
In conversation with N Geetha, Voronkov says that security training for employees is crucial and that monitoring would help mitigate risks. Here is the detailed interview.
New generation threats that spell sleepless nights for CISOs
There are a couple emerging out of the various technology trends, which are termed new generation threats. Some of these are:
Cyber-espionage
Cyber-espionage is a tangible and growing global threat today. We see a flood of black market “cyber-mercenaries”--groups of criminals offering a wide range of illegal services. The trend shows no sign of abating. High-profile targeted attacks on companies--mostly at the enterprise level--are becoming increasingly widespread. Thousands of businesses have already been hacked and had their sensitive data stolen, resulting in multi-billion dollar losses.
Third-party threat
Even if the target company itself is well protected, criminals could still get access to confidential information through the company’s less protected partners. Nowadays, many companies outsource a wide range of business tasks. Such tasks--developing a marketing campaign in a foreign region, for example--often involve sensitive information processed by third parties.
If the criminals know which organisations work with the target company, they can attack the partner instead of the company itself. As a result, they can get access to any sensitive data from the target company which is stored on the partner’s IT infrastructure, or to authentication tools that will enable them to breach the company’s security perimeter.
That is why IT security managers should raise security questions when transferring sensitive data to outsourcers.
Human factor
As usual, human error remains a big source of risk, now multiplied by BYOD and BYOC trends. While it is sometimes possible to predict the main routes for external attacks--be it malware penetration or network intrusion--and to address such threats properly, employee mistakes are almost always unpredictable. Even when mobile devices and cloud services were less popular, there were regular stories of accidental data leaks as a result of careless use of email or IM software. As connected devices and cloud services become ever more common in the workplace, the likelihood of more of these gaffes occurring only increases. Addressing these risks will be one of the biggest challenges for IT security managers in the near future.
Critical Infrastructure protection (CIP)
CIP is a pain for IT security managers. On one side, all critical infrastructure objects are part of the whole company’s IT infrastructure, and securing that is the responsibility of IT security managers. However, CI operators have many concerns about security tools--and their conditions of use--that can be installed in very specific environments. Our partners around the world tell us that often, protection solutions are either not installed, or they are installed but then switched off. That’s a huge problem, since it means the CI could be seriously damaged by a fairly simple generic malware attack.
However, we must also understand that generic protection solutions are not always a good match for the security needs of a demanding CI environment. The security industry therefore faces the challenge of developing highly tailored security solutions to address specific ICS operators’ needs. These would enable IT security bosses to reliably secure every part of the company’s infrastructure.
Ways to mitigate risks emerging out of these threats
A three-pronged strategy to mitigate risks emerging from the next generation threats is the need of the hour:
Education: Implementing software security solutions is a good step towards securing a company’s IT Infrastructure, but it is not enough to develop solid protection. Employees should be aware of existing IT security risks and realise the precise impact any security incident could have on the company. That is why employee security training is very important.
Security policy execution control: Even if employees are well educated in the area of IT security, it doesn’t mean that they will automatically follow corporate IT-security policies. This is why it is extremely important to constantly monitor security policy compliance inside the company.
Implementation of pro-active defense tools: Reactive defense tools are good only against generic threats, but nowadays, more and more companies encounter complicated threats involving software vulnerabilities, mobile malware and other specific malicious tools. Now it is very important for companies to have tools that can address such threats. And of course, encryption is still a must-have feature. The main challenge in this area today is to choose a really strong, reliable encryption tool.