The biggest security concerns for Australian companies turn out to be virtualisation, mobile devices and social networking. The bad news? There's no totally effective way of securing any of them, and we're still making elementary mistakes in the security strategies we do adopt.
Picture by Duncan Harris
I attended a security roundtable with a bunch of security vendors in Sydney yesterday, discussing broad trends in the business security space. Frost & Sullivan research director Arun Chandrasekaran said that virtualisation (including cloud), mobile device strategies and how to deal with social networking accounted for 80 per cent of the queries he received from clients relating to security topics. All present significant security challenges, but one evident disturbing trend is that we're often getting the basics wrong. There's not much point stressing about newly-emerging threats if you're not taking steps to deal with security problems that we have known about for a decade.
That's evidently what's happening with virtualisation. Australia has one of the highest uptakes of server virtualisation in the world, but because many virtualised servers were originally used for test and development rather than production systems, security has often been something of an afterthought. That approach can have dangerous consequences. "If we get the virtualisation foundations wrong from a security aspect, then something's going to break down the track and when it breaks it's going to be big," said John Reeman, founder and CTO for VMinformer.
Reeman also made the equally important but often overlooked point that human error — something that it's hard to automate against — is still a major factor. "90 per cent of the common attacks that occur boil down to human failure," he said. But that, of course, makes it even more important to follow the dull-but-essential security basics: keep systems patched, analyse incidents, and set clear policies. "Organisations who choose to be complacent will undoubtedly have a failure."
One major challenge for security when exploring social networking is that the underlying code isn't available for inspection, and changes extremely frequently, but people continue to provide information to them. "Social networks create a culture of trust," said Scott Robertson, VP Asia Pacific channels and alliances for WatchGuard. That same criticism can be levelled at almost any cloud-based app, but the widespread use of social networking tools arguably makes them a more urgent issue.
Two factors mean that security will never be perfect. One is the human element: even with well-developed security procedures, people are hard to protect against. "Hacking can start with a phone call saying 'It's Adam from IT and we're going to be working on your system so we need your username and password', and a lot of people will still fall for that," said Adam Bradley, ANZ managing director for Websense.
The other, regrettably, is that we still continue to neglect the basics. As Bradley points out: "We can't offer stability and security for people who don't patch." IT work often involves repetitious tasks, but it seems in this case too many of us aren't trying. How well does your organisation deal with security? Tell us in the comments.
Evolve is a weekly column at Lifehacker looking at trends and technologies IT workers need to know about to stay employed and improve their careers.