Q&A: The State of IT Security

Recommendations for making data safer that won’t decimate your IT budget.

What are some of the challenging aspects of keeing your data safe? Can hosted solutions ease the strain of securing an enterprise? For a closer look at contemporary security issues, we contacted Andrew Schrader, national sales director at AppRiver.

Enterprise Strategies: Why is interest in hosted security solutions running high? What makes them different than traditional security solutions?

Andrew Schrader: Hosting solutions divert the burden of performing in-house IT security maintenance by outsourcing the responsibilities to a service provider who oversees a company’s network and information system security.

As today’s IT threat landscape continues to evolve in sophistication, end-users must remain vigilant with their security practices and organizations must be equipped with the latest security service solutions in order to keep their networks safe. Hosted security services provide real-time threat protection and eliminate the need for deploying andsupporting applications internally. Additional advantages of leveraging a managed security service provider include:

  • Easy, cost-effective deployment (there is no on-site hardware or software to maintain, upgrade, or support), there are lower upfront and IT staffing costs, and an enterprises has operational, not capital, expenses.
  • Real-time threat protection, stopping threats before they enter the network
  • Scalability and performance; no additional hardware or upgrades are needed when traffic volumes increase

Are there any “sweet spots” with hosted offerings in terms of particular threats (Web filtering, e-mail, endpoint, etc)?

E-mail security. An organization’s security has a lot to do with its e-mail system. Knowing this, cybercriminals continually create innovative ways to keep their businesses alive (this can include anything from phishing scams to social engineering ploys). From spam and virus protection to e-mail encryption, hosted security services help protect important information and mitigate security risks.

How has e-mail security changed over the past several years?

There are new, innovative ways spammers are keeping their businesses alive. Gone are the days when miscreants used e-mail alone to deliver viruses or advertise products. Instead, spammers today use e-mail as an avenue to entice users to click on an attachment or a link within the e-mail, thereby connecting users to a malicious Web site that can infect machines and possibly harm entire organizations. These tactics are difficult to detect and quickly steal information, productivity, and money. That’s why it is so important to remain vigilant about e-mail use and security practices.

What are the most prevalent types of attacks directed at e-mail inboxes?

Innovative spammers are using sophisticated tactics to lure unsuspecting users to malicious sites, thereby infecting machines and harming entire organizations. A variety of hostile, intrusive, and unwanted computer contaminants are plaguing the Internet and e-mail today.

Some of the most common types of e-mail attacks include sending winning lottery notification messages to lure users into sharing their personal data and intercepting their credit card purchase transactions and cardholder information. Online gaming also continues to be a target for hackers. The goal is to compromise accounts and pilfer in-game money or gold for resale. Also, as more and more games begin to incorporate social networking sites such as Facebook to share in-game achievements and the like, we may see possible personal information breach vulnerabilities between platforms.

Additionally, with banks beginning to release mobile online banking applications, there has also been an increase in mobile e-mail attacks. These include malicious text messages containing links to phishing pages, possibly even customized for the mobile format, mimicking their appropriate mobile app.

What are some of the more challenging aspects to keeping customer and employee data safe?

Many organizations feel the pressure to comply with an ever-increasing number of rules and regulations regarding storage and access to data. The fact that most businesses gather more bits of data rather than fewer bits of data does nothing to ease the difficulty of that burden.

Securing the entire pathway of data is a difficult task since all data, no matter what level of security is required- is seen by someone. In order for a business to comply with today’s strict regulations, the entire pathway for data (from secure storage to the point of dissemination) must be secured. Suffice it to say, it is no longer adequate for organizations to simply store customer/employee data in an encrypted form on a secure server with good access policies in place.

How has IT been addressing these challenges? Have these approaches been successful?

