An eye on security for 2009


There were several fundamental challenges in the security field last year, and this year will be no different, according to Websense's Phil Vasic.

There were several fundamental challenges in the security field last year and Essential Information Protection proved to be one of the most critical aspects.

Whether it's customer records or intellectual property, information is now the lifeblood of the modern enterprise, and data is available on demand to employees, customers, and partners. Broken business processes, employee error and gaps in security often put this data at risk - risk from regulatory and corporate compliance, customer and competitive pressures, and the rising cost and publicity of data leaks.

In addition, the fundamental shift of web content creation from trusted sources to anonymous and user-driven collaborations such as wikis, blogs and social networking sites has changed the threat landscape. Attackers are targeting 'trusted' websites with good reputations to circumvent traditional security measures and maximise attack effectiveness.

Moreover, converged email and Web threats fuelled by Web 2.0 technologies now employ surreptitious manoeuvres to circumvent traditional protections. This shift has changed the threat landscape and the way businesses need to think about security.

To ensure risk mitigation remains in step with the threat climate, enterprises must rethink their approaches to web, messaging, and data security. Instead of thinking about technologies, organisations must think about data. It's all about the data. How is it used? Who is using it? Who can get hold of it? Who can receive it? Which channels can safely send it? There's a lot to consider.

Today's workforce is more mobile and global than ever. Locking things down is not only unrealistic, it hinders business growth. Saying 'no' made sense in the old Web 1.0 world, but everything has changed. Traditional approaches to security are inadequate in the Web 2.0 world, and the continued increase in spam volumes will make it increasingly costly and unpredictable to use traditional methods of spam filtering.

So, what can we expect this year? For one thing, hackers will continue to get creative and leverage user-created content and Web 2.0 applications to create even bigger security concerns for organisations in 2009. Researchers expect to see a rise in special interest attacks - targeting specific groups of people based on interests and profiles.

In addition, spam volumes will continue to increase with spikes and troughs becoming ever more unpredictable, creating risk to the corporate messaging infrastructure and mail delivery. Email will increasingly contain unwanted or malicious links. The number of compromised websites grew in 2008 to surpass the number of created malicious sites. This trend will continue as hackers become more sophisticated and leverage the good reputations of some websites to evade traditional security measures.

Attackers exploit the weakest links within the web infrastructure in order to target the greatest number of internet users. Most vulnerable to these attacks are search engines and large user networks such as MySpace, Facebook or other social networking sites. We've seen a rise in web spam that posts URLs of malicious sites within forums, blogs, in the commentary or "talk-back" sections of news sites, and on compromised websites. This activity drives traffic to the infected websites and raises them higher in search engine rankings, increasing the risk that users will visit them.

Organisations will also make a move toward comprehensive data-centric security that includes not only web and messaging security, but also data security to prevent information loss across all channels. And as spam volumes rocket, hosted solutions will be considered as a means to cut out spam before it hits the corporate network.

Times are undeniably tough and companies must be looking at ways to reduce expenditure and increase their competitiveness. However, adding to the uncertainty, mergers and downsizing raise important questions about the handling of sensitive data.

For instance, how is this data being protected as it transfers ownership? As potentially disgruntled employees exit a business, are they taking data with them? As companies restructure, do they even know how or where their essential information is kept? All of these questions underscore the importance of a well-crafted Data Loss Prevention (DLP) strategy.

Fortunately, the threat of a leak is significantly mitigated through the use of technology, specifically, a DLP solution which can provide a clear return on investment and a manageable total cost of ownership. DLP provides a sound cost-avoidance strategy and can positively impact revenue - saving hundreds of millions of dollars with little upfront investment. In addition, organisations should consider moving to a hosted offering or at least protecting their on-premise filtering infrastructure by adding a layer of email hygiene in the cloud.

Organisations should prepare for continuing challenges during the year ahead and I predict that security managers will shift their protection emphasis from guarding against inbound attacks at the infrastructure level - a model suited to perimeter boundaries and the internet as a simple content resource - to guarding essential information against blended threats and accidental or malicious loss, in tune with Web 2.0 and the internet as a business platform.

Now is also the time to recall evidence of past downturns and remember that those who make smart use of innovative technology will be the ones who come out strongest.

Phil Vasic is the managing director of Websense ANZ.
