The idea that enterprises have made great progress in locking down their infrastructure to protect end-users from malware may not be totally accurate, writes Paul Williams, chair of ISACA and IT governance adviser to Protiviti.
Any progress made against malware comes at a tremendous cost. Security companies spend significant resources deploying monitoring systems to capture malware as early as possible so that their research teams can diagnose the code and quickly release a fix. Similarly, enterprises spend a great deal deploying multiple layers of protection. Resources go into patching existing systems rather than implementing and deploying new business-enabling technologies.
Moola first, mischief second
The reduced number of incidents reported has more to do with the financial benefits that flow from capturing personal information rather than from better protection against malware attacks. Hackers and malware writers are channelling their efforts for financial gain rather than spending their time creating mischief. The fewer malware incidents do not mean we are better protected, but that attacks have become more focused and stealthier.
Traditional security incidents may return in the form of terrorist or politically motivated attacks, and security officers need to watch for signs of such attacks. But they need to pay even more attention to the protection of sensitive and private information and the scams used to capture information from users.
Beyond the borders
The larger challenge for security officers is to provide protection beyond the borders for end-users who are increasingly mobile and who have greater choice of the technology form they will use. In this highly distributed, mobile and technology-rich business world it is difficult to approach protection as in the past. The availability of cheap, high-capacity USB memory sticks and Wi-Fi enabled networks are examples of the lowering of barriers.
Traditional countermeasures are no longer enough by themselves when the boundaries of organisations are constantly shifting. End-user awareness and tighter integration of information security activities with business strategy and product development are necessary to understand risks and to structure protection strategies aligned with business goals.
Even so, incidents are still likely to happen. Technical controls, awareness, monitoring, and incident response can no longer provide the levels of protection required to support e-business.
What is lacking is the ability for users in their personal and work lives to establish identities that can be trusted and for organisations to be able to present an identity that can be trusted. Without the assurance of identity and trust among end-users, the effective protection of personal and sensitive information will remain difficult to attain.
Paul Williams is chair of ISACA and IT governance adviser to Protiviti
This was first published in May 2008