What gained the most attention in 2011 were the big scores that data thieves made on companies like Citigroup Inc., RSA Security LLC and Epsilon Data Management LLC. Nevertheless, smaller, more targeted data theft is what's topping IT executives' data security management agendas this year.
The biggest data security concerns for Michael Daly, for example, are spear phishing (an e-mail spoofing fraud attempt that targets a specific organization) and social engineering. These types of attacks have made their way onto social forums, to the point where some enterprises have had to consider locking down access to all social networks, according to Daly, deputy chief information security officer (CISO) at Waltham, Mass.-based Raytheon Co.
"I've had conversations about whether we should permit social networking sites at work," Daly said. "Companies want to leave them up; but banks, for example, have had to turn them off because critical information ends up on these sites."
Many heavily regulated industries are weighing the benefits of social media sites against the risk to the company, agreed Suzanne McGann, social media program manager for global interactive strategy at Minneapolis-based Medtronic Inc. She was told by higher-ups at the medical device company that there would be no social media in the organization until she figured out how to do it safely, she said.
As SearchCIO.com has reported, establishing the appropriate social media policies at Medtronic involved 10 meetings just to sort out how contractors and employees could use marketing materials without running afoul of the Food and Drug Administration (FDA). The FDA watches external marketing messages closely to make sure the content is balanced and truthful and does not impinge on Health Insurance Portability and Accountability Act (HIPAA) regulations in terms of patient privacy, McGann said.
Because of social engineering and phishing, some organizations don't allow employees to use their personal email for business purposes. That has led employees to use their business email for personal use -- which in turn has opened up the company to myriad risks from attachments, Daly said.
The data security management tactic Daly has employed to combat attachment attacks is a home-grown product called RShield. The software looks at all emails down to their attachments and embedded URLs. "In the virtual machine farms, the product jumps down the links to see what's at the other end," he said.
What's the most effective data security control in Daly's arsenal? Education. Before his team introduced security risk training, the click-through rate on attachments was 30%. After training, the rate went down to 5% and has held steady at 2%. "That's because we have persistent and varied training, from posters to lunches and it really pays off," he said.
Data security management for mobile and remote devices
More than 2,000 IT executives ranked data security and vulnerability and threat management as their No. 1 and No. 2 priorities for 2012, with mobile device management contributing to both categories' top spots on the agenda, said Laura Koetzle, vice president and practice leader for the Infrastructure and Operations and Security and Risk groups at Cambridge, Mass.-based Forrester Research Inc.
A group of 45 CISOs on Forrester's security leadership board also ranked securing mobile devices as their top priority, followed by developing their security strategy roadmap and security metrics and reporting, Koetzle said.
IT departments spent a large part of 2011 balancing freedom of choice in terms of anytime, anywhere, any-device access to corporate data, with iPads and smartphones leading this people-centric computing revolution. Desktop virtualization has turned out to be a data security measure that, when done right, can make both sides happy.
A virtual data infrastructure (VDI) proved something of a magic bullet for Wes Wright, vice president and chief technology officer (CTO) at Seattle Children's Hospital. He swapped out an old blade platform for Cisco Systems Inc.'s Unified Computing System (UCS), and replaced existing desktop workstations and laptops with zero clients from Wyse Technology Inc. The VDI was built on top of the UCS platform with Citrix Systems Inc.'s XenDesktop and XenApp technologies. The impetus was the hospital staff's need for speed.
"When the iPad came out, people got used to being instantly on," Wright said. "We had clinicians roaming around the hospital or administrators at desktops taking three to five minutes to log on to a brand new PC. Our patient safety forums felt [this slow logon time] affected patient safety."
A side benefit of the VDI was data security and the ability to ensure HIPAA compliance. "We pushed everything into the data center, so all patient information stays within the confines of our data center and isn't resident on any device that can leave our walls," said Jake Hughes, the hospital's chief technical architect.
Diebold Inc., a Canton, Ohio-based maker of automated teller machines (ATMs), also uses desktop virtualization as a front-line defense. Data doesn't reside on the machines, but in Diebold's case, virtualization by itself isn't quite enough: The manufacturer also uses security measures at all application layers so "there is no way to turn on any tracing or logging of data," said Chuck Somers, the company's vice president of ATM security. As for data in flight, it is encrypted from the card reader to the processor.
Still, as Somers will tell you, data thieves will find a way to bypass roadblocks. "Skimmers" -- almost invisible devices that data thieves attach to ATMs' card entry slots -- pop up. As a bank card or credit card is swiped, credential information is stolen. Like Raytheon's Daly, Somers believes the best defense against such devious tactics is education -- of both bank employees and consumers.
Data security management: Get on the user-needs bus
Aside from being the buzzwords of the year, cloud computing and mobile devices have taught IT executives that users will roll right around data security controls.
"It is very easy to fall into a Chicken Little approach as more and more means of accessing data become available," said Jeremy Bergsman, practice manager at The Corporate Executive Board Co., an IT and corporate strategy consulting firm in Washington, D.C. "The tendency may be to lock down, but our more progressive members are doing the opposite. They understand that this information and access to information is how business is done today and if you just lock things down, you're destroying value in the business."
Put simply, "security and usability butt heads," explained Seattle Children's Hospital's Hughes. The best way to deal with a move to the cloud or mobile devices is by layering security across the organization, he said. "You need to allow the maximum usability by building in security from the beginning and explaining why those measures are there."
Let us know what you think about the story; email Christina Torode, News Director.