
ComputerWeekly.com's Security Think Tank puts information
security questions to a group of experts in the field. This page
compiles all those questions with links to the experts' answers.
Our security panel comprises experts from: (ISC)2, British Computer
Society (BCS), Gartner, Information Security Forum (ISF),
Information Systems Security Association (ISSA), National Computing
Centre (NCC), Royal Holloway, University of London, ISACA and The
Corporate IT Forum (Tif).
Why is corporate adoption of the
trusted computing standard still very low when over 70% of new
computing devices have built-in trusted platform modules
(TPMs)?
Gartner:
Users need to use multiple PCs
There are several reasons why actual usage of the
trusted platform modules (TPMs) is very low,
writes John Pescatore,
vice-president and distinguished analyst at
Gartner. The biggest reason is
that the TPM approach largely ties a user to a single computer by
storing keys and other sensitive data in the TPM chip on that PC.
In the real world, business and consumer users need to use multiple
PCs, such as their work PC and their home PC, for both business and
personal use. The TPM approach doesn’t support that concept very
well - it would have been much better to focus on a secure USB
drive with the TPM chip to support this mobility.
Read
full article
(ISC)2: Users resist limits imposed on their
freedom
From a security manager’s perspective, the Trusted Platform
Standard and modules offer the ability to do some remarkable
things, technically enforcing the application of encryption,
copyright licensing, policies on the use of unauthorised software
and the like, writes Hord Tipton, CISSP-ISSEP, CAP, CISA,
executive director at (ISC)2. Some modules even allow the
administrator to monitor what individuals are doing on their PCs,
what data is being accessed and where it is going. But as with all
elements of good security practice, it never comes down to the
technology alone. There is significant opposition to the
application of the Trusted Computing Standard. Users do not like
control being imposed on their PCs, particularly if they do not
have a good appreciation for why the controls are in place.
Read full
article
ISSA UK: ‘Treacherous Computing’ can constrain
legitimate software
The Trojan horse is often cited as the event that led to the
demise of Troy, writes Raj Samani from ISSA UK. Although the
theft of the Palladium by Odysseus and Diomedes is the action that
allowed for the daring raid. The Greeks learned that Troy was
protected by the Palladium, and would not fall while it remained
within Troy’s walls.
Read full
article
BCS: Cost of support outweighs the
benefits
The use of any standard depends on a need (to use a standard)
and/or the availability of products that can effectively leverage
the particular standard, writes Peter Wenham, committee member
of the BCS Security Forum Strategic Panel and director of
information assurance consultancy Trusted Management. Extending
this thought a little more we see that within the corporate world
the use or adoption of a product will depend in part on the degree
of support the product will need ‘in service’, in part on the
knowledge and skill levels available within the organisation and in
part on adoption and support costs.
Read full
article
ISACA: Users reject Trusted Computing because of
privacy and security concerns
Trusted Computing, and its various implementations, have been a
perennial topic since the mid 1990s, writes Rolf von Roessing,
international vice-president at ISACA. The first initiative,
such as the "Clipper chip", met with grass-roots resistance, and
subsequently industry resistance, as many thought this a
misdirected attempt at government supervision and surveillance.
Read full
article
How can businesses assess and
mitigate the security threat of networked devices such as printers
that have operating systems which can continually re-infect
networks with malware?
ISACA: Passwords and encryption strengthen printer
security
When we
conduct a penetration test of a corporate network, we typically
find dozens of printers offering management pages without
passwords. This means that anyone on the network could not only
print to the machine, but also control it, change the print
settings and send faxes.
read full article
BCS: Responsibility for security of end-point
devices must be shared across the business
Network scanning technology needs to be capable of addressing
the end points to ensure that anti-virus or software updates are
run on printers and other connected devices to keep them virus-free
and "healthy".
read full article
ISSA: Security managers must keep pace with weak
points in connected devices
Restrictions provide a back door into organisational networks
through [the lack of] security in embedded devices.
read full article
Tif: Risk assessment enables targeted security
management
There is a broad spectrum of serious risks and vulnerabilities
to be addressed, in which networked devices re-infecting networks
is only one challenge.
read full article
How can security play a central role in enabling
business growth?
