Posts Tagged ‘Security’
Wednesday, May 22nd, 2013
Cloud computing is exceeding expectations. According to The TechInsights Report 2013: Cloud Succeeds. Now What? commissioned by CA Technologies (NASDAQ:CA), respondents indicate the cloud has moved beyond adolescence and is on the path to maturity in the enterprise.
Survey participants—IT decision makers that have implemented cloud services for at least one year—reported they are achieving better results, faster deployments and lower costs than expected as a result of cloud computing implementations.
Luth Research and Vanson Bourne conducted the survey on behalf of CA Technologies to learn how cloud computing is being used, problems or successes encountered, and how its use changed as IT teams gained more experience.
The report confirms that cloud computing is not only delivering on its major promises of saving money and speeding time-to-market, but also exceeding expectations.
This somewhat contradicts some other reports we’ve seen at the TechJournal that suggest some firms are having troubles implementing cloud solutions – often due to lack of in-house expertise.
Meeting or exceeding expectations
The vast majority of respondents reported their cloud implementations met or exceeded expectations across service models including Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Experienced cloud users also shed light on the evolving nature of the cloud, and how their objectives and requirements for success change as they advance along the cloud adoption curve.
“Going in, we expected the results to be much more balanced between successes and challenges across a variety of deployments and service models,” said John Michelsen, chief technology officer, CA Technologies. “Surprisingly, survey respondents were pleased with their cloud computing initiatives, which validates that the cloud is not just a fad, and instead they are focusing on making the most of it to drive innovation, speed and performance.”
Though the overall study results were generally consistent across US and Europe, the length of experience and overall intended objectives for cloud differ. The US leads Europe in terms of years of experience, with 55 percent reporting three or more years of cloud use, compared to only 20 percent of European respondents.
The majority (79 percent) of European IT decision makers have implemented cloud computing for one to two (41 percent) or two to three (38 percent) years.
In terms of intended benefits, while cost savings continues to be a priority, increased speed of innovation rose to the top for more experienced organizations. When asked to name their top three objectives across IaaS, PaaS and SaaS deployments, Europeans most often selected “reduced total costs,” while US respondents noted “increased speed of innovation” and “superior IT performance/scalability/resiliency.”
In fact, cost reduction did not even make the list of the top three objectives in the US. One cloud provider told the TechJournal that often costs go up with cloud use because companies use it more than they expected to.
“As enterprises advance in their adoption of cloud, the desired outcomes evolve, as well,” said Michelsen. “Cost is often considered an early benefit – or even a required result – in order for IT teams to justify moving in the direction of the cloud. Once they show that cloud computing improves the bottom line, they can shift their focus to innovation and other objectives, such as increased performance and enhanced security.”
Additional notable results include:
- Larger organizations are leading the way:
  - They have been in the cloud longer (93 percent that report using cloud for four or more years have revenues of $1 billion or more), and
  - They are more likely to be using all three types of cloud services (79 percent of those using IaaS, PaaS and SaaS together in their organizations have revenues of $1 billion or more).
- Security remains a contradiction:
  - Nearly all respondents (98 percent) agree that the cloud met or exceeded their expectations for security across IaaS, PaaS and SaaS.
  - Nearly one-third indicated “security has been less of an issue than originally thought” when asked to share their primary reasons for success with cloud computing.
  - Yet, security was cited as the number one reason that an application is not moved into the cloud by nearly half of respondents (46 percent).
- Cloud spending plans increase at a faster rate for IT decision makers with more experience:
  - Companies using cloud computing for four or more years are almost six times more likely (34 percent compared to 6 percent) to report that they are increasing cloud spending by more than 30 percent in 2013.
  - US respondents plan to increase spending on cloud at a higher rate than their European counterparts, with 48 percent planning to increase spending up to 30 percent, and 17 percent more than 30 percent; versus 42 percent and 4 percent for European respondents, respectively.
  - Overall cloud spending is expected to stay about the same or increase for the majority of respondents (95 percent across US and Europe).
- Experienced cloud users recognize the need for IT management to ensure future success:
  - Respondents that have been using cloud computing for longer, or have used multiple types of cloud, identified the following IT management capabilities as critical to their success:
    - End-to-end service automation,
    - Service-level management across both cloud and non-cloud environments, and
    - The ability to switch between cloud service providers.
Friday, May 10th, 2013
Reports of high profile cyber security breaches at major companies have become almost routine despite studies showing that they are extremely costly to the firms involved.
