Information security has remained a high priority for organizations for many years. But the threats, vulnerabilities and tools are changing as companies transform into digital businesses.
Trends such as the growth of cloud services and mobile technology, including bring-your-own-device (BYOD), have presented new and daunting challenges to IT and security managers. Just keeping track of the devices, applications and authorized users within a global organization—as well as the latest security threats—can be extremely difficult. As a result, many companies might find themselves at increased risk for attack.
“The threat is most definitely real,” said Tyler Shields, principal analyst, Mobile, Application and Internet of Things Security at Forrester Research. “Attackers only have to find one flaw to access your sensitive data. Whether that flaw exists in a mobile device, cloud service or some other advanced digital technology is irrelevant.”
The more businesses move to modern technology models such as cloud services and mobile devices, “the more attackers will look to compromise these technologies,” Shields said. “You will see a steady and continual slow increase in attacks against digital business technologies as attackers move to monetize new methods.”
“Mobile represents a threat due to lost or stolen devices being used to access company applications or data,” said David Monahan, research director, Security and Risk Management at Enterprise Management Associates. Newer mobile devices in many cases have fewer security controls than their laptop counterparts, “especially in the case of BYOD,” he said.
The rapid rise in devices and apps in the workplace has brought unique security challenges. In addition to dealing with issues such as secure access to the corporate network and protection of the data on devices, companies need to address the problem of “dead apps” (apps that once lived in app stores but are no longer supported or useful) and stale apps (old, unpatched versions of apps that are still available in app stores).
These apps can harbor vulnerabilities that cyber-criminals can exploit to implant malware.
“It’s not uncommon for someone to download a useful application only to use it once and completely forget about it a week later,” said Hormazd Romer, director of product marketing at cloud security company Accellion. “Because these stale apps become neglected and unpatched or become dead apps when they’re no longer available in app stores, they lack critical security updates and are easy targets for hackers to access personal or sensitive information.”
IT departments can proactively guard against these unused or out-of-date apps by educating users on the risks and encouraging employees to delete them, Romer said.
The growth of cloud computing also poses security challenges for companies.
“The biggest issue that organizations can have with cloud is having an authorized [user] access it from off site and siphon data or make changes,” Monahan said. “Not all cloud providers expose their logging capabilities to the customers and even if they do, if the identity is authorized, the customer may not notice the activities.”
Chicopee Savings Bank for years has relied on using banking applications hosted at vendor sites rather than in its data centers, but in general has avoided cloud-based services in part because of security concerns, said Darlene Libiszewski, senior vice president of technology.
That’s changing. “Maturity has certainly improved over the last few years with cloud applications and services,” Libiszewski said, and despite potential worries such as loss of control and evolving security risks, she is looking into the various cloud models “because they do position me to outsource skill sets that I don’t have on my team” and offer possible IT cost savings opportunities.
“The security risks loom, but I think these are compelling business benefits that propel me to constantly assess cloud-based solutions and consider approaches to minimize the risks that weigh heavily on me, our directors and customers,” Libiszewski said.
Because data resides outside the walls of the company with cloud-based solutions, “we have to consider the external threats and evaluate the efficacy of controls for our data at rest and during processing at the vendor’s location, and while in transit between us, our users and the vendor,” Libiszewski said.
Among the key security questions to ask the cloud service provider, she said, is how an authorized user can reach an application, service and data in a reliable and secure way.
“What if someone is using an insecure end point or network? Can I control that to adequately minimize the risk?” Libiszewski asked. “I can control it so much more reliably when access is from inside our four walls, using existing, proven and managed controls we have in place.”
Other questions are how the hosting provider keeps non-authorized users from gaining access to the bank’s data while it’s in the cloud, how breaches are detected and prevented, and how often the provider identifies and patches system vulnerabilities.
Chicopee Savings has built up its internal security through both policy and technology initiatives, such as rigorous vendor management routines, secure virtual private networks, access management controls, encryption, a prohibition on the use of personal end points, employee training on the many security threats, ongoing monitoring and other efforts.
“We’ve had to re-think how we do business, how we expect to do business and how we protect ourselves, both now and in the future,” Libiszewski said. “This has resulted in a deeper dive on various risks, whether old, new or evolved. The evolved risks can sometimes slip through our risk assessment process, because they aren’t really new, they’ve just changed a little.”
It’s easy to be complacent and think existing controls should still be adequate, Libiszewski said. “However, the reality is often that a little change can have a bigger-than-expected impact and potentially make existing controls less effective,” she said. “So we look at all of our risks deeper and broader, with as much insight as possible, to be sure our residual risk is still acceptable to us both now and in the future.”
Security experts make several recommendations for companies as they become digital businesses.
Defense in depth, data encryption and requiring all vendors and service providers to be bound to strong security standards in writing are musts, Shields said. “Get some kind of recourse in the event that one of your providers is hacked,” he said.
Data encryption “is always a good thing when it comes to trusting your data to an external provider,” Monahan added. “Encryption implemented properly will protect data from unauthorized disclosure.”