Q&A: Real-World Security Decisions
How do you secure an environment in which risky behavior is business as usual?
Security administrators are constantly battling vulnerabilities from the outside. At many organizations, Internet access may be limited (IM may be blocked, for example), but at others, unfettered access is needed so employees can do their job. One such case is Direct Agents; the company’s employees need to monitor their clients’ ad campaigns, and that means having unrestricted access, and employees must visit potentially dangerous sites. When risky behavior is business as usual, how does the company protect itself? To learn how Direct Agents one organization faces security vulnerabilities every day, and the what choices it has made to protect its users, we turned to Josh Boaz, managing director at Direct Agents.
Enterprise Systems: Tell me about Direct Agents -- what do you do for your clients and who some of your clients are.
Josh Boaz: Direct Agents is a full service, performance-based interactive advertising agency. We provide brand advertisers with customized online advertising campaigns that help advertisers achieve quality and measurable results. We handle all different aspects of the campaign from strategizing, to creative design, to positioning and purchasing online media, to tracking and analyzing all online campaigns. Among our clients are several Fortune 1000 companies including AccuQuote, Scholastic, and Disney.
Why do Direct Agents' employees have to expose themselves to Web sites and e-mail messages that other companies would typically avoid due to security concerns?
As an advertising agency that handles interactive marketing such as search engine links and e-mail campaigns, Direct Agents employees spend their days visiting Web sites, clicking on links, and opening e-mail messages that many IT managers would want users to avoid. Our employees need to view all different types of Internet ads and e-mail messages as they create and manage online marketing campaigns for clients. To make sure that employees receive all client materials, many employees have to temporarily turn off their spam filters, greatly increasing the exposure of their computers and our entire network to malware.
What sort of confidential/sensitive information do your employees need to have access to that cannot fall into the wrong hands?
Although Direct Agents does not collect personal identifiable information about consumers, we do track campaigns to see how well they perform and what types of leads our clients receive. This information could include the number of clicks an ad receives, the number of people who fill out a form, the geography of the person responding, and the time of day they completed the action. In addition, some of our employees have access to client billing and bank information.
How have security threats and attacks changed over the past five years -- do you see more variety, more frequency, greater damage from the threats?
Security threats have become more cutting edge as technology progresses. We now have to worry about security threats coming from a greater variety of channels like e-mail, software, and files. We are also experiencing more advanced threats
Although information protection has never been more important to us, it has also never been more challenging. We have more information to protect at more points against more threats than ever before. The viruses, worms, and other types of malicious code are not the only threats. We’re also at risk from botnets, phishing attacks, and spam, and these threats carry a greater danger as a result of increased containment and removal time.
The attackers' motivations have changed. Their primary goal used to be achieving the public notoriety of successfully hacking into a company’s network. Now, however, they’re motivated by the theft of confidential information, and their tactics are much more targeted and difficult to detect.
Also, it’s important for us to be aware of potential internal security threats. Well-meaning employees who have legitimate access to corporate information may lose their laptops or USB drives, or have them stolen, exposing confidential information to anyone who tries to access the information stored on that device.
Software can only do so much to prevent data loss or theft. What training programs and/or policies have you implemented to help ensure employees don't unknowingly expose their systems and information to threats or loss?
All new employees at Direct Agents go through a training seminar about IT best practices including how to differentiate between legitimate versus SPAM e-mail messages, how to identify files that contain viruses, and how to distinguish appropriate from inappropriate Web sites.
Direct Agents also compartmentalizes confidential information so if one section gets attacked, not all information is leaked or affected.
Can you discuss a specific attack you've had to contend with over the past few years? What was the attack, how did you discover it, and how did you remedy?
Our employees were very susceptible to e-mail virus outbreaks. As often as once a week, our Technology Manager was handling virus outbreaks which would take between two to three hours to control. It was a real mess, so we decuded that we needed a single, consistent, centrally managed endpoint protection solution.
How has your approach to endpoint security evolved with those threats?
In two key ways: the number of endpoint security technologies we have deployed across our network and the management of those technologies.
Frankly, antivirus software alone can no longer provide adequate protection. Signature-based antivirus software is not effective against more targeted attacks. That is one reason why we implemented Symantec Endpoint Protection, which offers multiple security technologies including antispyware, desktop firewall, IPS, device and application control, all on a single agent our IT team can manage via one console.
Direct Agents used to allow users to have full control of their antivirus software, including the responsibility of installing patches, but that made it impossible to understand which systems require patches and which are up-to-date. Manual patching processes usually result in inefficiencies and errors. What’s more, poor patch deployment processes can hamper the productivity of end users and force our IT team to devote more time responding to incidents than to proactively managing day-to-day procedures.
Can you point to specific ROI as a result?
We can directly prevent threats by using alerts. By ensuring all definitions are up-to-date, the risk of outbreaks decreases and we are able to guarantee that all computers are functioning properly and scanning on schedule. Specific results include security-related time savings of up to 20 hours per week, a 40 percent reduction in licensing costs, and $1,500 in monthly savings for outside IT support. By having all the protection features integrated in one client, we did not have to spend time running through compatibility tests, deploying various products and patches, and paying the cost of the multiple agents consuming resources.
What mistakes did you make in your project or what would you advise your colleagues to do differently?
We would advise our colleagues to simplify their protection environment as much as possible. Rather than have individual protection systems, like we did in the past, a centrally managed one makes for a much more efficient workspace.
Companies should also work to develop an understanding of today’s threat landscape and identify their own specific areas of vulnerability, like we did by examining how our employees interact with clients on a daily basis. Armed with this information, organizations can then develop a security blueprint that is right for them.