FeaturesSecurity Compliance

An increasingly mobile workforce demanding anytime, anywhere access from any device to corporate systems and lines of business adopting cloud services increase the vulnerability of an enterprise network drastically.

To make matters worse, "over the past 8 or so years during the recession, there was an 80% decrease in the amount of funding for security technology amongst the venture capitalist community," said Kristin Lovejoy, the vice president of IT Risk and chief security officer at IBM. "There has been less innovation during this period to deal with [emerging threats such as hacktivism and advanced persistent threats (APTs)]. The APTs are what keeps me up at night."

So, as organizations strive to reduce costs and increase efficiencies, the risk of skipping over steps due to inadequate resources increases. "We estimate that between 80% and 90% of all sophisticated attacks could have been prevented through simple controls," said Lovejoy.

Despite worries about hacktivists and APTs, the reality is that "99.9% of the incidents involve the [end user] as the inadvertent actor," added Lovejoy. "The irony is that hardware and software are more secure than ever before. The problem is that the systems are now in the hands of the end users. You've got mobile devices and cloud images that are being made available to more people. These are being used by cybercriminals to get inside the organization."

IBM is certainly a giant target with an attack surface spanning "250,000 applications running on about 800,000 IT assets; 250,000 network assets and more than 2 million laptops and another several hundred thousand mobile devices," said Lovejoy. "We change about 4 million user names and passwords daily and expire about 40,000 patches a day."

To help senior executives at IBM understand what is required to balance security or business transformation risks and business innovation, Lovejoy created a list of 10 basic but essential controls for providing in-depth security.

"We have to better understand the DNA of our business, the risks associated with it and implement the appropriate security controls that make sense for the business," said Lovejoy. "More focus on the concept of risk management, risk management processes and tools will help people to prioritize what they're doing."

In securing cloud environments, Lovejoy believes the security issues lie with the way cloud images are managed. "Think of the cloud as having two layers," she said. "There is the infrastructure under the hypervisor that the cloud is built on and there are the cloud images above the hypervisor. People are buying the cloud services or images."

While the cloud beneath the hypervisors and the image, by default, are generally secure, the cloud services are another matter, especially when a line of business, instead of IT, owns and manages the image. The marketing group, for instance, may experience an attack within minutes of spinning up an image running risky customer data analytics.

"[With cloud security], do not just simply think about the above-the-hypervisor security tools," said Lovejoy. "Mandatory education for the people who are consuming the cloud is also critically important."

The best approach to ensure end users play their part in a risk-aware culture is "to bind security education with the benefit, such as the user's right to use social media or to bring one's own device," said Lovejoy.

"The takeaway is if you want to get into the heads of your audience, educate them on their rights and their responsibilities. You will get better overall adoption and more thoughtfulness from the end user." Indeed, IBM has instilled high user awareness of cyber security risks with surprising results. The company has one of the lowest adoption rates of social media and bring-your-own-device in the industry.