Simply Security - News, Views, and Opinions from Trend Micro

Data security needs to be priority for CIOs

Posted on April 19th, 2012 in Privacy & Policy by Simply Security

CIOs need to focus on data loss prevention.


Social media, cloud, mobility and other advancements in technology enable businesses to store information on the web that can be accessed virtually anywhere in the world. While these capabilities have allowed companies to improve efficiency and promote teleworking, they have also invited unfamiliar threats into the office. Hacktivism, for-profit attacks and other instances of cybercrime are becoming more prevalent, forcing businesses to batten down the hatches in an attempt to protect themselves from losing valuable information.

Much of the responsibility for data security falls on the chief information officer’s shoulders. Strategies to safeguard information typically include denying unauthorized individuals access to corporate networks and files and improving data loss prevention capabilities, according to an InformationWeek report.

Educating employees and users on data protection best practices can be one of the most effective ways to prevent the loss of important information. InformationWeek pointed out that no security tools can be everywhere and individuals should be reminded that working from outside the office can still invite threats to the corporate system.

Additionally, CIOs should regularly update strong antivirus software on the company’s network and employee-owned electronics, InformationWeek noted. This is especially important in today’s business world with the advent of BYOD (bring your own device) programs, which allow individuals to use personal computing gadgets to do work in and outside the office.

Almost three-quarters of IT professionals at the recent RSA Conference said that mobile device data protection is one of their top security priorities for 2012, according to findings from a Tenable Network Security study.

“With the proliferation of enterprise mobility, the ability to keep track of these devices and understand how they impact your network and pose new security risks is critical,” said Tenable Network Security chief executive officer Ron Gula. “Mobile device security needs to be a top priority, especially considering the majority of the mobile workforce will circumvent mobility policies in order to do their jobs.”

A recent study by the Ponemon Institute further demonstrated the necessity of mobile device management when it found that roughly 59 percent of survey respondents reported employees would circumvent security features like passwords when using portable electronics to access corporate networks. As a result, more than half of businesses experienced a data breach in the past year due to insecure portable gadgets.

All mobile devices should be equipped with strong encryption technologies and robust passwords, and should be able to be remotely wiped if they are lost, stolen or compromised in some other way. These requirements aren’t limited to smartphones, tablets and laptops, but should also include USB flash drives and other portable storage tools, InformationWeek said.

Having robust passwords will also reduce the chances of unauthorized individuals accessing confidential data. While this concept might be basic, many employees underestimate the power of strong logins and their ability to reduce vulnerabilities, InformationWeek noted. Passwords should consist of at least six or seven characters and contain at least one capital letter and a number or special symbol.

However, a Trustwave study that analyzed 2011 data breaches found that many businesses around the world are not enforcing the use of strong logins. In fact, “Password1” was the most common key, as it satisfies the minimum amount of complexity settings required by most operating interfaces.
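The gap described above, where “Password1” passes a length-and-character-class rule, can be shown with a small checker. This is an added example, not code from the article, InformationWeek or Trustwave; the denylist, the substitution table and the sample passwords are constructed assumptions.

```python
import re

# Constructed sample denylist of common base words (assumption for this
# example; a deployment would load a large breached-password list instead).
COMMON_BASES = {"password", "welcome", "qwerty", "letmein", "admin", "summer"}

# Common character substitutions undone before the denylist lookup.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l",
                      "3": "e", "$": "s", "5": "s", "!": "i"})


def meets_complexity(pw: str, min_len: int = 7) -> bool:
    """Rule as stated in the article: minimum length, one capital letter,
    and at least one number or special symbol (any non-letter)."""
    return (len(pw) >= min_len
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[^A-Za-z]", pw) is not None)


def _strip_suffix(s: str) -> str:
    """Drop trailing digits and symbols, e.g. 'password1' -> 'password'."""
    return re.sub(r"[^a-z]+$", "", s)


def is_common(pw: str) -> bool:
    """True if the password reduces to a denylisted base word."""
    low = pw.lower()
    # Two orders are tried: a trailing '1' may be padding ('password1')
    # or a substituted letter, and '3' may be padding or an 'e' ('welc0m3').
    candidates = {_strip_suffix(low).translate(LEET),
                  _strip_suffix(low.translate(LEET))}
    return bool(candidates & COMMON_BASES)


def evaluate(pw: str) -> str:
    """Apply the complexity rule first, then the denylist check."""
    if not meets_complexity(pw):
        return "reject: complexity"
    if is_common(pw):
        return "reject: common password"
    return "accept"


if __name__ == "__main__":
    # Constructed sample passwords.
    for sample in ["password", "Password1", "P@ssw0rd!", "Tr4verse-Maple-Kiln"]:
        print(f"{sample!r:24} complexity={meets_complexity(sample)!s:5} -> {evaluate(sample)}")
```
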

Administrators should have even more complex logins, as they have the ability to access the most sensitive information. These individuals should also have all of their commands logged and reviewed by IT departments or security officials to ensure they follow safe practices, InformationWeek noted. If CIOs or other administrators want to work remotely, they should have to pass through a two-factor authentication process, such as typing in a password and swiping an ID card.

Decision-makers should also regularly perform network penetration tests and data protection audits, especially with the advent of cloud computing and BYOD. CIOs need to hire an unbiased and reputable third party to perform these analyses, InformationWeek said.

Of course, employing these various security measures, while valuable, can be a complex and costly pursuit. As a result, companies are increasingly implementing data-centric security practices to fill the gaps in their current protection models. Doing so puts the focus on protecting the data itself rather than the individual endpoint. While safeguarding a smartphone, laptop or the network itself is crucial, data-centric security ensures information is protected regardless of where it travels – an important consideration with the growth of cloud and mobile computing.

Data security should be at the top of every CIO’s priority list, as exposing sensitive customer, employee or corporate information can result in fines or worse, like the loss of consumer confidence and a damaged reputation. CIOs must be vigilant in their approach to data protection and ensure that all their bases are covered as effectively as possible.




Comments


  1. This was very informative. I understand the trend and love the ability to telesign into my VPN. From what I hear it's not that expensive and I think it's pretty easy to answer my phone or get a text.

    Comment by Joseph Hayward on April 20, 2012 at 4:27 pm