With organisations using multitudes of different devices to connect businesses and their customers to a wide range of interlinking systems, securing the end point has never been a more pressing challenge to IT executives in charge of security.
Personal computing devices as well as specialist devices, such as smart meters, are connected to corporate networks and CISOs face the challenge of ensuring each complies with security policy.
The task is huge. At the CW500 Security Club event in March, Neil Cassidy, deputy director of operations at CERT-UK, said 100 billion things, with some computing power, could be connected to the internet by 2020. For the moment, IT strategies such as bring your own device (BYOD) programmes are enough to put end-point security high on CISOs' agenda.
Securing the end point amid the changing technology landscape was the subject of the latest CW500 Security Club meeting of IT security leaders, held at London's Charing Cross Hotel.
Speaking at the event, Nick Coleman, a fellow of the BCS, the Chartered Institute for IT, said the technology landscape has changed and the end point matters more than ever. “Obviously, the IT landscape is changing the number of new suppliers entering the market that you have not worked with before,” he said. “This is a challenge in itself because you have to assure new devices and applications coming into the enterprise.”
Coleman said approaches must be developed to address how to continually assure products that are appearing more rapidly from suppliers that organisations have not worked with before. “The speed of the technology cycle is also changing and we have to assure new versions that are coming quicker,” he said.
At the same time, more and more devices are being connected as part of the business process, said Coleman. “CISOs and IT departments have to deal with more and more things being plugged in and more and more apps are trying to talk to them.”
He said a good example is smart meters, which are connecting to various apps, ranging from those used by utility firms to banking apps for payments. The government's GB Smart Meter Implementation Programme aims to have more than 50 million smart meters installed in homes and businesses across the UK. The project's aim is to enable gas and electricity consumption to be monitored, providing information to help consumers and businesses use energy more efficiently.
More security alerts
Coleman said changing business models that rely on multiple devices and applications will provide more data and lead to more security alerts, which will, in turn, make it harder to spot malicious attacks. The main challenge will be wading through millions of alerts picked up by sensors to focus on, and prevent, the harmful ones. “As we start to get more and more devices connected, security alerts will grow and from that we have to spot the real targeted sophisticated attacks that are going to cause us damage,” he said.
CISOs must focus on security hygiene to disrupt incidents and security intelligence to spot significant risks, he said. “In end point security, we must move on from just hygiene to hygiene and intelligence,” he added.
Security intelligence is now moving to the end point, which is both the main vector for attacks and the vehicle helping an attack to move round an organisation.
Coleman said there are security intelligence products coming to market that are backed by venture capitalists, which suggests the security supplies sector is moving in that direction. But he warned that picking up threats is useful only if informed decisions can be made. “When looking at products, dig a little deeper and look how the security intelligence is presented,” he said.
David Prince, delivery director of cyber security at law firm Schillings, said BYOD and enterprise mobility are driving down business cost while improving business efficiency and effectiveness, but without proper planning, they are also a threat.
He told the story of an unnamed customer that faced a crisis when a journalist called claiming to have some controversial data about the company that could have been very damaging if revealed.
Schillings investigated how the information could have got into the journalist's hands and established that it probably got out through a worker having confidential information about the business on a personal device.
As is often the case, the crisis prompted the company’s top executives to address security, in this case the BYOD issue. “This caught the attention of the general counsel, the CEO and the board,” said Prince.
It was at this point that the executives realised the need for a strategy to manage end points, especially given the number of devices on the network and the overall lack of governance. Schillings began helping the company to put a proper strategy in place.
This project involved creating a BYOD strategy to address risk management, funding, deliverables and timescales. This informed the business policy on technology investment needs and staff education.
Prince added: “It is an overall strategy that has to be broken down into smaller tactical, measurable and achievable steps and without this, you will not succeed when implementing a security strategy.”
He said the customer ran into problems partly because “it sat on the fence when it came to BYOD”. It is important for organisations to decide whether to do BYOD and then stick to their decision, he said. “[In this case] they were indecisive, so people exploited this and did it on their own.”
Ray Cabrera, security and compliance manager at mobile network provider Lebara Mobile, described the steps that should be taken to secure end points. Companies are on the fence about BYOD, which means they often do not have a formal strategy in place covering policy, technology and education.
“BYO is a winning factor. There are a growing number of people asking IT ‘can you connect my device to email from my device?’” Because this gives access to confidential data from devices, security needs to be in place.
He said IT plays an important role in mobile devices but is not fully aware of the risks of things like BYO. As a result, he said, IT might organise the devices and connections but might not get the policy right, or might not have a policy at all, because it does not fully understand the consequences of getting policy wrong.
Cabrera, like Prince, said companies have to make a choice whether to embrace BYOD or lock down.
“We decided to embrace it,” said Cabrera. Once the decision was made, the company began its journey of securing end-point devices.
The starting point is to inform staff that they have to look after their device and review what is being accessed. It is then that you should consult with senior leadership and start formulating policy and a strategy.
“We then approached mobile device management (MDM) suppliers, some of which were very highly recognized by Gartner like AirWatch and MobileIron. What we found with MDM suppliers is that they are very practical, a powerful way to manage emails on mobile devices but they can be expensive and when you are spending someone else’s budget it is hard to get through.”
These additional costs are starting to make businesses look closely at the software they already own and try to create a solution to meet their mobile device management needs.
On a closer look, many companies are starting to see that they already have a lot of MDM capability through Microsoft Exchange and ActiveSync software.
Cabrera said that it is important for companies to sweat their assets.
The audience was then invited to ask questions and debate the issue of end-point security, and securing BYOD was a recurring theme.