Protecting the privacy of e-mail communication across all departments and business units can be challenging. Whether it’s financial data in spreadsheets, confidential business plans, or e-mails from HR to your health provider, data needs to be kept private. On top of this, regulations such as Sarbanes-Oxley, GLBA, and HIPAA place an emphasis on ensuring that confidential and personal information is protected, wherever it resides.

IT has been addressing these concerns by offering cost-effective encryption solutions that provide high security, security policy management, and usability ease. One example that comes to mind is a solution that automatically secures sensitive data using end-to-end encryption. Such a policy looks for cues in an e-mail, and then makes a decision if the e-mail should be sent encrypted or unencrypted. Businesses should consult their compliance regulations and find a solution that satisfies the requirements.

Are there certain industries in particular that need to ramp up their safety measures, and if so, what should those industries be doing to go above and beyond what’s required?

Generally speaking, anyone who deals with sensitive data (whether that data is defined as “sensitive” by law or company policy) should make a point of considering the above points for his/her organization. Regulatory compliance continues to add pressure to already strained budgets and mounting end-user requirements, and so organizations may view them as an opportunity to improve systems and upgrade infrastructure to stay ahead.

What strategies can you recommend for making data safer that don't require a large chunk of IT's budget?

Outsourcing security needs is one cost-effective way organizations can secure data without sacrificing much time, personnel, and money.

With today’s workforce becoming more mobile, access to e-mail and shared resources has become even more critical. What is the risk of infection to mobile phones?

Mobile devices have morphed into “Pocket PCs” and are beginning to face the same threats of infection as traditional PCs. Although not nearly as abundant as traditional PC malware, there are just as many mobile infections found in the wild as there are in the proof of concepts:

  1. Mobile phone prices have become extremely low, allowing nearly anyone to obtain one. We know malware is a numbers game, so having more mobile users/potential victims will greatly increase the success rate of malware.
  2. The performance/computing power of these devices is constantly improving. The more functionality the device has the more ways malware authors have to exploit.
  3. Increased usage and performance will lead to more people entering and storing personal data on their phone, leading to opportunities for identity, credit card, andbank account theft.
  4. As the mobile app market grows, so will the use of malicious apps.
  5. The weakest link in any security policy is always the human factor. Since it took many years for most people to recognize the danger of malware on PCs, it may take even longer with unsuspecting mobile device users.

What measures can organizations deploy to safeguard their mobile workforce against e-mail-borne threats?

Organizations should use the same multilayer approach for securing handheld devices as they do for desktop and laptop computers.

For the user: Enable the password protection feature to access handheld devices and train users about the risks of visiting unfamiliar Web sites or downloading unfamiliar applications or message attachments.

For the device: Install good antivirus and anti-spyware software on all devices and consider software that encrypts data stored on it.

For the network: Deploy security solutions that screen all traffic to and from devices for malware at the network gateway, consider using software that allows administrators to remotely erase, back up, or locate lost or stolen devices.

What specific products does AppRiver offer businesses to combat today’s IT security threats?

AppRiver protects companies from multi-vector blended threats by thoroughly securing every connection to the Internet. It does so by offering a fully integrated suite of secure hosting services, including anti-virus/anti-spam protection, Microsoft Exchange hosting, Web filtering, encrypted mail, e-mail archiving, and mobile messaging solutions. With AppRiver, businesses are granted access to enterprise-grade applications in highly available data centers for a fixed cost per month, which is usually a fraction of the traditional in-house IT costs. The ability to adopt on-demand services on a pay-as-you-go basis gives each AppRiver customer greater cost-controls and flexibility.

How is AppRiver involved in IT security?

AppRiver is committed to keeping networks’ e-mail systems clean and employs a team of experienced security experts who actively monitor cyber-risks on a 24x7 basis, filtering out malicious content that can launch viruses and infect computer systems. Through their monthly “Threat and Spamscape” reports and a dedicated blog, AppRiver keeps the public informed of potential e-mail and Internet threats while offering tips to mitigate these threats at http://www.appriver.com

Must Read Articles