Ten Ways the IT Department Enables Cybercrime



Similar documents
KASPERSKY ANTI-MALWARE PROTECTION SYSTEM BE READY FOR WHAT S NEXT. Kaspersky Open Space Security

CSG & Cyberoam Endpoint Data Protection. Ubiquitous USBs - Leaving Millions on the Table

Top tips for improved network security

Building a Business Case:

Protecting Your Roaming Workforce With Cloud-Based Security

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

10 best practice suggestions for common smartphone threats

THREE KEYS TO COST-EFFECTIVE SECURITY FOR YOUR SMALL BUSINESS

Kaspersky Security for Mobile

How To Secure Your Store Data With Fortinet

Perception and knowledge of IT threats: the consumer s point of view

Your Customers Want Secure Access

BYOD: Should Convenience Trump Security? Francis Tam, Partner Kevin Villanueva, Senior Manager

How to Practice Safely in an era of Cybercrime and Privacy Fears

Global IT Security Risks

SMALL BUSINESS IT SECURITY PRACTICAL GUIDE

Top five strategies for combating modern threats Is anti-virus dead?

What Do You Mean My Cloud Data Isn t Secure?

Security survey in the United States

Nine Steps to Smart Security for Small Businesses

ITAR Compliance Best Practices Guide

DISCOVER, MONITOR AND PROTECT YOUR SENSITIVE INFORMATION Symantec Data Loss Prevention. symantec.com

Cybersecurity Policies and Best Practices: Protecting small firms, large firms, and professional services from malware and other cyber-threats

7 VITAL FACTS ABOUT HEALTHCARE BREACHES.

TOP 10 TIPS FOR EDUCATING EMPLOYEES ABOUT CYBERSECURITY

Extending Threat Protection and Control to Mobile Workers with Cloud-Based Security Services > White Paper

overview Enterprise Security Solutions

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY

Zone Labs Integrity Smarter Enterprise Security

Data Loss Prevention in the Enterprise

Healthcare IT Compliance Service. Services > Overview MaaS360 Healthcare IT Compliance Service

overview Enterprise Security Solutions

Cyber Security. An Executive Imperative for Business Owners. 77 Westport Plaza, St. Louis, MO p f

SIZE DOESN T MATTER IN CYBERSECURITY

Why Encryption is Essential to the Safety of Your Business

How To Protect Your Data From Being Hacked

NATIONAL CYBER SECURITY AWARENESS MONTH

BEST PRACTICE GUIDE TO ENCRYPTION.

Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s

EXTENDING THREAT PROTECTION AND CONTROL TO MOBILE WORKERS

AB 1149 Compliance: Data Security Best Practices

Small businesses: What you need to know about cyber security

Cybersecurity Report on Small Business: Study Shows Gap between Needs and Actions

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Guideline on Safe BYOD Management

How To Protect Your Smartphone From Attack From A Hacker (For Business)

THE TOP 5 WAYS TODAY S SCHOOLS CAN UPGRADE CYBER SECURITY. Public School Cyber Security is Broken; Here s How to Fix It

EMBRACING THE AGE OF MOBILITY

Top Five Ways to Protect Your Network. A MainNerve Whitepaper

YOUR DATA UNDER SIEGE. PROTECTION IN THE AGE OF BYODS. With Kaspersky, now you can. kaspersky.com/business Be Ready for What s Next

INTRODUCING isheriff CLOUD SECURITY

4 Steps to Effective Mobile Application Security

2012 Endpoint Security Best Practices Survey

WRITTEN TESTIMONY BEFORE THE HEARING ON PROTECTING PERSONAL CONSUMER INFORMATION FROM CYBER ATTACKS AND DATA BREACHES MARCH 26, :30 PM

MOBILE SECURITY: DON T FENCE ME IN

SECURITY THREATS: A GUIDE FOR SMALL AND MEDIUM BUSINESSES

SMALL BUSINESS IT SECURITY PRACTICAL GUIDE

Data Security. So many businesses leave their data exposed, That doesn t mean you have to Computerbilities, Inc.

Internet threats: steps to security for your small business

Cyber Security. John Leek Chief Strategist

Digital Consumer s Online Trends and Risks

IT TRENDS AND FUTURE CONSIDERATIONS. Paul Rainbow CPA, CISA, CIA, CISSP, CTGA

The Buyer s Guide to Unified Communications Security & Business Continuity BUYER S GUIDE

Data Protection Act Bring your own device (BYOD)

Senaca Shield Presents 10 Top Tip For Small Business Cyber Security

Computer Security at Columbia College. Barak Zahavy April 2010

isheriff CLOUD SECURITY

Mission-Critical Mobile Security: A Stronger, Sensible Approach

Primer TROUBLE IN YOUR INBOX 5 FACTS EVERY SMALL BUSINESS SHOULD KNOW ABOUT -BASED THREATS

Introducing KASPERSKY ENDPOINT SECURITY FOR BUSINESS.! Guyton Thorne! Sr. Manager System Engineering!

WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR

Mobile Device Strategy

Mobile Device Management

CuTTIng ComplexITy simplifying security

Kaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management.

Protecting personally identifiable information: What data is at risk and what you can do about it

BEST PRACTICES. Encryption.

WHAT EVERY CEO, CIO AND CFO NEEDS TO KNOW ABOUT CYBER SECURITY.

How To Deal With A Converged Threat From A Cloud And Mobile Device To A Business Or A Customer'S Computer Or Network To A Cloud Device

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers

The Impact of Wireless LAN Technology on Compliance to the PCI Data Security Standard

Microsoft s cybersecurity commitment

Applications, virtualization, and devices: Taking back control

Securing Your Journey to the Cloud. Managing security across platforms today and for the future. Table of Contents

Online security. Defeating cybercriminals. Protecting online banking clients in a rapidly evolving online environment. The threat.

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

CYBER STREETWISE. Open for Business

Your Company Data, Their Personal Device What Could Go Wrong?

Franchise Data Compromise Trends and Cardholder. December, 2010

Extending Compliance to the Mobile Workforce.

Detecting Cyber Attacks in a Mobile and BYOD Organization

For additional information and evaluation copies of Trend Micro products and services, visit our website at

Global security intelligence. YoUR DAtA UnDeR siege: DeFenD it with encryption. #enterprisesec kaspersky.com/enterprise

Are You Ready for PCI 3.1?

THE NEW FRONTIER FOR PROTECTING CORPORATE DATA IN THE CLOUD

Is your business secure in a hosted world?

Kaspersky Fraud Prevention platform: a comprehensive solution for secure payment processing

OVERVIEW. Enterprise Security Solutions

Policing Together. A quick guide for businesses to Information Security and Cyber Crime

Cisco SAFE: A Security Reference Architecture

Transcription:

White paper Ten Ways the IT Department Enables Cybercrime Be Ready for What s Next. 1

Ten Ways the IT Department Enables Cybercrime We hope that by now you ve already read Kaspersky Lab s white paper, Waging War at the Endpoint. If not, please download and read that white paper prior to proceeding (in the resource section.) Waging War at the Endpoint focuses on the real target for cybercriminals today the endpoint, or the employee. This white paper focuses on how IT unknowingly enables cybercrime by giving cybercriminals access to systems and data through a series of misconceptions and false assumptions. End-user demands for access to the World Wide Web and all of the communication vehicles that it affords are at an all-time high. Business demands for those same communication vehicles are also on the rise. The mobility of employees and company data present a growing challenge and keeping up with the exponentially growing cybercrime threat is daunting. As a result, and often without their knowledge or understanding, many IT departments have become accomplices to cybercrime. This document explains the various ways that corporate IT departments are enabling cybercrime in our environments, and provides some guidelines to prevent this dangerous, destructive practice from continuing. This paper discusses 10 ways that IT departments are enabling cybercriminals today, and offers ways to stop them, based on third-party research and analysis from Kaspersky Lab experts. How does your organisation measure up to these all-too-common pitfalls?

Enabler #1 Assuming the data is in the data centre Consider the fact that most corporate executives have one copy of their email on their smart phone (iphone, BlackBerry, etc.), a second copy on their laptop, and a third copy on their corporate mail server. This clearly demonstrates that there is twice as much data outside the data centre as inside the data centre. Add to that the numerous USB memory sticks, CDs, back-up tapes, cloud-based solutions, and data exchange interactions with business partners, and this number easily grows beyond what we normally consider. We innately realise that data isn t contained, yet corporate IT departments treat it as though it were. Why else would we spend disproportionate time and money reinforcing the data centre perimeter with technologies such as authentication, access management, firewalls, network intrusion prevention, etc.? That is not to say that any of these technologies aren t important. They definitely are. But, we need to concentrate on where our data currently resides; out on the endpoint. Data does not live in silos. It moves freely outside the data centre. In fact, IDC research shows that desktops/laptops represent the most serious concern for Data Loss Prevention (DLP). The endpoint represents a more immediate threat to data loss. IDC data also shows mobility is the number one factor driving new security spending, suggesting that more organisations are taking heed and beefing up security measures beyond their data centre perimeters. 3

