People Power: the trade-off between productivity and network security


We have entered an era in which people are not slaves of their computers and desks to access information anymore. Mobile technologies, social networking and a multitude of new devices provide us with an unseen freedom of information, communication, collaboration and productivity. But there are many security risks...




Document Transcript

• People power: exploring the trade-off between productivity and network security?

• Made up of more than 1,800 consultants, architects and designers, BT Global Services offers one of the biggest dedicated security practice communities in the world.
• Be careful what you wish for

Fifteen years ago we were enslaved. To access information we had to be in front of our computers, at our desks, in our offices. Today the balance of power has been turned emphatically on its head. Technology now serves us wherever and whenever we want it to, via a huge range of devices.

Yet while people have become increasingly central to this evolving story, the way business thinks about security isn't keeping pace. For many CIOs this mind-boggling freedom of information can appear pretty scary. They don't quibble with the idea that productivity has been enhanced by technology, but they do have a sense that being able to access data anytime, anywhere has created more security threats. So can the two things co-exist? What exactly are the new risks? And what role do people play in keeping data secure?
• Cyber-crime 2.0

Never has corporate data appeared so attractive to people involved in cyber-crime. The early history of the internet saw cyber-crime targeted principally against the individual consumer. But times are changing. A Forrester report in 2010 found that proprietary knowledge and company secrets are twice as valuable as the kind of information typically found on a consumer's computer or phone (card details, medical data and so on). Ovum cites figures from the UK government that cybercrime is costing the country £27bn annually[1]. Extrapolate those figures globally and the numbers become frightening.

So if the intellectual property of the business world is such a target, it follows that IT departments should be re-doubling their efforts to keep it secure. Yet that's easier said than done. According to a study by McAfee, 68 per cent of data loss comes from within[2]. In other words, while IT departments are pulling out all the stops to keep people from the outside getting in, the bigger problem actually comes from their own colleagues. Of course on the whole such leaks are accidental – people leave a machine unencrypted or send an email to the wrong person by mistake – but even allowing for the inevitability of a bit of human error, 68 per cent feels worryingly high.

Adding to the complexity, and giving cyber-criminals more opportunities to access company data, is the explosion in the number of devices out there. In Brazil there are now more mobiles than people[3]. In the US, 85 per cent of children own or have access to a mobile phone while only 73 per cent own a book[4]. Devices like the iPad are bought for leisure yet are also used (by 51 per cent of people according to recent figures[5]) to log on to work systems. Are these personal devices vetted by the IT team? Often they're not.

1 Source: Silicon.com, www.silicon.com/technology/security/2011/03/09/cyber-espionage-firms-fail-to-take-threat-seriously-39747112/
2 Source: www.softcat.com/files/pdfs/TheThreatsEnglish.1.pdf
3 Source: TechEye.net, www.techeye.net/mobile/cheap-handsets-mean-more-phones-than-people-in-brazil#ixzz1IGJDVVHJ
4 Source: Digital Buzz, www.digitalbuzzblog.com/mobile-statistics-2011-growth-of-mobile/
5 Source: http://globalservices.bt.com/static/assets/insights_and_ideas/risk_resilience/pdf/btgs_gs09_6thingsuneed2knowin2010_whitepaperFINAL.PDF
• But when you flip this over and look at devices approved and provided by work, a similar problem occurs. As many as 21 per cent of people let their family use their work laptop to access the internet[6]. Are those family members versed in the company's IT policy? Again, the answer is likely to be 'no'.

Revealingly, at an event in London in April 2011 IDC expressed the view that viruses are no longer the biggest security threat. That dubious honour now lies with what it described as 'security sprawl'.

So how should these risks be tackled? Firstly by not trying to swim against the tide. Employees, especially the younger generation, have grown up with the internet. Trying to prohibit the use of certain devices or certain ways of using those devices is futile. There's also a good chance that by seeking to place limits on the way technology is used, you will also place a limit on people's effectiveness and on their ability to innovate. Instead the best approach is to take the following sensible steps:

> Education. Ongoing training should be provided so that people understand your organisation's policy on information security, personal email use or plugging personal iPods into computers, for example.
> Access. You need to get the balance right, giving people the access to the information they need, with enough leeway to be able to innovate and do their job. But full administration rights to all data are rarely appropriate for the entire workforce.
> Encryption. Always encrypt your commercially sensitive data, and particularly any customer data you may hold. It sounds obvious, but not all organisations do it. Most software applications – even mainstream ones, such as Microsoft Office – support strong encryption.
> Monitoring. Security monitoring is no longer optional – network traffic should be monitored on a 24/7 basis for two reasons. Firstly, so that you can undertake forensic analysis in the event an issue occurs and secondly, to detect threats in real time so they can be tackled immediately.

6 Source: http://globalservices.bt.com/static/assets/insights_and_ideas/risk_resilience/pdf/btgs_gs09_6thingsuneed2knowin2010_whitepaperFINAL.PDF
• Where mobiles go when they die

The economic climate has a role to play in this debate too. With most economies still only tip-toeing out of recession, employees are generally holding fire. But research shows that once the market starts to accelerate again, many will be looking for new opportunities – in the US one in five employees plan to change jobs when the recession lifts. In the UK that figure is more like one in three[7]. Ex-employees can take devices with them, might have knowledge of passwords and may have accessed the company system using their own laptops or smart-phones.

For others, redundancy will be their route out of the company, sometimes with potentially catastrophic consequences. Last year a former network engineer at Gucci was charged with hacking into the company's network[8], deleting data and shutting down servers and networks. He faces 15 years in jail, but for Gucci, the reputational damage has already been done.

Even if devices are thrown away they can still cause problems. The increasing popularity of websites that buy old mobile phones is a good example. In research from March 2011 by data protection company CPP, 81 per cent of people said they had wiped their mobile before selling it. Yet when these phones were examined by experts 54 per cent contained sensitive personal data – PIN numbers, bank account details, passwords.

7 Source: http://globalservices.bt.com/static/assets/insights_and_ideas/risk_resilience/pdf/btgs_gs09_6thingsuneed2knowin2010_whitepaperFINAL.PDF
8 Source: SC Magazine, www.scmagazineus.com/former-gucci-insider-charged-with-hacking-network/article/200030/
• Combating these threats requires action by three groups of people within the organisation:

> The IT department needs to make sure that all usernames, logins and passwords to company data are cancelled when people leave the organisation.
> The HR team should double check that access tokens and key fobs have been returned.
> Individuals need to be aware of the company security policy. It should contain guidelines and advice to help them act responsibly and safely in the way they use and access data and devices. Training should be carried out for new joiners, with refresher courses for existing staff.

BT Global Services has developed active alliances with more than 100 leading security partners including Check Point, Blue Coat, Crossbeam, IBM ISS, McAfee, EMC/RSA, Microsoft, Oracle / Sun, Juniper, Cisco Systems, HP, Websense, ActivIdentity and Symantec.
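The IT and HR actions above are only as good as the check that proves they happened. As an added illustration (not BT's code, and not part of the paper), this leaver reconciliation cross-checks an HR leavers list against accounts that are still enabled and tokens that were never returned; the employee ids, systems and token serials are constructed sample data, and the grace window is an assumption the caller sets.

```python
"""Leaver reconciliation: which leavers still have live logins or unreturned tokens?
Added example with constructed data; in practice the three lists would be exported
from the HR system, the directory/application accounts and the token inventory."""
from dataclasses import dataclass, field
from datetime import date

# Constructed sample data (hypothetical employees, systems and token serials).
HR_LEAVERS = {            # employee id -> last working day
    "e101": date(2011, 3, 31),
    "e102": date(2011, 4, 15),
    "e103": date(2011, 4, 29),
}
ACTIVE_ACCOUNTS = [       # (employee id, system, username) still enabled today
    ("e101", "vpn", "a.smith"),
    ("e101", "crm", "asmith"),
    ("e102", "email", "b.jones"),
    ("e104", "vpn", "c.brown"),   # current employee: must not be flagged
]
TOKEN_REGISTRY = [        # (employee id, token serial, returned?)
    ("e101", "RSA-000123", False),
    ("e102", "FOB-77", True),
    ("e103", "RSA-000456", False),
]

@dataclass
class LeaverReport:
    orphaned_accounts: list = field(default_factory=list)  # (emp, system, user, days_gone)
    unreturned_tokens: list = field(default_factory=list)  # (emp, serial)

def reconcile(leavers, accounts, tokens, today, grace_days=0):
    """Return live accounts and unreturned tokens of leavers whose last day has passed.
    grace_days tolerates an agreed handover window after the last working day."""
    report = LeaverReport()
    for emp, last_day in leavers.items():
        days_gone = (today - last_day).days
        if days_gone <= grace_days:
            continue  # still employed, or inside the handover window
        for acc_emp, system, user in accounts:
            if acc_emp == emp:
                report.orphaned_accounts.append((emp, system, user, days_gone))
        for tok_emp, serial, returned in tokens:
            if tok_emp == emp and not returned:
                report.unreturned_tokens.append((emp, serial))
    return report

if __name__ == "__main__":
    r = reconcile(HR_LEAVERS, ACTIVE_ACCOUNTS, TOKEN_REGISTRY, date(2011, 5, 1))
    for emp, system, user, days in r.orphaned_accounts:
        print(f"IT: disable {user} on {system} ({emp} left {days} days ago)")
    for emp, serial in r.unreturned_tokens:
        print(f"HR: chase token {serial} from {emp}")
```

Run it on a schedule against the real exports and the two lists become the IT and HR to-do items the paper asks for.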
• The wild west of the security world?

The influence of Twitter – the world's most famous five year-old – continues to amaze. In the days after the Japanese earthquake, relief organisations were using the micro-blogging site to post information for non-Japanese speakers trying to contact relatives left homeless[9]. And the US State Department used Twitter to publish emergency numbers to inform Japanese residents in America how to contact families back in Asia.

But Twitter isn't alone. There are now more social networking accounts than there are people on earth[10]. Facebook and Twitter generally hog the column inches, but there are numerous big hitters elsewhere in the world. The dominant social network in Brazil is Orkut, in China it's Qzone, while Russia has VKontakte. And while corporate marketing teams have been relatively slow to understand how best to use social media sites, they're now starting to see the dollar signs. Marketing messages make up a growing chunk of the one billion (yes, one billion) messages that get sent every single week on Twitter[11], while sites like Facebook are increasingly being used as the go-to channel for retailers trying to 'engage' with customers. Starbucks boosted sales of Christmas drinks by 15 per cent last year by inviting its Facebook fans to choose seasonal flavours[12]. And Coca-Cola records at least 10 times as much traffic to its Facebook page as to its own website[13].

Yet these marketing opportunities are not without security risks. The volume of spam and malware targeting such sites increased by 70 per cent in 2009[14]. Equally worrying is the growth in 'social engineering' attacks – hackers setting up false accounts and attempting to acquire personal data from people or organisations by 'befriending' them on social networking sites.

9 Source: Daily Telegraph, www.telegraph.co.uk/technology/twitter/8379101/Japan-earthquake-how-Twitter-and-Facebook-helped.html
10 Source: Silicon.com, www.silicon.com/technology/mobile/2011/04/01/social-network-accounts-outnumber-people-on-earth-39747241/
11 Source: Twitter, http://blog.twitter.com/2011/03/numbers.html
12 Source: Financial Times, www.ft.com/cms/s/0/240f19d4-5afc-11e0-a290-00144feab49a.html
13 Source: Financial Times, http://www.ft.com/cms/s/0/240f19d4-5afc-11e0-a290-00144feab49a.html#axzz1Lw1iTcsD
14 Source: Asian Security Review, http://www.asiansecurity.org/articles/2010/feb/08/social-media-security-risks-revealed/
• One of the most common tactics is 'clickjacking'. Criminals take advantage of the popularity of users posting shortened URLs (common services are bitly and TinyURL). These shortened URLs do not show the true destination of the link – for example, a link to an article on the BBC website wouldn't start with www.bbc.co.uk, instead it would be something like http://tinyurl.com/6dvr4lk. Hackers can use this to disguise the fact that clicking on a link will actually take you through to a malicious site.

So how should IT departments train staff to minimise the risks?

> Education. Again clear policies and education are paramount. Marketing staff need to exercise the same level of vigilance in opening messages, and clicking links received in messages, as they would with their own email. When it comes to phishing attacks against consumers the message seems to be getting through. In the UK for example, while the number of phishing attacks has risen to an all-time high, online banking fraud losses were down to £46.7m last year, a 22 per cent decrease from 2009[15]. The people running your social media marketing activity need to show the same level of caution.
> The horse has already bolted. You might think that one way to limit the risks would be to limit access to social media. This will not work. For your younger employees in particular, social media is a way of life. For the IT department the challenge is to make security policy on social networking usage relevant to 'Generation Y' employees.
> Blurred boundaries. You should also be alert to your employees' use of social media outside of work. The information they include in things like their Facebook profiles can potentially be used by hackers to build up a detailed picture of their habits and lifestyles, helping them to more effectively target social engineering attacks.

15 Source: Silicon.com, www.silicon.com/technology/security/2011/03/10/online-fraud-falls-as-consumers-wise-up-to-phishing-39747119/
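The practical counterpart to "exercise the same vigilance with links" is to reveal where a shortened link lands before anyone clicks it. The check below is an added example, not BT's code or a bitly/TinyURL API: it resolves redirects one hop at a time with HEAD requests that are never followed automatically (so the landing page itself is never fetched), caps the chain to defeat redirect loops, and compares the landing host with the domain the message claims. The redirect table, the `login-update.example.net` host and the `bbc.co.uk` claim are constructed so the example runs offline; `http_head_fetcher` is the live alternative.

```python
"""Expand a shortened URL hop by hop and compare the landing host with the claimed domain.
Added example; destinations in FAKE_REDIRECTS are constructed, not real."""
import http.client
import urllib.parse

SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "bitly.com"}  # bitly and TinyURL, as named in the text
REDIRECT_CODES = {301, 302, 303, 307, 308}

def http_head_fetcher(url, timeout=5):
    """Live fetcher: one HEAD request, redirect NOT followed. Returns (status, Location)."""
    p = urllib.parse.urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=timeout)
    conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")

# Constructed redirect table so the example runs offline (hypothetical destinations).
FAKE_REDIRECTS = {
    "http://tinyurl.com/6dvr4lk": (301, "http://www.bbc.co.uk/news/example"),
    "http://www.bbc.co.uk/news/example": (200, None),
    "http://tinyurl.com/abc123": (301, "http://bit.ly/xyz"),
    "http://bit.ly/xyz": (302, "/redir?to=login-update.example.net"),  # relative Location
    "http://bit.ly/redir?to=login-update.example.net": (302, "http://login-update.example.net/bbc"),
    "http://login-update.example.net/bbc": (200, None),
    "http://tinyurl.com/loop": (302, "http://tinyurl.com/loop"),  # redirect loop
}
def table_fetcher(url):
    return FAKE_REDIRECTS.get(url, (404, None))

def expand(url, fetch=http_head_fetcher, max_hops=5):
    """Follow Location headers one hop at a time. Returns (chain, exhausted)."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain, False
        chain.append(urllib.parse.urljoin(chain[-1], location))  # resolves relative Location
    return chain, True  # loop or excessively long chain: treat as suspicious

def host_matches(final_host, claimed_domain):
    """True if the landing host is the claimed domain or a subdomain of it."""
    return final_host == claimed_domain or final_host.endswith("." + claimed_domain)

def assess(url, claimed_domain, fetch=http_head_fetcher):
    """Summarise the link for a human: where it lands and whether that matches the claim."""
    chain, exhausted = expand(url, fetch)
    final_host = urllib.parse.urlsplit(chain[-1]).hostname or ""
    return {
        "shortened": urllib.parse.urlsplit(url).hostname in SHORTENER_HOSTS,
        "chain": chain,
        "final_host": final_host,
        "ok": not exhausted and host_matches(final_host, claimed_domain),
    }

if __name__ == "__main__":
    for link in ("http://tinyurl.com/6dvr4lk", "http://tinyurl.com/abc123", "http://tinyurl.com/loop"):
        print(link, "->", assess(link, "bbc.co.uk", table_fetcher))
```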
• Cloudy with a chance of security scares?

Cloud computing is continuing to set the pulses of CIOs racing. IDC predicts that while global IT spend will increase by six per cent in 2011[16], spending on public cloud computing services will grow five times faster. Gartner's latest CIO Survey[17] suggests that almost half (43 per cent) of CIOs expect to operate their applications and infrastructures through the cloud within the next five years.

Yet behind the hype, concerns persist. Just two per cent of companies in Europe have implemented cloud services, a figure that hasn't changed since 2009[18]. And a recent survey by Forrester found that for 58 per cent of decision-makers security is the main concern[19]. Interestingly, the people issues around cloud computing are just as significant in tackling the security challenges as the technology.

> Your IT team. You need to sit down and understand exactly what you want to achieve by using cloud services. Clear guidelines should be drawn up. What type of data do you want to move to the cloud? Where will that data actually be hosted? What are the regulatory implications if data is stored in different countries? You may feel that the 'perimeter' of the cloud is fit for keeping out unwelcome intruders, but how do you make sure that data within the cloud itself is secure?
> Your supplier. Do you know who within the supplier organisation will have access to your data? Can your supplier provide audit logs (in the event of data theft such logs can help to pinpoint the perpetrator)? You should also ask your provider for compliance certification, or information about a recent audit that can be shared with your auditor.
> Your employees. Be aware of employees taking a DIY approach. Companies that don't make remote access simple may see employees saving company documents to their own personal cloud services (such as Microsoft SkyDrive). The problem is that many of these consumer-focused services only use password-protection. For companies in highly-regulated industries like financial services, this could create serious problems.

16 Source: Silicon.com, www.silicon.com/technology/networks/2011/02/04/cloud-computing-to-boom-in-2011-39746924/
17 Source: Silicon.com, www.silicon.com/management/cio-insights/2011/03/21/cloud-security-why-cios-must-tighten-their-grip-39747169/
18 Source: Silicon.com, www.silicon.com/technology/networks/2011/02/04/cloud-computing-to-boom-in-2011-39746924/
19 Source: Silicon.com, www.silicon.com/technology/security/2011/02/03/cloud-computing-what-you-should-and-shouldnt-be-worried-about-39746908/
• Even within the course of their work, employees might have cause to use cloud services that the IT team has not authorised. For example, if they're collaborating on a project with a smaller organisation which is using Google Docs. The cloud services of Amazon and Google (aimed largely at SMEs) have had well-reported security issues, with a lightning storm once knocking out part of Amazon's service[20]. So once again, communicating clearly with employees is key. Help them understand your policy on cloud computing.

The brutal truth is that security risks are not going to go away. In fact the global picture is one of threats remaining as numerous – and as potentially harmful – as at any time since the birth of IT. Meanwhile the increasing number of devices we own and use, and our growing desire to work on the move, have led to added complexity. Yet the typical approach to tackling this issue – placing all our faith in technology to deal with the dangers – ignores a crucial ingredient in the battle to keep data secure. That ingredient is people. Your staff play a role that is every bit as important as the security hardware and software that your business has invested in. So in the year ahead, place your emphasis on education and awareness. Do this and you will allow technology to be a tool to boost efficiency, productivity and innovation, without compromising security. Go on, embrace the sprawl.

You can assess your operational security today, rapidly identifying weaknesses in your security management and measuring its adoption across the organisation. The BT Secure Networking Quick Start Service will help you take cost-effective remedial and preventative measures. The service is based on a unique set of tools, experience and knowledge, drawing on the expertise of consultants from across the BT Group who have come together to form a Global Centre of Excellence.

Find out more about the BT Secure Networking Quick Start at www.globalservices.bt.com/uk/en/products/Secure_networking_quick_start

20 Source: CNET, http://news.cnet.com/8301-1001_3-10263425-92.html
• Offices worldwide

The telecommunications services described in this publication are subject to availability and may be modified from time to time. Services and equipment are provided subject to British Telecommunications plc's respective standard conditions of contract. Nothing in this publication forms any part of any contract.

© British Telecommunications plc 2011.
Registered office: 81 Newgate Street, London EC1A 7AJ
Registered in England No: 1800000
Designed by Westhill.co.uk
Printed in England
PHME 62497