In a recent survey, the majority of corporate risk managers and senior executives expressed concern about cyber risks. Yet many U.S. companies do not have a network security or privacy liability insurance program to protect themselves.
In other words, they feel vulnerable but aren’t sure what to do about it. A new report by Lockton illuminates the issue, along with the solution to managing cybersecurity in a world where business often depends on technology.
The report, co-authored by Lockton’s Michael Schmitt and Lisa Phillips, is entitled “Cybersecurity: Most Companies Know Enough to Worry, But Not Enough to Take Action.”
“How an organization responds to a data breach can either cause or prevent lost customers, regulatory fines and investigations,” Schmitt said.
Preparation and testing essential
Phillips added that preparation and testing are essential for any responsible organization. She writes that it starts with an assessment of the type of data held, including where it is stored, who has access to it and whether there are proper security measures in place to protect it.
After analyzing risk and implementing security measures, the next step is to create and test a data breach response plan with participation from IT, Legal, HR, Risk Management, Finance and Customer Service. Lockton also suggests involving data breach experts outside the company who can provide insight and guidance.
If a breach does occur, the data breach response team must be ready to move quickly to verify, investigate and communicate internally – and with customers, as appropriate.
The Lockton experts also recommend speaking with an insurance professional about what may be covered and what breach response services may be available through an insurance policy.
Thursday, May 2nd, 2013
Now here’s a paradox – while most industries saw fewer security vulnerabilities in 2012, IT web sites actually had the highest number of vulnerabilities per site. You would think that IT would be on the forefront of best practices, but that doesn’t appear to be so.
That’s according to WhiteHat Security, the Web security company, in the 2013 edition of the WhiteHat Security Website Security Statistics Report.
“Website security is an ever-moving target, and organizations need to better understand how various parts of the SDLC affect the introduction of vulnerabilities, which leave the door open to breaches,” said Jeremiah Grossman, co-founder and CTO of WhiteHat Security.
“This report – comprising survey and website vulnerability data – is the first time we can correlate various software security controls and SDLC behaviors to vulnerability outcomes and breaches. The results are both insightful and complex.”
The Current State of Website Security
In 2012, the average number of serious* vulnerabilities per website continued to decline, going from 79 in 2011 down to 56 in 2012. Despite this, 86 percent of all websites tested were found to have at least one serious vulnerability exposed to attack every single day of 2012.
Of the serious vulnerabilities found, on average 61 percent were resolved and only 18 percent of websites were vulnerable for fewer than 30 days in 2012. On average, resolving these vulnerabilities took 193 days from the first notification.
WhiteHat Security designated each tested site by industry, and a closer look revealed that:
- With the exception of sites in the IT and energy sectors, all industries found fewer vulnerabilities in 2012 than in past years.
- The IT industry experienced the highest number of vulnerabilities per website at 114.
- Government websites had the fewest serious vulnerabilities with eight detected on average per website, followed by banking websites with 11 on average per website.
- Entertainment and media websites had the highest remediation rate (the average percentage of serious vulnerabilities resolved) at 81 percent.
- In years past, the banking industry had the fewest vulnerabilities and fixed the most vulnerabilities of any industry. This year, banking came in second with 11 average serious vulnerabilities found per website and a below average remediation rate of 54 percent (average is 61 percent across all industries).
Top Ten Vulnerability Classes
The two most prevalent vulnerability classes in 2012 were Information Leakage and Cross-Site Scripting, identified in 55 percent and 53 percent of websites respectively.
The next eight most prevalent include: Content Spoofing – 33 percent; Cross-site Request Forgery – 26 percent; Brute Force – 26 percent; Fingerprinting – 23 percent; Insufficient Transport Layer Protection – 22 percent; Session Fixation – 14 percent; URL Redirector Abuse – 13 percent; Insufficient Authorization – 11 percent.
SQL Injection continued its downward slide from 11 percent in 2011 to 7 percent in 2012, no longer making the Top 10.
Best Practices May Not Result in Better Security
In correlating the survey results with vulnerability data, WhiteHat Security could see how software security controls, or “best practices” impacted the actual security of organizations. Some of the findings include:
- 57 percent of organizations surveyed provide some amount of instructor-led or computer-based software security training for their programmers. These organizations experienced 40 percent fewer vulnerabilities, resolved them 59 percent faster, but exhibited a 12 percent lower remediation rate.