Information Security Forum: Meeting regulations is
key security advantage
The business case for information security has finally been
recognised. Rather than being viewed as an unwanted necessity and
expense, information security is now seen as a valuable contributor
for protecting and managing brand image.
read full article
BCS: Good security and security governance can help
win business
A very simple view of how security can enable business growth is
to consider the question "why do cars have brakes?" The answer
given by most people is that the brakes are there to stop the car,
which is true of course, but not the reason.
read full article
ISACA: Strong security builds trust; trust builds
business
The first challenge in attempting to articulate the extent to
which security can help business growth is for the enterprise to
recognise that security is a business issue, not just a technical
one.
read full article
ISSA: Raise the profile of security’s risk
management potential
The name Paul Moore, former head of risk at HBOS, is not
synonymous with information security, but perhaps it should be.
read full article
Gartner: Seven ways to align security with the
business
There is no single tactic or strategy that guarantees success in
improving business alignment of security. Rather, a number of
varied but interrelated actions need to be identified and executed
to improve alignment over time.
read full article
(ISC)2: Security bridges divide between IT and
business
As information security grows in stature within the
organisation, we in the profession must be careful not to develop
any delusions of grandeur. No matter how crucial our efforts may
be, we must recognise that we are very firmly cast in a supporting
role.
read full article
Tif: Protection of customer data makes a strong
selling point
There is no doubt that security will play an increasingly
important role in enabling business growth, but it requires those
in the boardrooms of Great Britain to wake up to the real
challenges that will threaten their business over the next decade.
read full article
What should businesses be doing to assess and
manage the security risks of instant messaging?
Corporate IT Forum: The triangle of
trust
Corporate IT Forum members collectively believe that the triangle
of trust around security is policy, enforcement and education.
Obviously, individual organisations must decide how far they want
to go with each of these, depending on the nature of the risk and
its potential impact on the business.
Read the full article
ISACA: Develop flexible IM guidelines
Any security technology that is developed for IM applications
must be easy to use and, ideally, be as unobtrusive as possible.
Read the full article
BCS: Mitigate risks with security
awareness and access control
The first thing any company should do is to ensure they have a
comprehensive set of acceptable use policies (AUPs) covering such
things as IM, e-mail and internet access. They must also ensure
that staff are aware of the various AUPs and sanctions for abuse of
an AUP.
Read the full article
ISSA: No silver bullet for instant messaging
security
Introducing new communication channels for business also becomes
a new delivery channel for malware and spam (or spim - spam over
instant messaging). The popularity of IM is not lost on those that
propagate such unwanted traffic.
Read the full article
(ISC)2: educate, monitor and block
My advice to companies would be to allow it internally, but to
block any IM activity with the outside world. That way, the chances
of connecting inadvertently with a stranger and disclosing company
information, or of clicking on a malicious link, would be reduced.
Read the full article
Gartner: Comprehensive web security
IT organisations must recognise that instant messaging (IM) is
no more or less secure than any internet-facing application. It is
really just one of the issues to consider when developing a
comprehensive solution that will protect organisations from all
types of Web2.0/internet threats.
Read the full article
What qualifications, technologies, sectors and
networking events should IT security professionals be looking at to
help increase job security and further their careers?
BCS: Balance corporate needs with personal career
aspirations
In the current conditions, employers are, rightly, pretty
focused on performance and efficiency savings, and so it is
important to be able to be strategic about balancing corporate
needs with personal and future career aspirations.
Read the full article
Isaca: Information security professionals must
broaden their horizons
In these challenging times, it is prudent to take stock of where
you are and make sure you are doing everything in your power to
contribute to the success of the organisation you are working for.
