According to a newly published IDC report, fraud, unlicensed product sales, physical-cyber threats and information leaks are among the most serious information threats facing organizations today - and the problem is escalating.
"The external threat environment for online security is advancing, with a growing number of profit-minded perpetrators and increasingly sophisticated attacks," said Allan Carey, senior analyst at IDC and author of the recent report on mitigating online security risks. "Organizations need to increase their awareness of online risks that extend beyond information security, and are evolving to combine cyber and physical security, along with direct threats to business operations, revenue and critical infrastructure."
Stakeholders, including security managers, risk and compliance executives, marketing and brand managers, as well as legal counsel, are urged by IDC to launch enterprise-wide efforts to mitigate risks by deploying specialized tools and relying on third party expertise.
The study, which was sponsored by online risk monitoring and management firm Cyveillance, predicts that the following "top five" threats will cause the greatest problems for chief security officers in 2006.
*Fraud and Identity Theft: Phishing schemes have increased during the past years and now even encompass "spear phishing," which targets specific groups of people. Until email authentication standards and new anti-phishing solutions are widely adopted, phishing is expected to continue to be a popular identity theft tactic. Financial Insights, an IDC company, estimates that global financial institutions may have lost up to $400 million in fraud losses in 2004 due to phishing schemes.
*Information leaks: In addition to outside threats, the insider threat of trusted employees deliberately or inadvertently distributing sensitive information is quickly becoming a major concern in many organizations. Organizations often lack governance policies specific to methods of communication such as blogs, chat rooms, technical boards.
*Unlicensed product sales: In addition to identify theft, organizations must be alert to broader online threats such as intellectual property (IP) loss and the online sale of counterfeit or gray-market goods. More sophisticated attackers, often from organized crime, will increasingly use the internet's speed and anonymity to exploit unauthorized product distribution.
*Convergence of physical and cyber security: Threats are moving beyond pure information security and are converging with physical security. Extremist groups and activists are connecting online and discussing methods to attack the critical infrastructure at organizations including energy and utility plants, transportation systems, and corporate buildings. "IDC believes that CSOs, as well as other executives whose job it is to evaluate risk, must account for the broadening scope of emerging threats that are evolving from pure network or information security threats to a combination of physical and cybersecurity threats. Currently, many organizations are simply unprepared to handle such multilayered threats."
*Corporate espionage: Information intentionally or deliberately leaked onto the internet can make the difference between profit gained and profit lost. Competitors that obtain access to confidential files can leverage the information to their advantage resulting in a diversion of sales and revenue.
The study advises that IT security professionals should adopt the following "resolutions" to combat these security risks.
*Create corporate policy: to address new and old mediums for communications - email, blogging, chat rooms, instant messaging, technical boards, et al. - and aggressively enforce those policies.
*Enforce policies: ensure that policies are defined and enforced regarding how employees are able to identify themselves online, and what types of information may be openly shared.
*Educate customers: about what types of requests and product offers the company will make via electronic mediums. Also, take a systematic approach to monitoring the web, as well as promotional offers made in junk email and global domain registrations, to proactively identify brand-related issues.
*Monitor the internet vigilantly: for early signs that your corporate identity is being used without authorization. In addition, organizations should monitor activity leading up to a particular organizational event, searching for activities by hostile groups or individuals that might be targeting your event. Set up countermeasures such as increased physical security to avoid disruption.
*Attain a closed-loop solution: Companies need a holistic approach, with the tools (workflow, case management, document management), expertise to stay atop emerging threats and third-party solution providers to mitigate risks.