Information security goes mainstream
Formerly the exclusive domain of IT, information security is now a mainstream issue, as major retailers and government agencies have suffered data breaches, denials of service and destructive intrusions. Millions of individuals have been affected, and organizations are now forced to devote more resources to prevention and remediation. Everyone in the information chain, from consumers to CEOs, has become acutely aware of the hazards of failing to protect information.
“Cybersecurity is a business issue,” says Steve Durbin, managing director of the Information Security Forum (ISF). “Every business user and anyone accessing data needs to be aware of it.” The ISF is a non-profit professional organization that provides research, best practices and a globally interconnected environment in which corporate members can exchange information.
The advent of the mobile worker and the proliferation of cloud technology have added a new dimension. “People want to run their businesses on a tablet, and you can do that but you need to understand how to do it safely,” Durbin says.
Some organizations that have been attacked might seem to be unlikely targets. For example, Boston Children’s Hospital was the victim of a denial-of-service (DoS) attack by so-called “hacktivists” because of a controversy related to a child custody issue. “These attacks are inexpensive and easy to launch,” says Ben Desjardins, director of security solutions at Radware. “It only takes one person to do it.”
Radware’s products are oriented toward ensuring application service levels. Some of its solutions are for performance optimization during normal operations, and others are for network and application attack protection. “Cybersecurity is about data protection, but it is also about continuity and availability,” Desjardins explains. “Sometimes availability is overlooked, but hackers can do a substantial amount of damage to a company by taking down a website even if no data is lost.”
Protecting information with technology is important, but it is not a substitute for communication within a company. “We have had situations where companies thought they were under attack, but the volume of hits was actually the result of a marketing program,” says Desjardins. “This shows the importance of communication between IT and the business side of an organization.”
Business versus IT
The perennial communication gap between the two groups, which exists for most applications, is exacerbated in the context of information security. Enterprise applications are used by business units and enable their job functions; security software products do neither. The motivation to reach across the gap is therefore weaker.
“Business and IT should start with a conversation to explain what protection the company has in place and what measures are being taken,” says Desjardins. “Then, the business side can work with IT to develop business cases based on the impact of their operations and illustrate the ROI for protection of their functions. That can help IT by showing the costs of downtime and clarifying what needs to be protected.”
Hazards of mobility
According to a study by IDC, 75 percent of the U.S. workforce is mobile, with most of those employees having more than one mobile device. But those devices are at risk: About five to 10 percent of laptops are lost each year, according to a study from Ponemon Institute, and about one-third of them contain unencrypted sensitive or confidential data. In another study, one in six respondents reported having a mobile device lost, stolen or destroyed.
Even when users hold onto their devices, security is far from guaranteed. “Data is becoming more dispersed and fragmented,” says Dave Packer, director of product marketing at Druva. “Much of the data in an enterprise exists only at endpoints, which increasingly are mobile devices. Governance in this environment is very difficult.”
Druva entered the security market with a product for securely backing up data, and now provides broader governance that is aimed at endpoint security. “Even when companies do not know where the data is flowing, they still have an obligation to protect it,” Packer says. “In addition, a lot of intellectual property is stored on mobile devices, and in the event of litigation, the company has to be able to locate it.”
Despite the convenience of mobile devices, their use creates well-recognized conflicts with security, especially as BYOD becomes more frequent. “People who want to collaborate with clients or vendors don’t like restrictions,” says Packer. “Restrictions get in the way of doing business.”
Druva’s products help overcome that problem because the applications are transparent to the users. “We provide continuous backup, but users don’t know it’s running,” Packer explains. “We can also enforce encryption without the user’s awareness and remotely wipe laptops to clear the data.”