Security breaches: shock figures

Information security has never been so important, with cybercrime, industrial espionage and denial of service attacks, not to mention employees losing laptops containing customer details and intellectual property. However, there is an in-built tension between the security an organisation needs and the convenience its employees want.

IT managers should always be careful to ensure that the technology they provide to their users is efficient, effective, robust and secure. These are all important attributes that take time to evaluate, implement and test. As a result, the evolution of corporate computing and mobility has necessarily been slow.

The problem is that computers and mobile devices have evolved more rapidly, increasing in functionality and ease-of-use, and coming down in cost. Workers bought them for their own use, realised how much more productive they were than the office devices and demanded to use them for work.

As Invasion of the Mobile Monster shows, 80 per cent of mobile devices are now employee-owned. However, 71 per cent contain high-severity application and operating system vulnerabilities, 59 per cent of employees bypass security controls and 26 per cent of devices have been inactive for more than 30 days. Inactivity is only a proxy, but a device that has not checked in for a month may well be lost or stolen, and nobody can say what data it was holding. The consequence is that 51 per cent of IT managers report data loss arising from employee use of unsecured mobile devices.

Unless businesses can get the situation under control, it will get worse. Cisco’s Visual Networking Index global mobile data traffic forecast shows that workers are likely to increase the number of devices they own. In 2012, only 8 per cent had more than one device, but this will increase to 25 per cent by 2016.

This trend for employees to “bring your own device” (BYOD) will be accelerated by the growth in mobile (56 per cent) and smartphone (31 per cent) connection speeds that Cisco forecasts. Faster connections make the devices more useful, permit more functions and allow them to access much richer corporate information. This will include critical business intelligence reports, pictures and video that could help competitors or be embarrassing if passed to the media.

The Hackmageddon figures show that cybercrime is still the main driving force, with hacktivism the other major factor. They also clearly show that the public sector accounts for half of all attacks – that’s government, education, law enforcement, military and non-governmental organisations. However, nearly a third of all attacks (31.3 per cent) are against industry and other businesses, such as online services, e-commerce and news.

As Verizon’s 2012 Data Breach Investigations Report shows, users are at the heart of many security breaches. The threat actions involved include malware that captures data from user activity (48 per cent of breaches), hacking with default or guessable credentials (44 per cent), use of stolen login credentials (32 per cent) and tricking users into sending data to an external site, such as phishing (30 per cent). A single breach usually involves more than one action, so these figures overlap rather than add up to 100. However, to be fair to users, 5 per cent of breaches are the fault of the organisation itself, because authentication was insufficient or absent, such as a system that required no login at all.

It is essential that all organisations ensure they have an effective information security strategy that is part of their overall security strategy, including physical security. This must be backed by security policies, education and training, so that employees are aware of the threats and how the policies combat them.

Security will only work if a culture of security is created, where security is part of every employee’s daily behaviour and they help and support each other. Only in this way can the organisation’s desire for security be reconciled with the employee’s natural inclination to cut corners in order to maximise productivity.