- 39 percent of organizations said they perform some amount of Static Code Analysis on their websites’ underlying applications. These organizations experienced 15 percent more vulnerabilities, resolved them 26 percent slower, and had a 4 percent lower remediation rate.
- 55 percent of organizations said they have a Web Application Firewall (WAF) in some state of deployment. These organizations experienced 11 percent more vulnerabilities, resolved them 8 percent slower, and had a 7 percent lower remediation rate.
Best practices may not be enough
Some of this data implies that best practices such as software security training are effective, yet some of the statistics clearly show that following best practices does not necessarily lead to better security.
The correlated data revealed that compliance is the primary driver for organizations to resolve vulnerabilities, but also the number one reason organizations do not resolve vulnerabilities. In other words, vulnerabilities are fixed if required by compliance mandates; however, if compliance does not require a fix, the vulnerability remains, despite possible implications to the overall security posture of the site.
“This collective data has shown that many organizations do not yet consider they need to proactively do something about software security. It is apparent that these organizations take the approach of ‘wait-until-something-goes-wrong’ before kicking into gear unless there is some sense of accountability,” said Grossman.
“This needs to change, and we believe there is now an opportunity for a new generation of security leaders to emerge and distinguish themselves with an understanding of real business and security challenges. Our hope is that they will address these issues we have identified and base their decisions on a foundation of data to improve the state of Web security over time.”
To view the complete report, visit https://www.whitehatsec.com/resource/stats.html.
Wednesday, May 1st, 2013
A smart phone can contain a lot of information that its owner would rather keep private. But 39 percent of the more than 100 million American adult smart phone owners fail to take even minimal security measures, such as using a screen-lock, backing up data, or installing an app to locate a missing phone or remotely wipe its data, according to Consumer Reports’ Annual State of the Net survey.
At least 7.1 million smart phones were irreparably damaged, lost, or stolen and not recovered last year, Consumer Reports projects. Yet 69 percent of smart phone users hadn’t backed up their data, including photos and contacts. Just 22 percent had installed software that could locate their lost phone.
“When you take your smart phone into your confidence, so to speak, you’re also taking in a host of parties, including app developers, your wireless carrier and phone manufacturer, mobile advertisers, and the maker of your phone’s operating system,” said Jeff Fox, Technology Editor, Consumer Reports.
Take basic precautions
“We recommend that all smart phone users take the basic precautions we outline in this report to ensure that their phones are secure from wireless threats.”
The full report can be found in the June 2013 issue of Consumer Reports and online at ConsumerReports.org.
The report revealed that though most smart-phone users haven’t suffered serious losses because of their phone, there are wireless threats that merit concern.
Among them: malicious software. Last year, 5.6 million smart-phone users experienced undesired behavior on their phones such as the sending of unauthorized text messages or the accessing of accounts without their permission, CR projects. Those symptoms are indicative of the presence of malicious software.
Location tracking can lead to trouble
The location tracking feature that all smart phones have can also leave users vulnerable to wireless threats. One percent of smart phone users told Consumer Reports that they or a person in their household had been harassed or harmed after someone used such location tracking to pinpoint their phone.
CR also projects that at least 5.1 million preteens use their own smart phones. In doing so, they may unwittingly disclose personal information or risk their safety.
A smart phone can be quite secure if users take a few basic precautions, Consumer Reports found. Those precautions include:
- Use a strong pass code. A four-digit one, which 23 percent of users told CR that they used, is better than nothing. But on Android phones and iPhones earlier than the iPhone 5, a thief using the right software can crack such a code in 20 minutes, according to Charlie Miller, security engineer for Twitter. A longer code that includes letters and symbols is far stronger.
- Install apps cautiously. Malicious apps may not lurk around every corner, but they’re out there and can be tricky to spot. For example, CR projects that 1.6 million users had been fooled into installing what seemed to be a well-known brand-name app but was actually a malicious imposter.
- Turn off location tracking. Disable it except when it’s needed, such as for driving directions. Only one in three smart phone owners surveyed by CR had turned it off at times during the previous year.
Tuesday, April 23rd, 2013
According to Trend Micro’s (TYO: 4704; TSE: 4704) Q1 2013 Security Roundup Report, the company’s researchers raised the alarm about zero-day vulnerabilities in addition to concerns about the recent concentrated attack in South Korea.
Collectively, these events demonstrate that zero-day vulnerabilities remain a threat while attack innovations are growing in sophistication, intensity and severity.