Read the full article
Issa: Building a profile is key to career
progression
Clearly certifications can demonstrate a measurable difference
between candidates, but where particular qualifications are seen as
merely a baseline, inevitably a greater differential is required.
Read the full article
ISF: Bridge the gap between IT and business to dodge
layoffs
The profession is changing: there seems to be a bigger drive for
consultants with a greater understanding of business (and how it
works) and a need for people who can 'bridge the gap' between
technology and business. Technology specialisms are also likely to
be in demand.
Read the full article
Gartner’s tips for furthering your IT security
career
Gartner has seen a dramatic increase in programme maturity over
the past 10 years. Tools are still important pieces of the puzzle,
but scalable, repeatable processes are now at the centre of
security programmes.
Read the full article
(ISC)²: Keep your finger on the pulse and stay
relevant
Currently there is a huge interest in cloud computing and all
that involves. It is certain that businesses will want to take up
this business model and that security professionals who understand
the threats and vulnerabilities and have looked at ways of using
this technology securely will be in demand.
Read the full article
Are information security risks really increasing
with offshoring and outsourcing and how can the IT security
professional assess and mitigate the risk?
(ISC)2: Legal input is vital to meet data privacy
challenge of outsourcing
When offshoring and outsourcing, it is more likely that data is
made accessible to third-party vendors or other combined legal
entities. For this reason, the involvement of legal professionals
is paramount to understand processing and disclosure principles and
policy.
Read the full article
ISSA: Balance cost and risk for outsourcer
information assurance
In the film Meet the Parents, the character played by Robert De
Niro unveiled his new invention dubbed the nanny camera. It had a
motion-activated camera positioned within a teddy bear that would
record the babysitter for later viewing.
Read the full article
BCS: Remember you are outsourcing process, not legal
responsibility
Intuitively, the belief is that security risks are raised when
outsourcing or offshoring. But, if you analyse it, I doubt that
there is any real increase in risk, providing the vendor selection
process is conducted properly and the results are fed through to
the contract stage.
Read the full article
ISF: Get in early to mitigate outsourcing data
risks
Consistently the biggest information security problem associated
with outsourcing has been in being late to the party. Finding out
about the outsourcing deal after it had been signed, not being
invited to participate in the vendor assessment process and
realising that security was not part of the deal.
Read the full article
ISACA: Reality check your outsourcing
risk
This is of course something of a trick question, or should be.
All organisations need to begin any risk assessment for existing
outsourcing contracts from an operational risk perspective.
Read the full article
Gartner: Define a process to protect data when
offshoring
Offshore outsourcing is an emotive topic, and the security and
privacy risks specific to offshoring can often be perceived, rather
than real. Indeed, many companies have significant challenges
managing security requirements with third parties regardless of
location.
Read the full article
Application security is a growing area of
concern, but what can UK businesses do to ensure the applications
they buy today are not going to be security threats of
tomorrow?
Isaca: Build security into the entire software
development life cycle
Application software is always going to contain flaws. The trick
is to catch the mistakes as early as possible.
read full article
ISSA UK: Defence in depth is key to
application-level security
Having objective safety information is critical to the selection
of a product that demands security for its users. For IT managers,
such critical information for deciding which application is best
for running the payroll is likely based on vendor assurances.
read full article
Gartner: Technologies for application-level
security
As attacks become more financially motivated and as
organisations get better at securing their network, desktop and
server infrastructures, there has been a shift in attacks to the
application level. To address those new risks, several technology
markets for application security have emerged.
read full article
How can business ensure security
technologies are aligned with work processes so that it is easy for
end-users to do the right thing and not circumvent
controls?
ISSA UK: Give users an alternative to
breaking the rules
Unless you believe everything depicted in the TV show 24,
employees are not recruited by foreign intelligence services, and
data exfiltration is due to mistakes rather than malicious intent.
read full
article
ISF:
Get processes right, and the security will
follow
Many
organisations still fall into the trap of selecting a security
technology and then attempting to retro-fit a process around it.
