In the last couple of months, the face of the cyber criminal has undergone a complete metamorphosis. Increased instances of IP theft and loss of customer and employee information, among others, have often indicated the involvement of not only external sources but malicious insiders as well. Evidently, these new-age cyber criminals are targeting four key areas of weakness that are putting business environments at risk, namely poorly protected infrastructure, poorly protected information, poorly enforced IT policies and poorly managed systems.
From our research, Symantec has found that most breaches have 4 stages:
1. Incursion – Where malware gets into a company
2. Discovery – Where the attackers look for the valuable assets
3. Capture – Where the attackers get a hold of these assets
4. Exfiltration – Where they move the assets out of the company
Increasingly, criminals have dedicated teams associated with each of the stages.
Furthermore, these stages are enabled by:
1. Well-meaning insiders mishandling information
2. Malicious insiders stealing confidential information
3. Hackers who target poorly protected infrastructure, poorly protected information, lack of strong IT policies and poorly managed endpoints
Apart from the sophisticated nature of today’s threat landscape, the IT environment is undergoing an evolution as well. Some of the challenges that this poses to information security include:
Explosion of Information: It is becoming an increasingly information-centric world. Consider these statistics: IDC reports estimate that digital information will surge six-fold, from 281 exabytes in 2007 to a staggering 1773 exabytes in 2012. In addition, this information now resides at various endpoints, including the cloud, making it all the more difficult to secure.
Proliferation of unstructured data: Enterprises are struggling with large volumes of unstructured data, including documents, spreadsheets and emails. Analysts predict the growth of unstructured data to continue at over 60% per year, and in many organisations it accounts for more than 80% of all data. Protecting unstructured data against loss and misuse is vital, but given the size, organisation and age of file server data, protecting it can represent the largest data loss prevention challenge.
Consumerisation of IT: The official use of consumer technology such as social networking, instant messaging and blogs has become prevalent in Indian enterprises and is bound to increase over the next few years. However, the fact is that enterprises are not adequately protected. The above-mentioned Symantec study reveals that 82% of Indian enterprises use Facebook, while 54% officially use web-based consumer email and 62% use blogs. Additionally, 46% of Indian enterprises use microblogging tools, 69% use Google Talk and 61% use Yahoo Messenger. The biggest concern was around the use of instant messaging (IM), with 57% of respondents rating IM as a major security threat. Social media is being increasingly used in business for collaboration and communication. Yet 54% of CIOs and CISOs considered social networking sites to be a serious threat to their security. Fifty percent of Indian enterprises revealed that web-based email presented a high security threat as well.
Furthermore, according to Symantec's Enterprise Security Survey 2010 – Millennial Mobile Workforce and Data Loss, Indian enterprises perceive malicious insiders (61%), well-meaning insiders (50%) and former employees (50%) as threats to sensitive information. This is a threat that could grow over the next couple of years.
Copyright @Business Economics October 31 2010