Opinion: Slump exacerbates internal threats

The past few months suggest that few companies will emerge from 2009 unscathed by the downturn in the economy.

All businesses are now under pressure to cut costs ­ and that means eliminating jobs.

With more layoffs expected to come later this year, chief information security officers (CISOs) will be asked to employ decisive measures to keep their firms’ confidential data from walking out the door along with their employees.

Forrester therefore expects that in 2009 data protection tools will be seen as a critical technology for limiting the loss of sensitive information before layoffs happen.

Employers will buy data leak prevention (DLP), device control and web filtering technologies to help them clamp down on nervous employees sending themselves attachments to outside webmail addresses, copying documents to USB thumb drives, or posting to outside blogs.

Full-disk encryption will also be a key tool as a complement to DLP. Disk encryption protects the entire contents of a worker’s PC in the event of theft or loss.

Of 500 large firms Forrester recently surveyed, 35 per cent have already deployed full-disk encryption.

Forrester expects that by 2011, three quarters of large and very large companies will make full-disk encryption standard on their PCs.

In addition to taking steps to safeguard company data and documents, CISOs will be asked to watch another worrying trend ­ the abuse of privileges by authorised users.

Businesses often grant employees too many application privileges, or fail to remove access to applications when necessary.

In 2009, entitlements will give business leaders major headaches and personally identifiable information will cause much of the discomfort.

Forrester predicts that stories about unauthorised snooping will become much more common this year. If 2008 was the year of the lost laptop, 2009 will be the year of the curious customer service representative.

Another driver may be the temptation to earn quick money. Recent security intelligence from Symantec, for example, states that underground prices for consumer credit card details range up to $17.80 per card.

By that measure, an entitled employee with excessive privileges at an online merchant with sloppy internal controls could sell 10,000 card numbers and make a quick $177,000.

Further to spirited and public debates over the security of healthcare records, interoperability and access control of electronic personal health records will be a priority and drive greater awareness of entitlements in healthcare, life sciences and beyond.

As auditors have gained more experience assessing compliance with Sarbanes-Oxley and other statutes, they have become more aware of the perils of excessive entitlements. Now firms must explain who had access to which features, and why.

Forrester expects that deployments of hosted application and desktop virtualisation technologies will rise in 2009.

Today, most Forrester customers justify new client virtualisation deployments by the need to secure data on user PCs.

Increased data concerns will make client virtualisation more palatable to CISOs because firms will see it as a dual-use technology that can increase productivity and security together.

Highly regulated industries such as healthcare and financial services adopted client virtualisation first because of the clear security benefits.

In 2009, increased turnover of employees will offer further justification to these and other industries, based on client virtualisation’s potential for decreasing data breaches.

As a result, data security will continue to be the number one driver of client virtualisation initiatives through 2011.

Andrew Jaquith is senior analyst at Forrester Research.