Often the resulting process is clumsy, encouraging users to make
short cuts, or to simply perform tasks in a roundabout way. So,
instead, reassess the problem in hand, design a new process and
once that is right the appropriate security technologies should be
easier to identify.
read full article
BCS: Security must be compatible with working practices
Many security
technologies do not appear to be effective because they do not fit
in with the way people work. Users often ignore, avoid or
circumvent anything that makes it difficult for them to do their
jobs. And why would they not?
read full article
Gartner: Raise awareness
of security
measures
Internet and IT
risk have an impact on all employees, and controls required to
mitigate these risks will inevitably constrain or hamper the
activities of all users. A reality of human behaviour is that
whenever controls are implemented that affect what people do, many
of them will modify their behaviour in unexpected or undesirable
ways.
read full article
ISACA:
Ensure employee buy-in to security
measures
The two most significant factors that
lead to employees circumventing security controls are lack of
employee "buy in" to the controls and the absence of a good fit
with "business as usual".
read full
article
(ISC)2:
Accountability is key to
security
Unfortunately the accountability of the user is yet to be
well understood, which leads to error or justified flouting of the
rules, often with management support, in order to get a job done.
This presents a colossal task for the security manager to ensure
employees understand the whys and wherefores of what is being asked
of them.
read full article
Full disk encryption is expected to be the top
security technology to be tested or adopted this year, what are the
challenges and benefits likely to be?
Assess your software- and hardware-based full disk
encryption options
There are still plenty of people who believe that a strong
Windows password will protect the contents of their laptop.
However, the truth is that anyone with physical access to your
laptop can also have full and unrestricted access to your data,
unless you have encrypted the hard disk.
Read the full article
Full disk encryption effective, but lost
productivity needs to be addressed
Within large organisations, full disk encryption is already
considered necessary to protect files and data - it is becoming an
"as standard" technology and has been for some time. Indeed, in
certain areas of the IT estate - such as laptops - encryption is
now seen as 'unequivocal'.
Read the full article
Benefits of full disk encryption lie in avoiding PR
and compliance risks of breaching data
According to Forrester, full disk encryption will be the most
piloted or adopted security technology in 2009. With national press
now interchanging data loss stories with reports on an ailing
housing market, this is hardly surprising.
Read the full article
Increased mobility makes full disk encryption more
important, but so is end-user policy management
The security officer is becoming increasingly aware of the
importance of controls for end-user computing, writes Alessandro
Moretti, co-chair of the (ISC)2 European Advisory Board, The
Information. With end-users becoming more mobile thanks to the
advances of technology, the number of laptops in an organisation
is increasing.
Read the full article
Business case must be well-managed to balance cost
and benefits of full disk encryption
Full disk encryption (FDE) is expected to be the top security
technology tested or adopted this year. There is little doubt
encryption helps improve security. The issue that requires more
thought on a case-by-case basis is that of desktops and the point
at which the overhead becomes worth it.
Read the full article
Realise the full benefits by encrypting hard drive
and storage media
Full drive protection completely replaces the contents of a
user's hard drive with an encrypted image. If this is combined with
pre-boot authentication, a thief really has nowhere to start in
breaking out the contents of the drive.
Read the full article
Full disk encryption performance faster but easier
interfaces still expensive
Full disk encryption (FDE) appears to offer an ideal solution to
the increasingly publicised losses of data on laptops, CDs and
thumb drives. By encrypting all the storage area on a device, FDE
removes the need for an end-user to consider whether the
information is protected.
Read the full article
How secure is the current practice in
virtualisation?