Trend Micro’s synopsis of prominent Q1 threats includes:
New attacks against Oracle’s Java and Adobe’s Flash Player, Acrobat and Reader reveal that vulnerabilities are emerging faster than they can be patched and are quickly being incorporated into professional attack kits such as the “Black Hole Exploit Kit.”
“Of course Java is cross-platform and that is somewhat attractive to criminals, but what is really attractive is its vulnerabilities and its ubiquity,” said Rik Ferguson, Trend Micro’s VP, Security Research.
“This definitely won’t be the last zero-day vulnerability in Java and it won’t be the end of the vast attack surface that it currently offers to criminals.”
It’s still a good idea to disable Java in your browsers, security experts say. If you don’t actually need it, you may want to uninstall it from your devices entirely.
Attacks on South Korea
The high-profile attacks executed in South Korea this March reinforce that theft is no longer the sole focus of hacking efforts, but rather these breaches are also designed to cripple critical networks via innovative techniques including:
- Multiplatform focus such as UNIX and LINUX
- Specific countermeasures for installed security software
- Hijacking of patch management systems
“Given the capability of what took place in South Korea, it is likely that increasingly destructive attacks will continue to be a threat,” said Tom Kellermann, VP, Cyber Security. “With each quarter, attacks are becoming bolder and more targeted, pointing to concerns far beyond the compromise of personal data.”
For the complete report, please visit: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-zero-days-hit-users-hard-at-the-start-of-the-year.pdf.
Wednesday, April 17th, 2013
As competition for talent heats up in the US and confidence levels among American workers continue to climb, new research conducted by Randstad US will arm employers with the insights they need to cultivate and optimize their employer brand – everything from their carefully crafted value proposition to the public’s perception.
“An employer brand is a billboard for the organization, and the importance of this public sentiment goes beyond recruitment efforts,” said Jim Link, managing director of human resources for Randstad US.
“Clearly, company reputation impacts attractiveness among potential candidates. It is also clear a strong employer brand will further drive bottom-line results by creating a stable workforce, increasing productivity, and engaging key stakeholders. This affects all aspects of the organization, and when managed effectively, can elevate leadership and visibility within the company’s industry.”
In order to help employers learn how to develop and deliver on this brand promise, Randstad took a closer look at what workers expect and want from a prospective employer. Key findings include:
Show Me The Money…And, Give Me Security And A Nice Working Environment
Top Three Factors in Choosing a New Employer
- Competitive salary and benefits
- Long-term job security
- Pleasant work atmosphere
Over the last several years, many Americans have witnessed or personally experienced salary freezes, temporary furloughs, layoffs, and even long periods of unemployment.
Given these recent strains, along with continued unease around the state of the economy, it may come as no surprise that US workers seek financial security first and foremost. Even so, money isn’t everything. A pleasant work atmosphere follows closely as one of the top factors in choosing a new employer.
It’s All About R-E-S-P-E-C-T
- A majority of workers want recognition for their good work (52 percent)
- Around half of employees tout the importance of open and honest communication (51 percent)
- Forty-nine percent of America’s workforce wants the respect of their colleagues
A pleasant work atmosphere is linked closely with job recognition, open communication, respect, and even fun and friendship. A good first step in building and sustaining an employer brand is to craft a culture that values employees, recognizes their contributions, and celebrates successes. Encouraging social connections among workers will not only nurture a sense of team spirit, it will also strengthen and solidify a feeling of shared commitment and accountability.
Pique the Interest of Peak Talent
- Just over half of workers find a job interesting when it makes good use of their existing skills
- Even so, 43 percent of employees are interested in the acquisition of new skills
- For 39 percent of US workers, a job is considered “interesting” when new ideas are valued
People seek employers that offer the opportunity to acquire new skills while making use of their existing capabilities. In order to attract and retain top talent, companies must provide an avenue for continued learning, whether through traditional training channels or participation in cross-functional teams and activities.
Supporting professional development initiatives and fostering career advancement will go a long way in retaining talent and maintaining a high performing workforce.
Spread the Word
Employers should research what people are already saying about the company when drafting a blueprint for their employer brand.
In a social media age, word of mouth communication is both accelerated and amplified. Company decision makers should use these digital conversations as an informal focus group and consider what’s being said online as a benchmark for their brand value.
Employers can facilitate positive social mentions by encouraging current employees to serve as brand ambassadors. Additionally, engaging in dialogue with potential candidates will create an online talent community, which will establish a pre-employment connection with prospective employees.
