Enterprise Security

by msecadm4921

Security shortcuts: how to avoid the pitfalls. A guide to the four key areas where, it is claimed, security rather than money saving must come first.

Budget and staff cuts in the IT department are threatening enterprise security, according to a recent study by Deloitte. It found that nearly a third of organisations have reduced their information security budget in 2009, leaving 60 per cent feeling that they are either still ‘falling behind’ or ‘catching up’ on security.

Furthermore, KPMG’s annual e-crime survey found that almost two thirds of companies believe they dedicate insufficient resources to locating vulnerabilities. It seems that IT directors are putting new investment first, jeopardising existing security as they seek to take shortcuts to save money.

According to Ansgar Dodt, director of embedded systems sales at SafeNet EMEA, not enough foresight is being shown about the potential pitfalls around making security cuts. IT directors need greater awareness of the risks, and need to make stronger plans to protect their business.

"Abandoning important security measures raises the risk of data loss and misuse," said Dodt. "Even failing to keep security up-to-date can cause problems. The inevitable consequence is spending more money repairing the damage to the company, its data and its reputation. Wasting resources on preventable problems is a luxury organisations cannot afford during the downturn."

Dodt has identified four key common pitfalls that are vital to avoid, even when times are tough:

1. Incomplete encryption

A firewall protects from external attacks. However, attackers frequently find ‘doorways’ into a company nonetheless. To protect data from unwarranted access from outside the organisation, it is necessary to develop a holistic encryption strategy. Enterprises should start by defining which data is sensitive and where it is stored. For comprehensive security, the data has to be protected within all storage locations – not just where access is most simple. Clearly defined roles and access rights, combined with the proper controls, will ensure security and only allow data access for authorised personnel.

2. Nonexistent key management

Strong data security also needs adequate key management. Safeguarding the retention of all keys is essential: technology such as Hardware Security Modules (HSMs) creates secure keys for encryption and protects those keys over their whole lifecycle. As a result, any abuse of the keys will be spotted immediately.

3. Careless use of passwords

Everyone knows that passwords should consist of difficult combinations of letters and numbers, should be changed regularly and should never be noted on the desk or passed to colleagues. In reality, however, users choose passwords that are easy or rely on the same keyword all the time, weakening security measures. Additional security holes appear when companies are restructured or staff are made redundant. Companies frequently forget to save and change the passwords of former employees. To prevent the security risks that careless password management can bring, companies can give employees a single sign-on solution, which saves all required passwords on a smartcard. The user only needs to remember the password used to access the smartcard. This solution means passwords are changed frequently and automatically meet company guidelines for using strong, hard-to-hack combinations of numbers and letters.

4. Incomplete security for remote access

Many employees access business-critical data more than once a day while out of the office. Security measures are often not up-to-date, as a SafeNet study revealed in February 2009. Nearly 50 per cent of all companies that allow employees remote access to enterprise data do not have official guidelines for regulating staff’s remote access. Two-factor authentication using a smart card or token ensures that only authorised users gain access to company data. Additionally, the IT administrator should define the security guidelines, and implement an automated system to check that each PC logging on has adequate antivirus protection or a personal firewall.

"Organisations need to understand the true value of their data and give information security the focus it needs. Otherwise, they are putting the future of the organisation at risk, through allowing unnecessary risks to customer information and the company’s reputation. Even in a time of financial turmoil, adequate encryption and firm security guidelines are vital," added Dodt.
