New Technologies vs Business Security

Social engineering by attackers over Facebook is new territory that demands to be addressed, but keeping departed employees from trying to break back into IT systems to wreak havoc or steal data is an even bigger concern at present, said Art Papas, CEO of corporate recruiting and staffing applications provider Bullhorn.

Helping its customers keep their information locked down even as they cut loose their own staff poses a huge area of risk, Papas said.

“We’ve got 15,000 users, and the staffing industry has really been affected by layoffs; so you have all these employees moving around from firm to firm, and many of them would love to have access to their old employer’s data, to their old account data,” he said. “We have to look at securing our applications in the same way that [a bank] looks at securing access to its money, except in many cases with our customers the data is worth more than money in terms of its value to them.”

As for cloud-based computing, or the sharing of computing resources hosted over a distributed infrastructure – often supported by a third-party application or services provider – many large enterprises have not rushed to embrace the architecture based on security concerns, as other studies have noted, said Walter Kuketz, CTO at business management consultancy Collaborative Consulting.

Big businesses remain dead set on retaining control of their IT operations, even though cloud computing offers the potential to save significant amounts of money by offloading overhead costs onto services providers, he said.

“We’re not seeing much use of data in the cloud. Big companies are more or less keeping their data internal. Their primary concerns come down to issues of data classification and security,” he said. “They want their sensitive data locked down, and cloud hasn’t been proven; it’s still about early adopters. There’s also the concern about these being new providers. When early cloud providers go out of business, customers are wondering, what will happen to their data?”

Moving forward, businesses will likely continue to straddle a fine line in trying to allow for the adoption of new technologies while doing the best job they can at maintaining sufficient security controls, the panelists said. One of the keys to succeeding in these efforts will be ensuring that end users themselves are consistently reminded of and somehow forced to comply with comprehensive security guidelines, the experts suggested.

“People always follow the path of least resistance. You can have lots of policies, but if an employee wants to do something, they’re probably still going to do it unless you can push them not to,” said Gene Meltser, senior consultant at IT risk management and security services provider Neohapsis. “If you really want to be protected, you have to have policies and some real method of enforcing them, because having policies alone isn’t going to help.”