If we're all so concerned about data security, why does the issue remain? Chalk it up to a combination of complexity, laziness, greed and a lack of training.
Picture by Diego Torres Silvestre
Earlier this week, I attended a roundtable discussion hosted by content security specialist Websense. The conversation ranged widely, but the underlying theme was clear: security is difficult, and that isn't primarily a function of having a wide range of devices. It's because any medium which allows information to be shared can enhance business, but also has enormous potential for abuse.
The mildly good news is that security issues are more widely recognised. "These days I can have a conversation with a board member and they know what I do," said Alison Higgins-Miller, Websense's Asia-Pacific vice-president. "The number one issue for them is risk management and compliance." However, acknowledgement of the issues isn't enough to solve them. Here are four factors that remain problematic.
1. We can't train experts fast enough
"The security industry is growing faster than the ability to train people," said Higgins-Miller. That makes security a solid career choice, but you have to be prepared to constantly re-educate yourself, as threats rarely remain static.
2. Threats are very sophisticated
It's well-established now that the majority of new threats are aimed at specific companies and individuals, rather than aiming for widespread distribution. This can involve incredible levels of complexity.
Websense has detected threats which are aimed at specific individuals in a company, sent in a carefully-constructed email with a single, plausible web address linked in it. Many threat detection systems will scan all incoming emails and check those URLs for suspicious content. To avoid that, sites are often set up to change their content at a specific time after the email has been opened. If the message is sent at midnight and passed through the security system, the address will look benign. The site content is then changed at 8am, just before it's likely to be read by someone arriving at work.
How can you protect against that? Advance scanning URLs at the time of access is the obvious solution. That imposes an overhead, but the alternative could be much riskier.
3. Greed is a constant factor
The going rate for a credit card number acquired from a call centre in India is $12. Selling a thousand of those a year pays better than a call centre staff member's entire annual salary. Under those circumstances, it's no surprise that workers can be tempted (and that highly efficient security systems are needed).
4. Not everyone has a solid policy
Notwithstanding higher levels of awareness, many companies don't have robust security policies. "I'm constantly surprised by organisations that don't have a policy around information security," Higgins-Miller said. While threats constantly evolve, basic mistakes are often repeated. Just as we don't eliminate the police force when crime rates fall, keeping IT systems secure doesn't allow for much breathing space. The next threat is often no more than a foolish click away.
Evolve is a weekly column at Lifehacker looking at trends and technologies IT workers need to know about to stay employed and improve their careers.