Protecting users in today’s IT landscape requires a trade-off between foolproof security and access, speakers at a recent IDC event argued.
“I want to make it clear that we see there is no way of providing IT security and availability,” says Simon Piff, an associate vice president for enterprise infrastructure at IDC. “Any time you open a port in your firewall, you’re opening yourself to attack. It’s always some kind of a trade-off, and the question you have to ask yourself is: what is your appetite for risk?”
Aside from the complexity imposed by trends like BYOD, hacking has evolved into a business in its own right. Still, the biggest threat to organisations is not the exploitation of weaknesses in technology but the human element, with experts depicting data loss as a sin of omission or commission.
“The majority of cases that come to light regarding data loss have been idiocy,” says Piff. “Someone made a mistake they should not have made. People try to find ways to do things, but they’re not trying to break the rules. They just want to make their jobs easier.”
For example, users in an organisation will be secured on company email, but may expose data to unknown threats or leakage when using devices or software outside the organisation, such as Dropbox or Gmail.
According to Piff, an IDC survey shows that New Zealand companies still see threats to their data as external, with 52 percent reporting hackers as a bigger threat than careless or hostile employees. Piff believes the bigger threat is the disgruntled ex-employee or the careless worker.
There is also a lag among New Zealand companies in executing security policies to prevent and respond to data loss. While 88 percent of New Zealand executives surveyed reported having a formal security policy, 49 percent don’t know if employees are trained in that policy.
The highest concerns among the executives were data loss, followed by access control, malicious code injection and denial-of-service attacks.
According to NetIQ, a sponsor of the August 23 breakfast held at the Langham Hotel in Auckland, the concept of firewall perimeters is outmoded.
“The whole concept of perimeters is something we’ve been hanging on to for far too long,” says Ian Yip, APAC product manager for identity, security and governance at NetIQ. “There really isn’t a perimeter. What cloud and mobility are forcing us to do is take our heads out of the sand and acknowledge we need to do something. It doesn’t matter who I am, it matters what I am. It actually matters if I’m the same person I said I was yesterday once I’m inside the network.”
Because most organisations do not dedicate an internal role to security, resellers and consultants have an opportunity to fill that gap.
“Security is about saying no,” says Philip Whitmore, director of KPMG Security Advisory Services, which co-sponsored the breakfast with IDC and NetIQ. “Can they bring in their iPad? Can they download these files, or access this or that information? The answer is always no, no, no. And I think a lot of our businesses value that, because it saves investment and having to do things; it protects us.”
But that is also not practical, so organisations once again must decide where they want to be on the access versus security spectrum.