A strong employer brand not only attracts high performing talent, but it also promotes retention, creates a stable workforce, and increases organizational success. Moreover, high retention rates reduce search and selection costs and help employers more effectively manage their cost structure, driving the company’s bottom-line.
With a strong employer brand that clearly defines and delivers on its promise, organizations can attract and retain great talent, enhance productivity, and elevate market leadership.
Monday, April 1st, 2013
A new study of over 1,400 consumers, from market research firm Chadwick Martin Bailey, finds that while one-half of smartphone owners are familiar with mobile wallets, many who are familiar have reservations about adopting.
The research also reveals that beyond allaying security concerns, mobile wallet providers must do more to articulate the advantages of the technology over more traditional forms of payment. Additional insights include:
Mobile wallet providers who guarantee fraud and theft protection are well positioned to drive adoption among mainstream consumers—Concerns over security remain a significant barrier to adoption, but the promise of 100% fraud protection substantially increases willingness to adopt.
Notably, these security-conscious smartphone users are the most likely to identify banks and credit card companies as their preferred mobile wallet provider.
Ways to gain an advantage
Customers find the benefits of location-based services appealing, but privacy and battery life remain concerns. Respondents indicate location-based services that facilitate information gathering, like showrooming, drive adoption, but too many alerts and offers are unappealing. Providers willing to allow users to customize the number and type of offers they receive may have an advantage.
While banks and credit card companies are the clear choice for the security conscious, opportunities exist for other providers.
Convenience, features, and usability are compelling attributes for many current and prospective mobile wallet users; while banks win on security, the feature-conscious prefer tech giants—with Amazon and Google topping the list as their preferred mobile wallet provider. For those who value convenience, credit card companies hold the advantage.
“These findings reveal that consumers are still in the early stages of understanding the uses and benefits of mobile wallets—there remain many elements (players, features, positioning, etc.) that will evolve over the next 12 to 18 months,” says Jim Garrity, SVP of Chadwick Martin Bailey’s Financial Services practice.
“With security concerns a key hurdle to adoption, banks are well-positioned as trusted providers of secure financial services, but this window of opportunity won’t remain open for very long. Consumers already have the technology at their fingertips; and as familiarity increases, other entrants are proving that they are secure, reliable, and offer clear advantages that drive adoption.”
Wednesday, March 27th, 2013
More than 80% of IT security professionals believe that corporate employees deliberately ignore security rules issued by the IT department.
The survey, which looked at the attitudes of nearly 250 IT security professionals, also discovered that more than half of those who think that workers deliberately ignore IT security directives do not believe end-users would listen more even if these mandates were issued by executive management.
These findings are despite the fact that more IT security professionals and vendors are insisting that in order to improve IT security within organizations, strategic guidance must be issued from the board level.
Commenting on the research, Philip Lieberman, CEO of Lieberman Software, said: “These figures highlight the fact that most end-users are still not taking IT security seriously and are unnecessarily putting corporate data — and potentially customer information — at risk.
“And these behaviors are continuing even after it has been proven that human error is the leading cause of data breaches. Organizations need to implement better cyber security training that properly instructs staff about the consequences of data breaches.
“IT groups must also look beyond conventional security products and invest in technology like privileged identity management (PIM),” continued Lieberman. “PIM products ensure that powerful privileged accounts found throughout the enterprise in large organizations are available only to authorized IT personnel with limited-time, audited access. This ensures that end-users are not able to accidentally or maliciously change configuration settings, access systems with sensitive data, or perform other actions that are not required of their jobs.”
The survey was conducted in February at RSA Conference 2013 in San Francisco.
For more information on the survey, see www.liebsoft.com/2013_information_security_survey.
Thursday, March 14th, 2013
In an era of frequent and seamless device upgrades, it’s easy to ditch an old handset and move on to the next. However, chances are the old device has personal information lingering on it, putting consumers at a greater risk of identity theft.
“Think about all the personal data stored on your phone: text messages, emails, even intimate photos of you or your significant other,” said Tony Anscombe, senior security evangelist at AVG.
“Consumers are now carrying more and more personal information on their devices, and AVG wants to ensure everyone is well equipped to wipe out that data when the time comes. Your identity is essentially yours to lose, so take every precaution possible to stay safe.”
While the factory reset button seems like the logical place to start, numerous industry and security experts report that even after consumers carry out this exercise, personal information often remains.
The following tips will help ensure private information is erased:
- Remove the memory and SIM cards. Both store personal data and are best kept safe in your possession or destroyed.
