
The idea that enterprises have made great progress in locking down their infrastructure to protect end-users from malware may not be totally accurate, writes Paul Williams, chair of ISACA and IT governance adviser to Protiviti.
Any progress made against malware comes at a tremendous cost. Security companies spend significant resources deploying monitoring systems to capture malware as early as possible so that their research teams can diagnose the code and quickly release a fix. Similarly, enterprises spend a great deal deploying multiple layers of protection. Resources go into patching existing systems rather than into implementing and deploying new business-enabling technologies.
Moola first, mischief second
The reduced number of incidents reported has more to do with the financial benefits that flow from capturing personal information than with better protection against malware attacks. Hackers and malware writers are channelling their efforts into financial gain rather than spending their time creating mischief. Fewer malware incidents do not mean we are better protected, but that attacks have become more focused and stealthier.
Traditional security incidents may return in the form of terrorist or politically motivated attacks, and security officers need to watch for signs of such attacks. But they need to pay even more attention to the protection of sensitive and private information and to the scams used to capture information from users.
Beyond the borders
The larger challenge for security officers is to provide protection beyond the borders for end-users who are increasingly mobile and who have a greater choice of the technology they will use. In this highly distributed, mobile and technology-rich business world it is difficult to approach protection as in the past. The availability of cheap, high-capacity USB memory sticks and of Wi-Fi-enabled networks are two examples of how the barriers are being lowered.
Traditional countermeasures are no longer enough by themselves when the boundaries of organisations are constantly shifting. End-user awareness and tighter integration of information security activities with business strategy and product development are necessary to understand risks and to structure protection strategies aligned with business goals.
Even so, incidents are still likely to happen. Technical controls, awareness, monitoring and incident response can no longer provide the levels of protection required to support e-business.
What is lacking is the ability for users, in both their personal and their work lives, to establish identities that can be trusted, and for organisations to present an identity that can be trusted in return. Without this assurance of identity and trust among end-users, the effective protection of personal and sensitive information will remain difficult to attain.
Paul Williams is chair of ISACA and IT governance adviser to Protiviti.