Information Security Forum: Leverage the benefits of
virtualisation but in a secure way
The key driving force behind virtualisation is the
promise of reduced costs resulting from server consolidation.
read full article
Sapphire Technologies: Guard physical and hypervisor
layers against unauthorised access
Virtualisation technology makes best use of
available processor and memory resources.
read full article
ISSA: Set up virtual machines with extra
caution
The stampede to employ virtualisation shows no
signs of waning in 2009.
read full article
BCS: If you outsource your virtualisation,
thoroughly check your provider's security
When you search for virtualisation, the results
don't directly include security.
read full article
Security as a service: how are the
patterns of risk and reward changing?
(ISC)2: Higher rewards for the client mean higher
risks for the security service provider
Overall, both the sum of risks and
the sum of rewards stay constant, they are just distributed
differently in the client-provider relationship.
read full article
ISSA UK: Business rewards make risk
worthwhile
The latest buzzwords are security as
a service. The term refers to the delivery of traditional security
applications as an internet-based service. It is not a new term,
making its first appearance in 2001 when McAfee filed a patent for
the delivery of security software as a service over the internet.
read full article
ISACA: Careful implementation and management of security service
is essential
Security as a service, if
implemented and managed properly, can allow enterprises, and in
particular the smaller business, to outsource essential security
tasks for which they do not have the internal resources or the
expertise.
read full article
The Corporate IT Forum: Rewards outweigh security
drawbacks
It is now over a year since we
tested corporate attitudes towards outsourced security services and
found that many Corporate IT Forum members were routinely
outsourcing security functions such as spam management, e-mail
virus and vulnerability scanning for external threats. We
established that members felt comfortable and confident with the
services provided, with many regarding them as cost-effective and
sound business choices.
read full article
BCS Security Forum: Managing the risk is essential
when outsourcing security
In seeking to provide a detailed
response for the above questions, views have been sought from the
wide community of experts that make up the BCS Security Forum
Strategic Panel (SFSP).
read full article
Gartner: Poor implementation presents the greatest
risk - failure
Security as a service can provide cost savings
and accelerated implementation cycles, just as software as a
service (SaaS). However, the “as a service” approach can fail if
applied under the wrong circumstances using a poor implementation
methodology.
read full article
With the bank failures of recent weeks, more
pending redundancies and a continuation of the downward slide,
should we be concerned about lax security? Is someone minding the
store while all this is going on or should we be doing something
more when the banks are going bust?
BCS: Secure employee access to prevent insider
threat
Even an organisation with very good security can find it is
effectively more vulnerable than an organisation with poor security
if it is going through a period of change, such as redundancies,
cost-savings, mergers or outsourcing.
read full article
(ISC)2: Guard business assets against
increased threat
The value of business assets, (for example, intellectual
property, client data and service availability, managed in-house or
via third parties) does not diminish during a downturn. During such
time, there is an increased emphasis on the identification of key
business assets and the mapping of a formal, consistent, and
proportionate security strategy.
read full article
NCC: Beware employees' "exit strategies" during
downturn
Even the most process-oriented institution hinges on the human
components that carry the information systems through their
lifecycles from conception to disposal.
read full article
ISSA: Be vigilant of saboteurs' revenge
cybercrime
The threat of sabotage to organisations from disgruntled
existing or former employees is very real, and can have a large
impact on organisations.
read full article
Gartner: Drop in staff morale increases security
threat
Organisations can expect to experience internal security
problems as staff reductions in turn reduce morale. Undoubtedly,
there will be malcontent about reductions in stock or bonuses,
outsourcing or redundancy.
read full article
ISACA: Don't let turmoil distract attention from
security
While most enterprises in financial services have generally
understood the need for high levels of security and have applied
themselves to implementing and managing effective and appropriate
security measures, there is little doubt that risk will have
increased throughout and following any major market upheaval.
read full article
ISF: Security is not primarily a technical
issue
The great myth associated with information security is that the
risks are primarily technical. However, practitioners in the
trenches know better - the greatest vulnerabilities organisations
face are down to human behaviour.
read full article
How do you protect from
malware your mobile employees and customers, who lie beyond the
network frontier?