- Use a data removal application to ensure data really is deleted. Android users can use AVG AntiVirus Free, for example. For other platforms there is a list of apps available on the CTIA web site. Personally, we installed this on our Android tablet when we first fired it up and it seems to have been effective so far.
- Once the data is deleted, then run a factory reset. Instructions can be found on manufacturers’ or carriers’ websites.
- If you are going to simply throw away your mobile phone, older handsets can contain toxic materials. Consult your local authority or drop it off at a mobile phone retailer, where they will be able to dispose of it correctly. Additionally, there are specialist companies that will take it apart and recycle each component.
- Of course, recycling or handing it on for use is a good option; there are many charities and organizations that redistribute old phones and will even send you a pre-paid postage box to send it in. Just search on the Internet for the many options!
Thursday, March 7th, 2013
What will protect a company or other organization against state-sponsored cyber attacks? Not firewalls, intrusion detection systems, intrusion prevention systems and antivirus, according to an nCircle survey of security pros who attended the recent RSA conference in San Francisco.
Survey findings include:
- 59% of respondents say firewalls are no longer effective against state-sponsored cyber attacks
- 48% said antivirus software is no longer effective against state sponsored cyber attacks
- 39% said intrusion detection systems (IDS) and intrusion prevention systems (IPS) are no longer effective against state-sponsored cyber attacks
“Security professionals know we live in a world where state sponsored attacks are common and they also know that many legacy security systems that are updated after exploits or malware become public knowledge are no longer effective against these attacks,” noted Lamar Bailey, director of security research and development.
“Plugging in a firewall, IPS, or IDS and setting auto update doesn’t offer enough protection against sophisticated cyber attacks. IT security professionals know they can no longer sit passively on the sidelines and assume security technology will protect them.”
For more information about nCircle please visit www.ncircle.com.
Wednesday, March 6th, 2013
Although more than half the U.S. small businesses surveyed by the Ponemon Institute experienced at least one data breach, only a third notified individuals that their personal information had been exposed, it was reported today in a study conducted for The Hartford Steam Boiler Inspection and Insurance Company (HSB), part of Munich Re.
“Smaller companies are targeted by data thieves, but they often don’t know how to respond when sensitive information they keep on customers and employees is lost or stolen,” said Eric Cernak, vice president for Hartford Steam Boiler.
“Failing to act in a timely and effective way can harm the reputation of businesses and even risk legal penalties in many states.”
The Ponemon Institute survey of small businesses throughout the United States found that 55 percent of those responding have had a data breach, almost all involving electronic records, and 53 percent had multiple breaches.
Only a third notified those affected
Only 33 percent notified the people affected, even though 46 states require that individuals be contacted when their private information is exposed.
The primary causes of the data breaches were employee or contractor mistakes; lost or stolen laptops, smart phones and storage media; and procedural mistakes.
Sensitive information is more likely to be compromised when the data has been outsourced, 70 percent of the respondents believe, but 62 percent do not have contracts that require third parties to cover all the costs associated with a data breach.
Personal ID most feared data loss
Seventy percent of small business owners said they would purchase insurance to help pay for the costs if data is breached.
At least 85 percent share customer and employee records with third parties such as those providing billing, payroll, employee benefits, web hosting and information technology services.
When asked which type of lost or stolen data was more likely to harm their business, 70 percent agreed the loss of personally identifying information was more damaging than confidential company data.
The Ponemon Institute surveyed small businesses with annual revenues of less than $10 million for Hartford Steam Boiler, which provides HSB Data Compromise insurance for small to mid-sized organizations.
Tuesday, March 5th, 2013
Half of companies have lost a device with important company data on it, causing security implications for over a fifth of organizations.
Further, 57% of employees believe that BYOD puts their personal data at risk as well. Despite these concerns, the study also revealed that 86% of the workforce are obsessed with their devices.
Employees device obsessed
According to the findings, almost three quarters of employees are now allowed to access company data from their personal devices.
In fact, regardless of whether they were in a BYOD-approved environment or not, employees equally appear to be device obsessed — nearly 86% of employees use their devices for work all day and night, with 44% doing so even during meals.
Additionally, 20% of respondents consider themselves “borderline workaholic,” 15% bring their devices on vacation, and 7% claim that their work and home lives are one.
Major security implications
This growing trend to work remotely is likely to have an impact on breaches and data leakages as mobile devices continue to have major security implications.