Enabler #2 Failure to recognise the value of data on mobile devices Your time is valuable. The countless hours we spend creating reports and analysing data to make solid business decisions, the weekends we spend on email and on presentations, and performing due diligence on business opportunities that are time sensitive; all of these result in massive amounts of data loaded on portable systems. Yet, IT departments treat a laptop as a glass bottle of Coke. When a device is lost or stolen, the insurance claim only considers the value of the empty bottle, ignoring all the valuable data that was contained within the device. Because of that, the protection schemes on mobile devices usually address the value of the device, instead of considering the value of the data. The fact is that most often the value of the data on the device exceeds the value of the devices itself, often hundreds of times over. Use of managed anti-malware, anti-theft and privacy technologies for mobile devices is a good start to address protecting mobile data. There is a trend among businesses to allow users beginning at the executive level to select the make and model of their choice when buying a business-critical mobile device such as a laptop or smart phone. The growing number of iphones supported on corporate networks is a prime example. Unfortunately, most business people and IT shops are more concerned with the cost and time of replacement of the device rather than the value of the data on the device. Employees are equipped with the device of their choice instead of a device that is optimised for managed anti-malware, anti-theft and privacy technologies. The result is an expanding variety of devices, operating systems, carriers, security profiles, and other technologies within the business network. For organisations with a limited security staff, the demand to guarantee cross-platform security can exceed their capacity for support. 4

Enabler #3 Treating laptops and mobile devices as company assets that are never used for personal use, believing that company data never finds its way to home systems We can no longer assume that company assets are used exclusively for business use. The laptop, for example, serves as a primary communication and transactional tool for many travelling business people. This includes social networking for maintaining relationships and applications such as Skype for affordable international calling. This consumerisation of business IT has been growing for years, and as we discussed above, employees are beginning to expect flexibility and preference when it comes to company managed devices. Many employees use their personally-owned computers to access data after hours. If not properly secured, those devices risk increased security breaches. Use policies and managed security software are imperative in ensuring that data is protected as much as possible. This can include personallyowned equipment. Many companies extend their security software investments and licences to their employees as a means of expanding the umbrella of protection. Any information that is stored inside the enterprise perimeter on mobile devices such as smartphones, laptops or netbooks should definitely be encrypted as such devices can easily be forgotten, lost or stolen. 5

Enabler #4 Treating mobile devices as desktops A few years ago, our corporate IT networks were defined with a solid perimeter. Protection technologies clearly delineated what was internal to the network, and what was external, much like a moat around a medieval castle. External devices were considered untrusted, and those inside benefitted from the protection of the corporate firewall, much like the castle walls. Businesses worldwide are seeing increasing benefits from empowering remote or mobile workers. Advances in mobile technology have allowed companies to create an ever-connected worker who can have full access to critical corporate resources, such as applications, documents, and email, from anywhere in the world, as they travel. That access includes handheld devices. Mobile employees access corporate networks and data from airport lounges, hotel rooms and in-flight Internet connections all of which are unsecure. Consequently, the common workday is hardly restricted to 9 to 5 anymore. People are working accessing the most up-to-date information, responding immediately to client contacts, and taking care of many more daily tasks around the clock. However, this environment has created a new corporate vulnerability that is likely to be targeted by emerging threats (Mobile Security IDC.) A strong security policy for a laptop computer fundamentally differs from one for a desktop computer. Often, desktop computers that are used only within the business place don t need certain technologies, such as individual firewalls. But laptops need situational awareness. When they leave the relative safety of the business network, security enhancements should be automatically programmed to switch on. Security measures such as enabling a firewall, disabling non-passwordenabled Bluetooth and wireless connections, and increased scrutiny of USB devices should be automatically engaged whenever a laptop is taken out of the company network. 6

Enabler #5 Adoption of Social Media without protection Social Networks are here to stay. This is the new must have technology that segments of your business are demanding for growth. When properly used, it can help tremendously. Ten years ago, the pressure on IT departments was for basic Internet access. Then the demand came for corporate email, and then for Instant Messaging applications. Each of these eventually became mission-critical business tools. Social media is merely the next wave, and we need to be prepared for it. Many organisations are struggling with the question of how to allow their employees to use Web 2.0 tools responsibly without sacrificing security and regulatory compliance requirements. Social media and Web 2.0 technologies, if used securely, can help organisations increase collaboration and productivity and drive revenue. The focus should be on how organisations should embrace social media in a secure fashion because, with a few exceptions, the outright banning of social media will eventually prove impractical. A formal policy to control the access and management of social media is essential. For example, if a company protects its perimeter against malware attacks but lacks adequate control for social network access, one employee s carelessness could lead to malware infecting the company network and causing significant economic losses, either directly or indirectly. Social networks are also a possible means for information leaks by employees who voluntarily share information with third parties. With the exception of some very controlled academic environments, banning social media will eventually prove impractical. A more practical approach is to employ technology that closely watches the traffic that crosses social media websites and blocks known malicious sites. 7