ISSA: Traditional controls inadequate
There is a common misconception that because an organisation has
anti-virus, it must be safe.
read full article
Tif: Boundaries are blurring
The notion of a boundary existing between "locked down" IT
systems inside the corporate network and everything else operating
outside it does not make as much sense as it once did.
read full article
ISF: Extend the security perimeter
By and large, corporates have solved the problem of protecting
the security of workstations against malware in their own internal
environment.
read full article
ISACA: Constantly mutating challenge
The idea that enterprises have made great progress in locking
down their infrastructure to protect end-users from malware may not
be totally accurate.
read full article
Gartner: Control devices and encrypt
data
As new and improved technologies appear in the mobile markets,
and are adopted by businesses, so new threats and attacks appear.
read full article
BCS: Audit and educate
Attend the likes of InfoSec to ensure you are up to date with
the latest products and then seek the advice of an expert
consultant to help in cutting through the snake oil.
read full story
NCC: It's all about layers
Working outside an organisation's physical domain brings certain
responsibilities with it and the road warrior must take caution
along in the kit bag.
read full story
Has the government got the business case for ID
cards right?
Royal Holloway:
Benefits to the citizen have yet to be
proven
In asking whether the government has got the business case for
ID cards right, we need to understand precisely what that business
case is.
read full article
BCS: Now is the time for
action
I don't need platitudinous diktat from government indicating
that they are doing me a new favour.
read full article
NCC: Be sure of making the complete
case
ID cards are only part of the identity management solution - not
the solution - nothing ever is.
read full article
ISSA: ID cards - analyse the
facts
Let's put emotion aside when asked about national identity cards
and analyse the facts presented by the Identity and Passport
Service.
read full article
In view of the cyber-warfare dimension to the
Russia-Georgia conflict, and the Chinese cyber-espionage ongoing
against the west since c.2003 ("Titan Rain", and so on), how
concerned should we in the UK be about state-sponsored
hacking?
ISSA: The threat to the UK from cyber terrorism
What has the UK got to fear from hackers?
read full article
NCC: The national threats from
hackers
What could hackers realistically do to disrupt our national
infrastructure, and how should government respond?
read full article
(ISC)2: We know how to deal with the
threat
There is much to fear from hackers, but using established security
principles UK government can deal with the threats
read full article
ISF: There is much to prepare for
Governments must be prepared for "blended threats"
read full article
ISACA: The cyber-crime threat is difficult to
measure
Cybercrime threat is very real, but dealing with it will
be difficult
read full article
What tools can be used to prevent or mitigate
employee wrongdoing?
NCC: Put your faith in standards
Implementing the right security standards is the best way to stop
insider fraud.
read full article
ISSA: Control is the key
You need to get the security fundamentals right, and then ensure
your controls can be (and are) effectively enforced.
read full article
ISF: Take a holistic approach
People, motive, opportunity and means: you need to cover all the
angles if you're serious about protecting the organisation.
read full article
Tif: Access management comes first
Sure, tools are useful, but only after you have identified which
staff need which information, and you have processes in place that
can deliver and control that access.
read full article
(ISC)2: Protect controls as well as
systems
Vigorous and independent audits are key in underpinning the
controls that safeguard your systems against fraud.
read full article
BCS: Management buy-in essential
Until the management of large
organisations understands the need for the ongoing maintenance of
IT security systems, and fully supports it, employees will continue
to evade controls and commit fraud.
read full article
Royal Holloway: Control the
controllers
So what really happened at Société Générale?
read full article
Social networking sites: what are the associated
risks at a corporate and at an individual level?
