Wednesday, November 17, 2010
Employee welfare must be sacrificed for organizational data protection
An organization has two primary types of data within its premises: structured and unstructured. Structured data is stored in databases and is used primarily through applications. Existing security mechanisms are well able to address threats to structured data, backed by penal legal provisions and strong enforcement through standards like PCI.
Unstructured data resides on employee desktops, laptops, mobile phones, portable drives, and pen drives. It comprises documents created by employees, or extracts such as reports and Excel sheets pulled from structured data repositories. Securing this data is far from easy, as the only mechanisms that can be applied are endpoint security controls such as antivirus, personal firewalls and newer technologies like DLP. DLP is template driven and has its own limitations.
Relying on employees to be security aware is not something an organization can depend on. 70% of organizations provide only generic security awareness training, and only 40% provide updates on new threats. The employee becomes a conduit for bringing bots into the organization, where they are capable of stealing user data and becoming staging points for further attacks.
Bots usually rely on social engineering to draw users to malicious websites, which then install bots on the end users' devices. The problem is quite acute. The McAfee Threat Report: Third Quarter 2010 found that average daily malware growth has reached its highest level, with an average of 60,000 new pieces of malware identified per day, almost quadrupling since 2007. McAfee identified 14 million unique pieces of malware. The most dangerous were Zeus, Stuxnet and Cutwail.
Social trends like online shopping for Christmas are exploited to create fake online shopping sites that steal user identities and install bots (trojans).
The 2010 ISACA Shopping on the Job Survey: Online Holiday Shopping and Workplace Internet Safety—UK, released in October, clearly showed that organizations failed to consider the three most important tools available to protect against this threat, owing to concerns over employee welfare. In the report, 58% of organizations do not prohibit employees from using a work email for online shopping, 43% allow the use of laptops for online shopping, and only 9% actually prohibit access to online shopping sites from the workplace.
I am of the opinion that employee welfare must be sacrificed until technology measures have been created to defend against all bots. There are also new technologies for disk encryption, application whitelisting, and operating system lockdown from security product companies like McAfee which are useful in mitigating these threats.