The five biggest security threats facing businesses today
From the poison pharms to the cloud's evil lining
Published: 4 February 2009 14:46 GMT by Nick Heath
As tech-savvy millennials enter the workplace armed with netbooks and a Facebook habit, Nick Heath looks at the emerging threats to corporate IT from today's wired workforce.
Keeping valuable data locked up inside the company is no longer viable as consumer tech and home working become increasingly common, and with IT offshoring and software as a service forecast to continue growing in 2009.
But can corporate networks really afford to relax their door policy when the multibillion pound global cybercrime menace is being buoyed by increasingly impoverished and desperate techies?
Recent research by analysts Forrester shows that application and data security is an important issue for more than 80 per cent of firms but that efforts to protect information are being held back by a lack of investment.
In order to help businesses hone their security strategy, we've rounded up the top five threats.
Millennial's bug
Like it or not, social networking and gadgets are a way of life for many of the 14- to 27-year-olds now entering the workplace.
But their insistence on bringing their sleek consumer tech and Facebook friends into the office poses a unique headache for corporate security chiefs.
Jonathan Armstrong, technology lawyer at law firm Eversheds, says: "One of my clients is a business that employs a lot of young creative people who say: 'I want to use the same tools that I've used through college and I can work much quicker'.
"But there is a danger in letting people use their own machines and work from home. You can forget that they do not have the same restrictions on what they can copy to a USB drive, or antivirus software installed to the same standard.
"When you lose control over your equipment in this way you have corporate data being taken into environments where it has never been before.
"For example the person who takes their laptop backpacking round India so they can update their Facebook page on holiday."
Armstrong says companies need to be strict about what devices can be used in the office and look at treating consumer devices as thin clients to minimise the data stored on them.
Nigel Jones, director of the Cyber Security Knowledge Transfer Network (KTN), a government-funded body dedicated to promoting the UK cyber security business, says: "Facebook can be central to the way young people do business but that creates difficulties for security staff as you are no longer inside a stable system with a perimeter."
Poison pharms
It looks and behaves like the company website, apart from that large banner defaming the chairman.
Such a calamity became significantly more likely last year when security researcher Dan Kaminsky revealed details of a fundamental flaw in the Domain Name System (DNS), a phonebook that translates the web address at the top of web browsers into the IP address that tells your computer which machine to connect to.
The flaw made it far easier to poison the DNS and carry out a 'pharming' attack, which allows a person to be diverted to a spoof or malicious website even if they have typed in the correct address.
Cambridge University security expert Richard Clayton says: "We cannot expect the Kaminsky attack to go away this year.
"If corporate IT is not ready then people can attack their DNS and all of their staff or their customers can be directed to the wrong websites.
"Having people come to your website only to see some rude message about the company chairman by some protest group or disaffected employee is definitely an issue that the head of IT security should worry about."
Clayton says that by the end of 2009, large businesses should make it a priority to apply the DNS Security Extensions (DNSSEC), greatly reducing the chance of hijacked web pages and any red faces in the boardroom.
Storm clouds
This year more than half of software developers worldwide expect to use software-as-a-service applications.
But the flow of data to and from the cloud means companies can no longer be confident about who is storing and accessing corporate information.
KTN's Jones says: "When you get into the cloud services or those grid ideas about sharing computing power, you come up against the problems of how do you accredit the security of a system and how do you secure data that is held somewhere else?
"From the consumer's perspective, they allow this company to hold their data and they want to know where that data is held and who has access to it.
"But that data is no longer kept within the organisation. It passes through different countries, different organisations and different ISPs as it is routed round the web.
"At a time when we are wanting to prevent data leakage and maintain intellectual property we are making access to information far more fluid."
The credit crunch
The downturn in the UK and worldwide economy is making it difficult for firms to find cash for extra training and security procedures.
Unfortunately this has coincided with a push to give regulators more powers to protect data, prompted by HM Revenue and Customs' loss of 25 million records and the tide of breaches that followed.
While analyst Forrester found that IT security spend would increase slightly in 2009, more than half of security chiefs it questioned said that justifying the cost of data security was their biggest challenge.
KTN's Jones says: "People are concerned about cutbacks on training budgets and investment on security.
"While an organisation might be facing economic difficulties, the level of threat is not going away and you have increasing regulation related to privacy.
"What you don't want in these circumstances is a reduction in training so you find yourself making people more responsible for data but not investing in it.
"Also if you are downsizing you have really got to think about disaffected employees and the potential to increase the threat of insiders leaking information."
Eversheds' Armstrong says: "Phishing attacks still get a lot of traction as the scams have become more sophisticated while businesses have not done enough to educate consumers and staff."
Choppy waters offshore
The revelation of a possible fraud at Indian outsourcing giant Satyam sent shockwaves through the Indian technology industry and fuelled job insecurity among Satyam's 53,000 employees.
Combined with news that the World Bank determined fellow outsourcer Wipro to be ineligible to contest direct contracts from the bank from 2007 to 2011, this turbulence has repercussions for the hundreds of Fortune 500 companies that trust these offshoring companies to keep their information safe.
Armstrong says: "It is ultimately a time of uncertainty for these businesses that employ thousands of people and that uncertainty makes those employees less secure.
"Staff will be more motivated to do bad things, for example selling on corporate information or taking it with them when leaving the business."
Armstrong says companies should begin enforcing stricter, well-defined security standards among outsourcers such as the ISO 27000 series of international rules, rather than relying on ad hoc security agreements.
Forrester found that 16 per cent of companies felt unable to impose security standards on third parties.














Reader Comments (1)
Ashish Shah Mon 2 March, 2009 11:15am
A very good article indeed. While I agree that...