We asked and you answered: Insiders, Information leaks, compliance and the bottom lIne are your front-and-center priorities for 2007.
As IT director at a small manufacturer of specialized yacht equipment, Michael Bartlett worries about protecting the firm's intellectual property from outsiders. But increasingly, he's anxious about the threat posed by trusted insiders.
His agenda for 2007 is straightforward: beef up internal security.
"So far, we've been concentrating on the perimeter and the firewall, and protecting ourselves from the outside world," says Bartlett of Quantum Marine Engineering of Florida. "As the company is growing, we need to take better steps to protect our data inside."
Bartlett voices a common concern for many readers who participated in Information Security's 2007 Priorities Survey. For years, organizations' security efforts focused on shoring up network perimeters. These days, the focus has expanded to protecting sensitive corporate data from insiders--trusted employees and business partners--who might either maliciously steal or inadvertently leak information.
Nearly 40 percent of the 453 security professionals surveyed rate detecting internal attacks as either a very or somewhat important challenge for next year. To that end, many place a priority on identity and access management issues in 2007. About 32 percent say improving employee access to information will be very important for their organizations, and almost 30 percent say deploying stronger authentication is key for next year. Brian Joyce, IT director at CPA firm Joseph Decosimo and Co., says his firm plans to implement some type of strong authentication, probably RSA Security's RSA SecurID.
"One of our biggest vulnerabilities is our end-user community, even though we force strong passwords and short retention times," he says. "[If] a user maliciously or accidentally gives out a password, that makes us more vulnerable."
Concern about the risk posed by insiders spans private and public sectors alike. This fall, the Edmonton Police Service in Canada was in the process of installing a tool from Consul Risk Management to track what privileged users are doing on the network and hosts. The agency, which has about 1,400 police officers and 400 civilian staffers, is also looking at ways it could develop additional policies to manage end-user risk, says Peter Clissold, head of security. With some officers working covertly on drug or gang-related cases, he says data security is critical for the department: "If our information is mishandled, it can be life or death."
In an academic environment, controlling user access is difficult, but just as important as in the corporate world, says Jon Oliver, assistant dean and IT director at Rutgers University's School of Communication, Information and Library Studies.
"Staff turnover is higher not because of dissatisfaction, but because we use a lot of hourly student staff," he says. "The issues of access control and identity management are critical for us specifically for that reason. I don't think we've done enough in terms of coordinating that among the entire university establishment."
His school is taking steps to strengthen authentication and get away from simple passwords, which Oliver describes as problematic. Plans for a new research facility include using smart cards to log onto thin clients.
But for Quantum's Bartlett, trying to implement internal controls at the company, which has about 50 employees, is easier said than done. Anything that slows down access is a hard sell.
"Because of the friendly environment, it's sometimes hard to get people to willingly put a block between [them] and the information, even if it's in the best interest in the long run," he says.
Plus, while protective measures help, they won't necessarily stop a determined malicious employee, notes Jay Martin, security manager at D&E Communications, a provider of phone, Internet and other services in Pennsylvania. The proliferation of devices like USB keys among a staff of about 500 makes the job of data protection even harder.
"In the end, if you have a trusted user who is planning to leave the company or is disgruntled, you can authenticate all day but it's still hard to prevent them from taking the data from their screen and putting it to some use that wasn't intended," he says.
Many organizations are looking beyond technical fixes to tackle insider abuse. Glen Carson, information security officer for California's Victim Compensation and Govern-ment Claims Board, says the problem stems more from a lack of user education than poor authentication.
His priority is education: explaining to the 350 users in his agency why data security is important and how it will help them in the long run.
"We recently completed a third-party security assessment and got a good test of our exterior shell, but internally our controls were lacking," he says. "Sticky notes with passwords were found on monitors and in desk areas, in scripts and unprotected source code. People just need help knowing what needs to be done and why."
Carson, who joined the board earlier this year, is building its first formal information security program from the ground up. As the entire infosecurity department, Carson says he needs all the help he can get.
"The best way I know that I can get everybody to help is through education," he says.
Educating end users--which more than 43 percent of survey respondents say will be very important for their organizations next year--is a big part of the security process at USG, a Fortune 500 building products company.
"We believe if we increase our [user] awareness, we could be able to minimize the insider threat," says Ken Watson, USG director of IT risk management and end-user services.
Decosimo's Joyce says keeping clients' data private and secure is especially challenging because a mobile workforce has made network boundaries nearly disappear. The firm uses a wide range of security policies and technologies, with an emphasis on user policy compliance and education.
"We are increasingly finding that, regardless of the amount of money we spend on security technology, an educated end-user community is a first and critical line of defense," he says.
