "I see businesses still trying to get a handle on making it work and getting some control over what's happening on the endpoint."
Fremont Bank is among those working to gain control over the endpoint. The bank has implemented various tools and procedures to ensure better access control over endpoint devices, including portable storage devices. "We want to be able to say with a level of clarity and confidence that we know everything that touches our network," Drain says.
The University of San Francisco started focusing on endpoint security when it saw a spike in infected computers. It beefed up its security policies and deployed Sophos software for about 3,000 faculty members and employees. Centralized management and Macintosh support were key concerns for USF in the deployment, says Edmond Kwok, desktop engineering manager.
"We're seeing this as a solution to protect the end user and lower our support costs," he says.
Organizations are preparing for a continued onslaught of threats to endpoints and the overall network. Threat management--defending against viruses, malware and intrusions--is an area where 21 percent of respondents said they plan to spend more in 2009, ahead of data protection, identity management and application security.
"Just the sheer growth in malware code that's floating out in the wild has people very concerned because how do you deal with the staggering growth in threats that often directly target sensitive information?" Crawford says.
"You should assume attackers will get past some defenses, so this raises the bar on defense in depth," he says. "You want to contain them an make it as frustrating as possible to get to their desired targets…So that means increasing the number of barriers to sensitive information--without interfering with the performance of critical applications."
Organizations are always looking for better threat management solutions, says Emory's Sanford.
"The good guys and bad guys are at war on that front. They get better attack tools, you improve your defenses and it seesaws back and forth," he says. "Everyone is spending time consciously looking at where they are, what their defenses are capable of, their shortcomings, and how to improve."
Enterprises are focused on correlating threats to vulnerabilities -- formulating all the data produced from various threat management tools so they can make meaningful decisions about mitigating threats, says Deloitte's Steinhoff.
Indeed, a majority of survey participants cite correlating threats and vulnerabilities as their top vulnerability management challenge.
Contra Costa County's Dickey is looking at automated vulnerability scanning and patch management tools to reduce risk exposure--and to deal with fallout from the county's budget cuts. "We also need automated tools to replace the fact we don't have as many human resources to do manual reviews on desktops and servers," he says.
While organizations have threat management and data protection at the top of their to-do lists, many are "deferring some of the technology solutions based on budget constraints," Deloitte's Steinhoff says (see chart below).
"Rather than spending dollars today on technology implementations, more [businesses] are taking their time and taking advantage of the current environment to think through, plan, evaluate and test the market for the right solution," Steinhoff says.
Twenty-two percent of survey respondents say delaying or canceling nonessential upgrades or implementations is their top strategy to contain security costs. Well over half say that threat management, data protection or identity and access management deployments are vulnerable to potential budget cuts.
At Emory University, Sanford expects to put a priority on initiatives that can be done for free or less money while putting off more costly projects for a couple years. Cost-saving initiatives include improving policies, ramping up security awareness, and utilizing open-source tools. Twenty-seven percent of survey participants say they will focus on security awareness as a cost-containment measure.
"There are a lot of ways to improve the security posture of your organization that aren't necessarily about buying tools and implementing them," he says. "Even something as simple as evaluating technologies you've deployed and making sure your default install configurations have the right security controls will go a long way to improving security."
USA Federal Credit Union is looking to consolidate a few of its security vendors in order to save money, James says. However, the gloomy economy won't impact the organization's security efforts.
"It's a bleak year, but we'll keep our systems running and not give up on security," she says.
Marcia Savage is features editor of Information Security. Send comments on this article to firstname.lastname@example.org.