
How to Get the Most Bang for Your Information Security Buck

Consider ways to protect the information itself, no matter where it lives.

by Simon Thorpe, October 2010

This month, PricewaterhouseCoopers released findings from their worldwide survey, “The 2011 Global State of Information Security.” It posed questions to over 12,000 chief executives, vice presidents and directors in 135 countries about information security breaches, the amount of money spent on information security, and the impact of information security issues on business. The main issue? During the last few years of economic turmoil, the survey reveals flat, and sometimes decreasing, spending to secure the business. Even more worrying is that it finds investments in existing security deployments have declined, exposing companies to greater risk.

Justifications to the business for spending money on security, such as impact on revenue, following industry practice and reducing liability, are on the decline. Yet specific client requirements driving the justification for security are on the increase, which indicates that the role of information security is becoming more customer-focused. This makes sense, as it is much easier to justify spending on security when the end result could be income from a customer or an internal client that requires security to ensure compliance with a regulation.

It comes as no surprise that organizations report their business partners and suppliers are not spending money on security either, because those partners have also been weakened by recent economic conditions. But while companies hold off on investing in their security projects as the economy tightens, threats continue to increase. Evidence is everywhere that criminal activity, accidents and complacency are contributing to an increase in the avenues by which your most valuable information can be lost. Take a look at sites like datalossdb.org, which reports on public data loss incidents, or even wikileaks.org, a controversial website that takes advantage of weak security systems to leak information.

Your information is at risk

One industry in particular that is struggling with a lack of funds and an increase in threats is healthcare. A report published in early 2010 found that in the last quarter of 2009, hacker attacks targeted at healthcare organizations doubled to 13,400 per day for any given health care organization. Then there are the internal threats: Five employees from a U.S. hospital recently ended up in court facing a maximum 30-year prison sentence. They were found guilty of stealing patient information and using it to fund a frenzy of fraudulent credit card spending totaling $600,000. Combine this with the government requirement to move all U.S. healthcare onto electronic medical record (EMR) systems and the increased trend of providing care resources online, and more and more of our patient information is at risk, managed by an industry that is struggling to find resources to protect it.

As if this situation doesn’t cause enough concern for security executives, changes to the Health Insurance Portability and Accountability Act (HIPAA) and new state laws in California, Massachusetts and Connecticut are increasing the pressure on organizations to notify the public of security incidents. This may well be driving the reported increase in incidents. Over three years, the number of respondents claiming they have no idea how many security incidents have occurred in the past twelve months has halved. Companies also reported they have more knowledge of the type of security event — whether the security breach happened through applications, data, mobile devices, systems, networks, or through social engineering. Clearly, the first evidence of the new laws taking effect is organizations becoming more aware of the problems.

Health care isn’t the only industry challenged in this area. In 2010, two major U.S. automotive manufacturers lost intellectual property as unhappy ex-employees took information to Chinese competitors. MI6, the English equivalent of the Central Intelligence Agency and the home of James Bond, was recently vulnerable to an IT employee attempting to sell a hard disk full of intelligence secrets. Microsoft lost details of the product roadmap for Windows 8 in an unprotected PowerPoint presentation. These are just a few examples from a long list of publicly recorded incidents, and there are many more unrecorded events either going undetected or being suppressed from public view.

Looking to the future, the survey states that 60 percent of respondents have yet to implement technology to protect against information loss via Web 2.0 technologies. Yet Web 2.0 technology — and more often Enterprise 2.0 technology — presents a growing risk. As we spend more and more time gazing at Facebook watching the lives of other people (who are probably watching us in return), we are prone to very effective social engineering attacks, social network viruses, and accidentally sharing corporate or personally identifiable information in a status update. Today’s security professionals are challenged with controlling sensitive information while enabling people to leverage new collaboration technologies in a scalable, cost-effective manner. 

The weakest link

The biggest change in trends across the survey was on the business impact of security incidents. Financial loss, theft of intellectual property, and impact on brand or reputation had all increased over 200 percent.

So what’s going on? Companies are unable to spend money on addressing known security concerns that have a real financial impact. Yet at the same time, they must share more and more information with their employees, customers, partners and suppliers. Other areas of the business are moving to the cloud, putting information in the hands of other companies who also have frozen budgets on security spend. All of this is happening as new ways to attack businesses increase relentlessly.

It isn’t all doom and gloom; the survey reports there is a light at the end of the tunnel. Resources for improving and implementing security solutions are being released as economic conditions slowly improve. But even though the security budget is going to get better, spending is going to be scrutinized. The trick is in knowing where to allocate it. 

A Balance of Risk

It’s all about calculating risk. As any Certified Information Systems Security Professional (CISSP) knows, good risk assessment methods can help calculate the costs of threats to information assets. One typical formula in risk analysis is threats × vulnerability × asset value = total risk.

So based on the survey, in which areas can organizations achieve the most cost-effective reduction of risk? One of the greatest areas of concern arises when the business is collaborating with customers, partners and suppliers. This usually means exposing some part of enterprise information systems to third parties, or allowing the business to share information via email or documents. Ask these questions when evaluating possible security solutions: 

  • By how much is my risk going to be reduced?
  • Can this solution both protect and report on security? Having both the preventive and the monitoring controls in one technology is a big bonus.
  • How easily and quickly can this be deployed? A well-designed solution should be deployable within a few months, and address the most risk in that time.

The usual response to protecting information sent to third parties that ultimately resides on laptops is to implement hard disk encryption, Data Loss Prevention (DLP) or distribute encrypted USB devices. While these can be part of an effective security strategy, it can be costly to purchase many products which ultimately protect only the location where information might reside. What happens when financial documents are attached to an email that DLP allows to be sent to a partner who stores them on a non-encrypted USB key, which then gets lost or stolen? How do you even know that the information has been lost?

Instead, consider ways to protect the information itself, no matter where it lives. The truly forward-thinking security professional will put those valuable dollars towards solutions such as Information Rights Management (IRM), which uses encryption and access controls at the email and document level. So not only is there control over the information even when a partner accidentally emails it to a competitor, but the technology is active on every secured document, and there is an audit trail of who is using the information.
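To make the first evaluation question concrete, here is an added worked example (not from the article or any Oracle product) that applies the article’s formula, threats × vulnerability × asset value, to the scenario above: a financial document that passes through your own laptop, outbound email, a partner’s laptop and a partner’s USB key. The locations, threat and vulnerability figures, control costs and effectiveness multipliers are all constructed for illustration; the point is how location-bound controls and a document-bound control (IRM) compare in risk reduction per dollar.

```python
from dataclasses import dataclass

# Constructed scenario (illustrative numbers, not survey data): one financial
# document passes through four locations. Risk per location follows the
# article's formula: threat x vulnerability x asset value.
ASSET_VALUE = 100_000  # hypothetical value of the document, in dollars

@dataclass(frozen=True)
class Location:
    name: str
    threat: float         # chance per year of a loss or attack event at this location
    vulnerability: float  # chance that such an event exposes the data, uncontrolled

LOCATIONS = [
    Location("corporate laptop", 0.10, 0.8),
    Location("outbound email", 0.05, 0.9),
    Location("partner laptop", 0.20, 0.9),
    Location("partner USB key", 0.30, 1.0),
]

# Candidate controls: (residual-vulnerability multiplier per location, cost in dollars).
# Location-centric controls act only where deployed; IRM travels with the document.
CONTROLS = {
    "disk encryption (own laptops)": ({"corporate laptop": 0.1}, 40_000),
    "DLP on outbound email": ({"outbound email": 0.3}, 60_000),
    "IRM on the document": ({loc.name: 0.1 for loc in LOCATIONS}, 50_000),
}

def total_risk(controls=()) -> float:
    # Sum threat x residual vulnerability x asset value over all locations.
    risk = 0.0
    for loc in LOCATIONS:
        vuln = loc.vulnerability
        for name in controls:
            vuln *= CONTROLS[name][0].get(loc.name, 1.0)
        risk += loc.threat * vuln * ASSET_VALUE
    return risk

def reduction_per_dollar(name: str) -> float:
    # The article's first question: how much risk does each dollar spent remove?
    return (total_risk() - total_risk((name,))) / CONTROLS[name][1]

def rank_controls() -> list:
    # Most cost-effective control first.
    return sorted(CONTROLS, key=reduction_per_dollar, reverse=True)

if __name__ == "__main__":
    for name in rank_controls():
        print(f"{name:32s} {reduction_per_dollar(name):.3f} risk dollars removed per dollar")
```

Because the document-bound control lowers vulnerability at every location, including the partner’s USB key that no location-bound control you own can reach, it removes far more risk per dollar in this model even though it is not the cheapest item.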

Another great solution with a huge impact is a database firewall. Firewalls not only protect third-party-facing applications accessing the important payment card industry (PCI) information, patient health data, or personally identifiable information (PII) that resides in databases; they also provide the reporting capabilities to ensure regulatory compliance — all in the same solution.

Welcome to the leading edge of enterprise security. Valuable information exposed via applications is protected by an intelligent database firewall. The information ultimately resides in encrypted documents with controls that allow you to report on access no matter where it lives, inside or outside your firewall. Stop chasing the desire to protect the location; instead, secure the information.

Simon Thorpe is an expert in information security and works with Oracle customers in the U.S. to architect security solutions.