Not so long ago, discussions of IT security tended to focus on the need to install firewalls; to tunnel via private networks; to employ encryption keys and digital certificates; to surround servers with multiple layers of access; and to install firewalls, sandboxes and "demilitarized zones" to snag hackers.Those tools and methods remain critical, but many in the IT community are recognizing the importance of addressing physical as well as digital vulnerabilities.
What's more, IT people say, security requires scrutinizing the physical realities of every employee and end user, regardless of geographic location and no matter what device they use on the network.
Today's enterprises are no longer centralized data centers of servers with employees connected onsite via local area networks or terminals. In fact, the distinction between internal and external users has nearly disappeared. As a result, many IT assets are beyond the immediate reach of IT managers.
"Our workforce is very mobile," says Mark Odiorne, chief information systems officer for Scottish Re Group Ltd. (Bermuda), reflecting a trend among carriers. "I have far more laptops in my organization than I do desktops."
A network may have every technical security bell and whistle, but that may not help much when someone leaves a laptop or a Blackberry on the seat of a cab. To make matters worse, employees at 80% of America's financial institutions use smart phones and Blackberry devices in a mix of professional and personal capacities, says TowerGroup, a Needham, Mass., research firm.
A recent report from Stamford, Conn.-based research firm Gartner Inc., says 29% of the computers corporations purchased in 2005 were laptops, but the percentage is expected to increase to 44% by 2010.
The challenge is not limited to laptops or Blackberries. All sorts of devices, if lost, could result in a security risk, warns Jim Walker, president and CEO of DataPreserve, Scottsdale, Ariz. "A serious and often overlooked data security issue common to both corporate and small business end-users alike, concerns risks posed by unencrypted, portable data storage devices," says Walker.
AT THE FRINGES
While larger organizations typically have procedures for data backup and protection, "the data at the fringes of organizations or at small businesses is often protected by less-than-secure backup methods," says Walker. "These usually include unencrypted tapes, DVDs, CDs or handy flash drives. Data backed up these ways creates additional security risks, since these backups need to be secured from theft."
Karen Pauli, senior analyst in the insurance practice at TowerGroup, says that vulnerability should concern carriers, especially if they make sensitive information available to mobile devices. Determining the fine points of access can call for an internal policy review, she suggests.
"There's a fundamental question to be asked," Pauli says. "Just because you can send data out in a mobile application-should you? It comes down to looking at your remote workers and your mobile workers, and asking what they really need to have to do their jobs. Do we have to send an entire customer database to them?"
THE MOBILITY RISK
The devices are not under IT's control-or any other department's control, for that matter-and need to be treated as such, says Odiorne.
"We know that those mobile devices, such as laptops, that aren't always within our perimeter are potentially more at risk for things like theft," Odiorne says. "We do full-disk encryption on our laptops. We do backups of the data, via an online service, again encrypted, and we make sure that our VPN connectivity to and from those devices is topnotch and secure. We also spend a lot of time making sure that those machines are up to date as far as antivirus, anti-malware, anti-spyware."
REMOTE COMMAND
Many Scottish Re employees also have company Blackberries, and Scottish Re has the ability to send an electronic command that can decommission them, Odiorne says.
"If we lose track of one, we can go ahead and kill it," says Odiorne. "And we make sure that all the Blackberries and the laptops-everything that travels-has as high a level of security as we possibly can."
According to a survey from Evans Data Corp., Santa Cruz, Calif., about 17% of companies install encryption capabilities in remote devices, and 13% can erase data remotely from stolen or missing devices.
Welcome to the brave new world of security: It's no longer just a matter of fretting about hacker attacks. And as the number of dangers has grown, government regulation of security has increased, too. Legislators have decreed that carriers institute comprehensive policies to mitigate security risk.
"More can be done to combine physical and practical security measures to protect information from insider and outside attack," observes Joe Sturonas, CTO of Milwaukee-based PKWARE Inc., a data security and file compression company.
"More can also be done in terms of educating employees about corporate security policies and ramifications of violating those policies," says Sturonas. "Often, knowing that there are safeguards in place is enough of a deterrent to stop employee misbehavior."
Odiorne of Scottish Re agrees that well-thought-out enterprise security policies are the most effective deterrent. "It all starts with having a very good security policy in place," he says.
"That policy needs to be signed off on at all levels, right up to the executive level," continues Odiorne. "Most people in the insurance industry are under some form of regulation. Pick a good framework, whether it's ISO [the International Standards Organization], COBIT [Control Objectives for Information and related Technology] or ITIL [Information Technology Infrastructure Library], and have a model to work on. Make sure your daily, weekly, monthly, quarterly and yearly tasks are tracked and done on a regular basis. Make sure the 'basics' are being done."
Scottish Re also has addressed another vexing security issue-the wasted time and unnecessary cost of pursuing false positives from security audits. The fast-growing company was adding systems and users, and was getting tied up in vulnerability scanning and penetration testing, Odiorne says.
"We were spending a lot of time addressing vulnerability reports from consultants," Odiorne says. "If we had a vulnerability, and we couldn't really prove at that time that we weren't vulnerable, we would have to schedule time to bring machines down and have them patched, which was potentially an impact to the business."
The company addressed the situation through automation, employing Core Impact, an automated penetration-testing tool from Boston-based Core Security Technologies, Odiorne says.
Carriers face similar dilemmas in balancing the need for ironclad security vs. the potential business impact. "Think of security as a business process," says Ace Swerling, security director for Seattle-based Avanade Inc. "Wise companies would not try to improve other business processes, like sales or product delivery, exclusively with technology. They will use technology as a tool-not an end unto itself. The same applies with IT security. You have to combine people, process and technology."
EVOLVING THREAT
The nature of security threats is evolving as well, but a basic security policy can help. "With a basic policy, and a basic, solid, secure plan in place, it will net you the majority of what you need to do," says Swerling.
For example, industry experts have observed a change in security threats. In the past, hackers proved their programming prowess by writing code that created worms and bugs capable of entering and disrupting networks, says Mike Rothman, president of Security Incites, Atlanta. Now, he says, hacking's about making money through fraud.
As a result, Rothman adds, today's malicious users keep a low profile and keep their schemes alive, rather than seeking anonymous glory for their exploits.
The resulting under-the-radar threats increase the need for vigilance and the need for policies across the enterprise to embed security in all aspects of management, says the TowerGroup's Pauli. "Make security a singular focus within the entire company, not a sub-unit of somebody's department," says Pauli. "Security should be an enterprise strategy. It can't be one department at a time-or just IT. You need to have a business driver for the entire enterprise."
Take a close look, Pauli advises, at what functions and data remote users need. If employees truly need sensitive or personal information, then invest in a technology security solution. "It may be expensive," she says, "but it's just the right thing to do."