Gartner: at-a-glance guide to social networking
risks
Multiple worms and viruses have been introduced to various social
network environments. Content distribution within a social network
parallels peer-to-peer environments and can support rapid
distribution of malware embedded in applications and graphics
read full article
BCS: Individual risks become corporate
risks
As a result of the strong human desire to connect, social
networking websites have encouraged online behaviour where security
and privacy are not always the first priority. The key cause for
concern is the late realisation of the open nature of the web and
thus how much personal information has been left exposed to any
passing stranger
read full article
Tif: Limit your liability from social
networking
The main risk of social networking comes from the blurring of a
participant's professional and personal profile. Very often, social
networkers align themselves with professional networking groups
that indicate clearly who employs them and what their job function
is. Potentially, this can make it very easy for criminals to
harvest information that can be used against them or their
companies - so called "social engineering"
read full article
NCC: Social networking security is a people
issue
It is an enticing technology but few of the associated risks are
really technology problems. It is no different from that old
managerial adage of "less gob, more job". And heavy handed bans are
unlikely to mitigate the risks. You may curtail the workplace
access, but you cannot control the cybercafe or home PC without
instilling staff with a risk-literate attitude
read full article
ISSA: Would you shout your details in the
street?
The danger of giving too much information away on social networking
sites is of significant concern. Even information that seems
innocuous, such as date of birth and postcode can be used for
nefarious motives. How many times is this sort of information used
as a challenge when speaking to a call centre operative to prove
your identity?
read full article
ISF: A greater social networking threat on the
horizon
Last year, Facebook purchased Parakey, a start-up from two of the
creators of Firefox that promises a web-based operating system
designed to bridge the gap between desktop and web and make it
easier to move content between the two. How long will it be before
one of these sites gives simple remote access from PC to PC?
read full article
(ISC)2: Policies hold key to social networking
security threat
The rapid take up of social networking sites offers cyber criminals
and mischief makers a new large target. Remind colleagues not to
use any workplace e-mail addresses or passwords on these websites.
Many of these websites do not encrypt user log-on details.
Passwords and user IDs transmitted in clear text across the public
internet are subject to possible interception or compromise
read full article
Indications are
that remote working was able to reduce the financial impact for
those companies that have enabled it, but very few small and medium
businesses have the budget or technical ability to implement and
manage secure virtual private networks (VPNs) with sophisticated
network access control.
Remote working - how risky is it and what can small businesses
do to enable it securely?
ISACA: Low-cost and secure remote working is
achievable for SMEs
Remote working is commonplace in the corporate
world, but many small businesses have still to take advantage of a
secure method to permit their staff to connect back to the office
when they are working at home or travelling. Whilst there are
low-cost, adequately secure alternatives, small businesses are
generally unaware of the technology or the risks of a poor
implementation.
read full article
ISSA: Remote working is not all
or nothing
Remember looking out of the window and being
greeted with a blanket of snow? The very hint of no school and a
day in the snow is every kid's dream. This attitude changed one
day, and the only thought was the impending journey into work
because a day out of the office is surely unthinkable. For many
organisations, the feeling of an enforced day out of the office is
translated into a day of inactivity. Without the technology to pick
up e-mail, access information, or even change face to face meetings
into conference calls, the merest hint of snow could have CEOs
clambering for the keys to the snow plough.
read full article
(ISC)2: Remote working need not be
feared
Remote working
should be encouraged and embraced, not feared, in companies
where the actual work can be done remotely.
read full article
ISF: Remote working is a challenge for companies of
all sizes
Even large organisations struggle to secure remote working -
and that is with multi-million pound budgets, 24x7 support and
dedicated technical teams. Small businesses are exposed to the same
risks, may not have any of these controls, yet would still like the
flexibility and convenience that remote working offers them.
read full article
Gartner: SMEs at
risk from casual remote working
practices
Most organisations have remote workers, whether teleworkers
working from a home office, or mobile
workers who work from a variety of locations. However, some
organisations do not know who is working remotely, how much of the
time, or which tools and services they need. This creates not only
business risks, but potential IT security risks, as no defined and
agreed mechanism is in place for ensuring that the right people
gain access to the right corporate resources securely.
read full article