Enabler #6 Focus on Protection vs. Detection and Response Consideration of comprehensive security schemes involves multiple capabilities. These basic capabilities are protection, detection and response. Anti-virus products are often overlooked, considered to be commodities, and automatically renewed annually. This results in the quality of detection and response capabilities also being overlooked. As we have demonstrated, these are imperative elements in your security strategy. And, there is a vast spectrum of Protection, Performance, Manageability, Deployment Capability and Support in the industry. The focus of many organisations is shifting to newer security technologies, such as DLP, Encryption, etc. While those are helpful tools, the overall number of malware incidents and infections continues to grow. An IDC survey found that 46 per cent of organisations experienced an increase in malware incidents, while only 16 per cent experienced a decrease. The SMB environment (500 2,499 employees) had the most dramatic difference, with 44 per cent seeing an increase in malware and only 7 per cent seeing a decrease. That means malware is still slipping through these enhanced prevention measures, demonstrating that increased emphasis must be paid to detection and response capabilities. IT departments have invested in protection mechanisms at the gateway, yet open up wide doors for employees to surf the Web without the proper detection mechanisms in place to ensure that criminals are detected and effectively blocked. Because cybercriminals today target the endpoint, robust detection and response technology needs to be deployed at the endpoint to protect it from malware designed by cybercriminals to steal data, credentials and revenues. 8

Enabler #7 Failure to foster a culture of awareness End-user awareness and training are critical at all stages and levels of information security. For example, employees must be taught how to defend themselves against malicious code safe surfing, avoiding spyware and scareware, attachment etiquette. Password policies must be evangelised and enforced. Web usage policies must be clearly communicated, monitored and enforced. Awareness of threats, their impact, and proliferation methods helps keep users vigilant and deters them from making poor decisions that could infect their endpoint. Security awareness campaigns on a recurring basis are vital to keeping employees informed and protected. Of course it is of great importance that IT staff are well educated on current threat technologies and vectors so that they can make knowledgeable decisions on protection and prevention technologies. 9

Enabler #8 Under-reporting of security breaches Although cybercrime security breaches increased more than 23%, and the cost of those breaches has more than doubled, this is only the tip of the iceberg. This data, released by the FBI, is misleading because companies generally do not report when they have been breached. Companies simply do not want the world to know they ve been breached for fear that their stock, value, brand and reputation would be negatively impacted. While this impulse to suppress is natural, the result is a skewed view of the growth in threat across the Internet. Under-reporting gives companies the false impression that the malware threat is minimal and that the growth in cybercrime is over-inflated. The reality is that the threat grew well over 23% the FBI just cannot quantify it because of the unreported breaches that occur every day. Companies like yours will benefit greatly by knowing of breaches that occur, how they were perpetrated, and how they can protect themselves from a similar attack. 10

Enabler #9 Settling for compliance Regulatory compliance and IT security are not always synonymous. You can easily be compliant with a regulatory body yet be very non-secure. Many organisations view malware protection as a check-off item I have to have it and I have to maintain it, but that s all I have to do. Regulatory compliance often involves a top-down approach. A cookie-cutter template typically defines the initiative. The company must look at its products and processes to figure out how they can mesh with the template. Security, on the other hand, is a bottom-up initiative when done correctly. Whether you are designing a software product or the architecture for your organisation s new network, security elements should be included. When you are designing product architecture, for example, just as a good initial pass would describe communication, localisation, versions, and so forth, so should it describe the security elements that need to be built into the application from day one. The security elements should be revisited and refined throughout development. Compliance may provide an illusion of security to those who do not understand the complexities of securing the digital business world. Compliance alone should not be the end goal. 11

Enabler #10 Assuming everything is OK Although systems might be bulletproof, ultimately, human beings operate them. In many cases, problems arise as a result of this human element of simple honest mistakes or a lack of necessary knowledge and best practices. Company personnel should be trained on information management, including how to act in specific situations, how to follow clear, company-wide safety policies and procedures, how to avoid malware by being diligent and careful and, if malware has already broken into the network, how to act correctly to secure data and prevent further losses. Take a hard look at the probability of a security event in your business. Everything is not okay. We can all do a better job at ensuring our business-critical data does not find its way into malicious hands. Summary Every day cybercriminals find new ways to infiltrate the corporate endpoints for the sole purpose of stealing data and money. According to a SANS.org report entitled The Top Cyber Security Risks companies are losing thousands of dollars each day while thinking they are secure. Kaspersky Lab 97 Milton Park Abingdon Oxfordshire OX14 4RY, UK 12 sales@kasperskylab.co.uk www.kaspersky.co.uk www.securelist.com www.threatpost.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information