While organizations work to educate end users, regulatory compliance remains a chore for many.
|Ignore at your own risk|
|Click here for an overview showing that preventing virus and worm infections is still a priority (PDF).|
Nearly 34 percent of survey respondents say auditing user access and reviewing privileges will be their top compliance challenges in 2007. Readers also rank defining and enforcing security policies and encrypting the transmission of sensitive data as big regulatory issues for next year.
D&E's Martin, who estimates that roughly 20 percent of his time is spent on Sarbanes-Oxley and HIPAA compliance issues, says that database encryption is a challenge for his firm, and that external auditors don't provide much guidance on that front: "They ask for things that would be detrimental to our systems."
Having a good plan for notifying customers in the event of a breach that exposes their confidential data is another compliance-related task his firm is tackling. California's security breach law SB 1386 paved the way for similar requirements in other states. "We keep hearing there might be a federal law. Now there are 30 different state laws to comply with," Martin says. "It's just a mess."
The company also is looking into laptop encryption. Lost or stolen laptops containing private customer data can run a company into all sorts of regulatory trouble, not to mention reputational harm.
For USG, the segregation of duties required by Sarbanes-Oxley Section 404--for example, making sure an accounts-payable employee doesn't also have access to the general ledger--is a top compliance challenge, but one that the company has a grip on, Watson says.
Chad Bartosh, IT director at North Dakota Credit Union League--a statewide association of credit unions--says the small firm has limited resources and is working to identify a vendor that will help it meet Federal Financial Institutions Examination Council (FFIEC) rules and other regulations.
"We're trying to get everything done through one shop so we don't have to work with multiple vendors," he says.
While businesses wrestle with regulations like Sarbanes-Oxley, the Edmonton Police Service has other rules it must follow. "We're in the same boat, really," Clissold says.
In order to access federal police systems, the service must use two-factor authentication and has deployed RSA SecurID to meet that requirement. Also, the service must meet the standards of the Commission on Accreditation for Law Enforcement Agencies.
Some regulations, such as HIPAA, aren't particularly challenging because they're just common sense, says Andy Sutton, network services manager at Texas Health Resources, a nonprofit healthcare system with about 25,000 users.
"Most of [the requirements] are things that a good organization would be doing any way, such as protection of information and preventing unauthorized access to information," he says.
Moreover, vendors are building in accommodations for HIPAA requirements for authorized access to patient information and logging access to that data, he says.
The Bottom Line
Of course, complying with regulations and implementing security technology takes money, but 27 percent of the security professionals surveyed don't expect their overall security budget to increase from this year.
"Ours is pretty flat," Sutton says. "Our budgets are being used primarily for business-related activities. They're going up, but not for security."
Another executive at a large firm also says his security budget won't increase: "It's just hard to make the business case. We try, but it's hard."
For some organizations, budgets aren't just staying the same, they're shrinking. For example, Rutgers is feeling the fallout of a significant statewide shortfall. "We're working under some pretty severe budget constraints," says Oliver.
Yet others are enjoying increases. Twenty-one percent of those surveyed expect their budgets to increase between 10 and 25 percent. Decosimo, for example, is likely to increase its security spending between 10 and 20 percent, Joyce says.
At global truck maker Paccar, next year's security budget will depend on which proposed projects win approval, says Shelley Percich, its technology project manager.
But, she adds, "security is a requirement for all projects that are approved, and additional funding for security requirements is allocated for most all of our projects."
Likewise, Edmonton's Clissold says he doesn't lack funding. He's in the process of building a security infrastructure; two years ago, the service had none to speak of.
"I'm in growth [mode] here, and, because of that, my budget is increasing," he says.
At the North Dakota Credit Union League, the tricky part is figuring out how much money to spend on security, Bartosh says, "because you can sure throw a lot of money out the window, but it won't do anything for you."
What's on Tap
Insider threats and regulatory requirements are driving organizations to spend money on strong authentication and encryption, but companies have a variety of security initiatives planned for next year.
In addition to deploying two-factor authentication, Decosimo expects to spend more next year on physical security. Plans also call for upgrading the company's disaster recovery/business continuity process, Joyce says.
A big project for Texas Health Resources will be implementing single sign-on with biometric authentication as an option for certain computers--a project that had been previously budgeted.
"I'd like to say it's to enhance security, but the main reason is that it's what the doctors want. The perception is that it will speed up signing onto the computer," Sutton says.
Meanwhile, patch management is something Edmonton police will be spending more money on in 2007. Until recently, the service didn't have an automated means of deploying patches.
"We've got an interim means now and we will be spending more to improve that," Clissold says. Beyond specific technologies, the service plans to focus on the convergence of physical and IT security, he adds.
For Rutgers' Oliver, better formalizing of his school's data security policies and procedures is one of his main goals for 2007. Information is critical to a university's research, teaching and service missions, he says.
"You can't have faculty research without maintaining secure and confidential data.... You can't have student services without having information safe," Oliver says.