Half of respondents stated that someone within their company has lost a device with important company data on it — and over a fifth admitted that a lost device had created a security implication for their company.
The study found that implementing a BYOD policy seems to have a small, though arguably statistically insignificant, positive effect on security as illustrated by a 5% drop in incidents at companies that have a BYOD policy.
Personal data also at risk?
By far the most popular method to secure mobile devices is password protection (57%), followed by 35% who wipe devices remotely, and 24% who use encryption.
Surprisingly, employees were not just concerned with their organization’s security. A staggering 57% believe that using a personal device for work could pose a security risk to them personally through potential leakage and misuse of confidential health and personal information.
At the same time, productivity drain is greater for companies that allow BYOD — nearly a quarter of employees stated that they spend more time than they care to admit using their personal device for personal use during work hours.
“Being connected to work around the clock appears to be accepted as the ‘new normal,’” said David Gibson, VP of Strategy at Varonis.
How companies can protect their data
- Developing a BYOD policy that lets people know what is and isn’t allowed.
- Making sure controls are appropriate to the risks — if the data is valuable, organizations need to control where it resides and who has access to it, and need to be able to audit use and spot abuse.
- Monitoring the effects of frequent interruptions and ‘always on’ habits to watch for signs of impaired productivity or health.
“Only by limiting the potential damage — both to organizations and employees — can organizations make the most of a trend that will continue to leap forward, whether businesses allow it to or not.”
To download the full BYOD research report, visit http://hub.varonis.com/BYOD-report
Tuesday, March 5th, 2013
Fourteen percent of U.S. chief information officers (CIOs) surveyed recently plan to expand their IT teams in the second quarter of 2013, according to the just-released Robert Half Technology IT Hiring Forecast and Local Trend Report.
Many, however, say they find it challenging to recruit IT pros with the skills they need.
In addition, 61 percent of CIOs said they will not be adding positions but will fill IT positions that open in the next three months. Twenty-two percent will not be hiring, even to fill an open position, and 2 percent expect to reduce their IT staffing levels.
Q2 IT Hiring Forecast
- CIOs adding more staff to IT departments: 14 percent
- CIOs planning to hire only for open IT roles: 61 percent
- CIOs planning to put IT hiring plans on hold: 22 percent
- CIOs planning to reduce their IT staff: 2 percent
“We continue to see strong demand for IT workers as companies increase their investment in technology initiatives, including security, data mining and mobile,” said John Reed, senior executive director of Robert Half Technology.
“Companies are finding it most challenging to recruit technology professionals in specialties such as network administration and database management.”
The IT Hiring Forecast and Local Trend Report survey was developed by Robert Half Technology, a leading provider of information technology professionals on a project and full-time basis, and conducted by an independent research firm.
The survey is based on more than 2,300 telephone interviews with CIOs from a random sample of U.S. companies in 23 major metro areas with 100 or more employees.
Seventy percent of CIOs surveyed said it’s somewhat or very challenging to find skilled IT professionals today.
Respondents cited networking (16 percent), data/database management (13 percent) and applications development (12 percent) as the most challenging functional areas in which to recruit.
Confidence in Business Growth and IT Investments
The survey results suggest that CIOs are optimistic about their companies’ growth and IT investments. Eighty-nine percent of CIOs reported being somewhat or very confident in their companies’ prospects for growth in the second quarter of 2013.
Seventy-two percent of CIOs also said they were somewhat or very confident that their firms would invest in IT projects in the second quarter of 2013.
Skills in Demand
Among the technology executives surveyed, 51 percent said both network administration and database management are the skill sets in greatest demand within their IT department. Desktop support followed, with 48 percent of the response.
Friday, March 1st, 2013
Half of IT security professionals at the recent RSA conference in San Francisco said they believe their company is a potential target for state-sponsored cyber attacks.
And, 48% of respondents say China has the most advanced capabilities for state-sponsored cyber attacks, while 33% believe the U.S. has the most advanced capabilities.
“The number of organizations that are potential targets for state-sponsored cyber attacks is probably much higher than 50%, because if attackers can’t break into a targeted organization, they will go after partners and suppliers,” said Tim ‘TK’ Keanini, chief research officer for nCircle, which surveyed 205 attendees.
“Frankly, I’m surprised that the level of paranoia among information security professionals isn’t higher.”
Indeed, with recent revelations that China has conducted years of sophisticated cyber attacks on U.S. companies and organizations, you have to wonder why security is not a number one priority for many firms.
