
Cybercrime and data breaches have grabbed the headlines
in the past year, but it is people and their role in preventing
these that will dominate Infosecurity Europe 2009.
Security suppliers will be there with the latest technology
trends, but the spotlight will be on the human element of security
throughout the event, which takes place from 28 to 30 April at
Earls Court in London.
Former home secretary David Blunkett will give the opening
address at the conference on the rapidly changing face of
cybercrime, the true nature of which he says is little known.
People in the public and private sectors need to be more aware
of the enormous threat posed by cybercriminals, Blunkett says.
Encourage good management
A good information security awareness programme can enable good
data management, says Peter Bassill, information security officer
at the Gala Coral Group.
Bassill, one of the panellists in a debate on whether security
is about people or technology, says there is no replacement for
technical counter-measures, but "with an awareness programme in
place, employees will know what will happen if they take data".
A common problem is that IT security managers typically lack the
skills required to understand and change user behaviour, says
independent researcher David Lacey.
Success depends on enlisting the help of professionals with the
right skills. Lacey, who will discuss managing the human factor in
information security at the conference, says psychologists can help
understand what influences people's attitudes.
This will help create policies that encourage good security
practice, but security managers should also call in journalists to
help write and communicate those policies.
Prepared for attack
Another important element of awareness is knowledge of the
attack methods used by cybercriminals, says Howard Schmidt,
president and chief executive of the international Information
Security Forum (ISF).
"IT security professionals can identify true weaknesses in their
defences only if they share information with law enforcement
officers investigating cybercrime," he says.
Schmidt, one of the panellists in a discussion on the dynamics
of e-crime, says IT professionals must ensure their knowledge of
cybercrime is passed on to end-users.
"IT end-users should be able to identify potential cyber threats
and know how to respond to them," he says.
If an employee sees a cable trailing across the office floor,
they immediately think of health and safety risks, says Raj Samani,
vice-president of communications at ISSA UK.
"We have to aim to replicate what the health and safety industry
has done and get information risk ingrained into employees' minds,"
he says.
Samani is one of the panellists taking part in a debate on
externalisation that will consider security in an environment where
the boundaries between organisations are disappearing.
Understanding business processes
Other key areas to be highlighted at this year's conference
include information security skills, ways of preventing data
breaches, the challenge of policing international e-crime, and
effects of the credit crunch.
IT security professionals will need to have a greater
understanding of business if they are to succeed in the next
decade, says Paul Dorey, chairman of the Institute of Information
Security Professionals (IISP).
"They will also have to be able to use recognised standards and
repeatable processes to take a more scientific and disciplined
approach to security," he says.
Dorey adds that many IT security professionals lack the
necessary skills in business leadership, risk assessment and
effective communication.
He will discuss how businesses should go about addressing that
skill shortage in his presentation at the conference.
Information sprawl caused by distributed, networked computing is
one of the biggest causes of data breaches, says Dan Blum,
principal analyst at the Burton Group.
Information will always be at risk as long as it is allowed to
exist in several places in an organisation without proper access
controls, he says.
Blum is a member of a panel that will discuss high-profile data
breaches in the past year and what can be done to reduce the
risk.
Responsibility for policing the global internet is another
important debate at the conference.
"As yet there is little agreement over who should do and pay for
what, but there does appear to be agreement that the answer has to
be a partnership," says Philip Virgo, secretary general of Eurim,
who will be chairing the debate.
Security on a budget
The credit crunch has also grabbed its fair share of headlines
in the past year, with many IT departments giving careful
consideration to the way forward.
"A crisis can force an organisation to become more agile,
adaptive and resourceful, but in the field of IT security, money
should not be saved at the cost of defence," says Eric Domage,
research manager at IDC Europe.
"Conversely, money should not be spent without first examining
all available options," he says.
Domage is one of the panellists taking part in a debate on the
global credit crunch and the IT security market that will look at
ways in which security can support IT development in a tough
investment climate.
Insight into the criminal mind
Infosecurity Europe 2009 rounds off with an opportunity to learn
more about the workings of the cybercriminal mind, as recommended
by Howard Schmidt.
He is to chair a panel of hackers as they discuss corporate
espionage, hacking methods and mitigation.
Opinion: The human side of data loss prevention
Peter Bassill, group information security officer, Gala Coral Group

One of the hot topics for many information security officers and
almost all suppliers within the IT security industry at present is
data loss prevention.

For many information security officers (ISOs) and IT directors,
not a week will pass without a supplier calling to talk about and
sell a data loss prevention solution that is hailed as a way of
controlling data egress points.

From the products I have tested, I can say that they do what
they say on the packaging, but in this economic climate, when
boards are mandating decreased budgets and businesses drive for
lower operational costs, is there another way of achieving a
similar result without large capital outlay?

Good increases in data management can be achieved through a good
information security awareness programme. A good awareness
programme can make significant strides to decrease accidental loss
of data, which is by far the most common cause of data breaches,
and then use technical solutions to assist and complement the work
of the awareness programme. Awareness programmes take time to set
up and need buy-in from the very top of the business. Key
executives are usually happy and eager to help; they see both the
security benefits and the benefits of lower operating costs.

For example, the use of portable media has caused many
businesses a large headache and has led to a number of
high-profile data breaches. By educating your staff on the virtues
of good data management around portable devices and ensuring a good
understanding of classification labels and how to protect data
within certain classifications, staff have shown they are capable
of adequately protecting data and correctly using portable media
devices.

This is not to say that you should not complement the training
by issuing only encrypted portable devices and controlling data
written to non-encrypted devices. In taking this step you reinforce
the training and show the workforce that you are taking the matter
seriously.

By viewing technology as an assistant to good information
security practices rather than the primary enabler to information
security, you are better placed to view the options open to the
business. Taking a broader spectrum view of your business practices
allows you to better understand where information security gains
can be achieved easily and where gains will take longer to
realise.

An excellent area within the realm of information security where
the people element returns excellent gains is in penetration
testing. By engaging different business unit members in internal
penetration testing it is possible to identify where processes are
not working and could lead to potential security issues. Using this
method of penetration testing in conjunction with traditional
external testing you get a fuller and more rounded view of your
overall security stance. This will help in identifying the many
egress routes that data could potentially take out of the
business.

A good security awareness programme will not safeguard against
those rogue employees that want to take the data with them,
however. This is where there is no replacement for the technical
counter-measure. But with an awareness programme in place,
employees will be aware of what will happen if they are found to
have taken data, and the HR department will have an easier time of
dealing with these employees if you can prove they are fully aware
of the policies and have taken part in the awareness training.

Peter Bassill, CISSP, CITP, group information security officer
at Gala Coral Group, is speaking in the keynote on "Is security
about people or technology?" at Infosecurity Europe, 28-30 April,
Earls Court.