Dimension Data, the global IT solutions and services provider, published its Network Barometer Report 2010 last month.
Interestingly enough, over one-third of all network devices surveyed had security or configuration vulnerabilities. The report also shows that the prevalence of vulnerabilities was almost three times greater in small organisations (60%) than in very large or enterprise organisations (22%).
This report is a stark reminder that having traditional silos of network and security experts is a great source of risk to the business. This is particularly true in smaller organisations where the lack of resources and budget forces the IT department to invest in personnel to “keep the systems/network running,” rather than security expertise to “keep the systems/network secure.”
Accordingly, smaller organisations tend to be an easier target for simple traditional attacks like Trojans, malware and botnets, which can cause millions of dollars in damage.
Cyber intrusions caused New Jersey’s Egg Harbor Township municipal funds to disappear, and a $3.8 million online theft attempt for a school district in upstate New York.
These cases, coupled with the Network Barometer Report, illustrate that simply watching network data without a security context is not enough, and organisations using this network-before-security approach are bound to fall prey to both savvy and not-so-savvy hackers.
However, there is a third dimension that must also be considered – the user. Identity theft is a major concern, and rightfully so. Even I, paranoid as I am after having spent several years thinking about technology security, admit to having clicked on that slightly suspicious link and entering my credentials into a web page at least once.
The FBI reports that cyber fraud losses doubled last year. Understanding who your users are and what they are doing is critical to prevent cases like the recent JE Systems loss in Arkansas in early April 2010, which resulted in a loss of $110,000; the medical records clerk at St. Peter’s Hospital who stole patient information to open credit card accounts; and the Valdosta State University breach, where 170,000 student records were improperly accessed.
Effective security cannot be accomplished without correlating security, network and user data. As point security solutions have improved, so has the sophistication of hackers – they are using multiple techniques that are harder to detect, and targeting smaller organizations with softer security expertise.
Until companies successfully tie all three dimensions together, I believe we will continue to see the loss of data, identity information and money.