Here at the TechJournal, we have seen several recent reports that not only state-sponsored cyber attacks, but the large number of other high profile security breaches over the last year, have made at least some firms more aware of the need for much stronger security measures.
Keanini also notes that public perception of the country with the most advanced nation state cyber attack capabilities has clearly been shaped by recent media coverage.
“The reality is that nations that are really good at cyber attacks don’t make the news because they don’t get caught. China appears to have a large number of cyber ‘soldiers’ but we don’t have any public point of reference yet.”
Monday, February 18th, 2013
What do IT professionals need to meet their increasingly complex security concerns? A new survey by SolarWinds, which sells IT management software, suggests they need powerful and easy-to-use security products.
The survey of more than 160 IT pros found that 86 percent specialize in areas other than security but are nevertheless responsible for it.
Forty-nine percent of respondents spend 40 percent or more of their time on IT security and compliance, while only seven percent of IT pros consider security their full-time job.
Top security concerns
The top IT security responsibilities, concerns and priorities revealed that securing today’s IT infrastructure will take a concerted and coordinated effort across all IT functions.
- The top five security and compliance responsibilities are managing networks; security infrastructure — firewalls, IDS/IPS, endpoint; servers; data exchange — email, file transfer, websites; and (a tie) desktops and mobile devices
- The top three IT security and compliance concerns are data loss, external threats, and cloud security and privacy
- The No. 1 security priority is preventing data loss
Complex security tools a problem
Most significantly, nearly all respondents cited complexity of security tools as the No. 1 reason they felt their organization is not able to respond effectively to security challenges.
“SolarWinds research shows that what works for security among large enterprises does not translate to the entire market,” said Jim Hurley, President of Wellington Research. “Usability and effectiveness are critical factors no matter what size an organization.”
“Securing IT is not just the role of a security expert anymore,” said Brandon Whichard, senior director product marketing, SolarWinds.
It’s not even the role of the IT department in many cases. Webmasters and bloggers often have to manage their own security and that can be difficult if their training has been primarily editorial or marketing.
Wednesday, February 13th, 2013
If you’re operating a web site, chances are you have wrestled with cyber attacks in the last year. Research findings released today from Websense Security Labs™, the worldwide research team from Websense, Inc. (NASDAQ: WBSN), report explosive year-over-year growth in global cyberattack trends.
“Year-over-year, the number of malicious web-based attacks increased by nearly 600 percent,” said Charles Renert, vice president of the Websense Security Labs.
Attacks staged from legitimate sites
“These attacks were staged predominantly on legitimate sites and challenge traditional approaches to security and trust. The timed, targeted nature of these advanced threats indicates a new breed of sophisticated attacker who is intent on compromising increasingly higher-yield targets. Only proactive, real-time security techniques, that inspect the entire lifecycle of a threat, can withstand the assault and prevent data theft.”
The attacks are so persistent, often including vast global botnets, that even with a firewall and daily scanning, we’ve had trouble with malicious attacks here at the TechJournal. A number of WordPress plugins seem particularly vulnerable. But the bad guys are out in force and go after any weak links. We suspect entirely new methods of combating cyber crime are needed to combat the increasingly sophisticated attacks.
Below are key Websense 2013 Threat Report findings, based on a year-over-year comparison of web, email, data, mobile and social media threats:
- Each week, organizations faced an average of 1,719 attacks for every 1,000 users.
- Malicious websites increased by nearly 600 percent worldwide.
- North American malicious sites increased by 720 percent and EMEA saw a 531 percent increase.
- Legitimate web hosts were home to 85 percent of those malicious sites.
- Half of web-connected malware downloaded additional executables in the first 60 seconds.
- Only 7.7 percent of malware interacted with the system registry—circumventing many behavioral detection systems and antivirus solutions.
- Thirty-two percent of malicious links in social media used shortened URLs. Once cybercriminals gain access to a host, they typically hide their own malicious pages deep in the directory tree. This process generates very long and complex web links that might tip off a wary user. Link shortening solves that problem.
- The United States of America, Russia and Germany were the top three countries hosting malware. Meanwhile, the Bahamas made its debut into the list of top five countries hosting phishing sites, with a second place ranking.
- China, the United States of America and Russia were the top three countries hosting command and control servers.
- Only one in five emails were legitimate and email spam increased to 76 percent. Worldwide spam volumes reached more than a quarter of a million emails per hour.
- One in 10 malicious mobile applications asked for permission to install other apps, something rarely required by legitimate apps.