Contractors, social networks weaken enterprise security

Email security vendor MessageLabs has highlighted contractors and suppliers as security weak spots through which cybercriminals could gain unauthorised access to large organisations.

Releasing its 2010 annual security report this week (pdf), the Symantec subsidiary warned that attacks would become more targeted and more diverse in the coming year.

ANZ regional director Keith Buckley explained that organisations typically treated their contractors and suppliers as a "trusted source", granting them physical and virtual access to assets.

But in the absence of harmonised software and technology policies, there was "no guarantee" that those contractors would be as well equipped to weather IT attacks, he said.

Buckley urged organisations to ensure that all employees, contractors and suppliers used company-approved devices that were governed by company policy at all times.

Security vendor Webroot agreed that any additional threat posed by contractors and suppliers would be addressed by enforcing on them the organisation's internal IT policies.

Contractors should be "no more [a threat] than your general employee," its Asia Pacific MD Charles Heunemann told iTnews today, as the company opened a new 340-square-metre facility in Sydney.

Heunemann expected Webroot's November acquisition of UK cloud security vendor Prevx to improve its protection of a "consumerised" enterprise, where personal mobile devices were becoming more prevalent.

Webroot currently offered around 30 percent of its security solutions from the cloud, but hoped to increase this to 90 percent within the next three years.

Automated, targeted spam

M86 Security echoed its competitors' calls for more stringent policies, encouraging organisations to ensure their acceptable use policies were "social media-proof".

Acceptable use policies should aim to ensure a safe working environment, employee productivity and internet safety, the vendor wrote in a whitepaper today.

Meanwhile, MessageLabs' Buckley warned that information on social networks may fuel new, automated methods of writing targeted spam messages.

MessageLabs reported detecting one or two targeted attacks per week in 2005. This increased to 77 targeted attacks per day in 2010, with between 200 and 300 organisations targeted each month.

Buckley suggested that cybercriminals could scrape victims' personal information from company and social networking sites, and make contact using bogus LinkedIn accounts.

While the vendor could not protect organisations from cybercriminals' social engineering traps, Buckley said software systems could protect networks from malicious code even after those fraudulent relationships were set up.

"We can't stop people from getting together, but we can stop the flow of information," he told iTnews today.