By Jim Ebzery, Senior Vice President, Identity and Security Management, Novell
Let's face it, though the Internet has made it easier to get information and
services, it can be a dangerous place to compute. Every day, cyber criminals
are unleashing malware, worms and spam, hoping to pry loose critical information
for monetary gain.
Last year was plagued by several costly international security incidents, with
hacker hotbeds in China, Russia, the U.S. and the U.K. Research firm Ponemon
Institute revealed that the average cost per security incident was $6.3 million
in 2007, compared to an average per-incident cost of $4.8 million in 2006 --
and this was in the U.S. alone.
These numbers demonstrate that CISOs must focus more effort on securing
their enterprises in 2008, so the cost per incident doesn't skyrocket yet again.
Now that we have a few weeks of the New Year under our belts, here are the trends
I see persisting and the areas CISOs should pay the most attention to in 2008.
SOX, HIPAA, PCI-DSS and HSPD-12. This alphabet soup of compliance regulations
is a major pain point for enterprises. In the past few years, increasingly strict
deadlines for global compliance laws have forced companies to reevaluate their
security practices and take more steps toward improvement. Businesses are already
using technology that identifies who accessed what on their systems, and detects
and resolves security problems. It's a good start, but there is still much more
that needs to be done.
In 2008, businesses can expect the government to become even more involved
with compliance and security standards. Therefore, CISOs must be able to demonstrate
they are meeting mandated requirements. Specifically, CISOs will be asking,
"How can I prove to auditors that I am compliant and how can I simplify
the process?" This is the underlying theme for all compliance efforts,
and the number of fines will increase if businesses do not find the answer.
As such, technology that can automate and validate network activity to meet
compliance requirements will be incredibly important.
2. Insider Threats
There were many high-profile security breaches last year, creating great concern
about incidents such as phishing and Denial-of-Service (DoS) attacks. While CISOs
should continue to invest in technologies that prevent external attacks, for
the rest of 2008 they should focus more on threats from internal sources.
Unintentional employee errors and omissions are huge causes of security breaches.
As the evolving workforce calls for more collaboration, file-sharing and mobility,
employees should be educated on how to avoid putting their companies at risk.
Mobile devices such as laptops, PDAs and thumbdrives can hold a great deal of
information. But because of their size and mobility, these devices, which often
contain critical work files and sensitive personal data, can be easily lost
or stolen. Therefore, in 2008, CISOs should increase password protection, encryption
and personal firewalls on those devices to remediate breaches caused by employee
Another area where internal sources can cause a security breach is when someone
attempts to exceed access privileges. Whether the motive is to excel at work or
there is true malicious intent, CISOs should have insight into who is accessing what
inside the network, and be able to immediately revoke privileges before damage
is done. Many vulnerabilities stem from companies giving employees and contractors
broader access than they really need to do their jobs, or neglecting to quickly
deprovision an account when a user is terminated. There will likely be a renewed
focus on analyzing the ways employees are using systems and immediately stopping
access when employees go beyond the normal scope for a particular transaction.
3. ID Theft & Privacy Violations
The latest headlines tell us that identity thieves are getting younger and the
scams are getting more sophisticated and harder to trace. To combat ID thieves,
stronger authentication combined with better validation is a necessity. Authentication
methods that depend on more than one factor, such as personal identification
numbers or biometrics, can be more reliable and are stronger fraud deterrents.
The single-factor authentication process of using a login ID and password will
not stop identity thieves. If the only thing between you and your bank account
is a username and password, that is cause for concern. Multi-factor authentication
will also drive a stronger push toward converging IT security with physical
security. Right now, this trend is primarily being implemented in the government
sector, but more banks, retailers and healthcare facilities will begin using
access cards and tokens to tighten access security and prevent ID theft and
Combating insider threats, meeting compliance standards and preventing identity
theft are not new security challenges, but these are issues that continue to
persist. Through the rest of 2008, we will see a strong focus on these three
areas and businesses will invest in the best combination of technologies to
About the Author
Jim Ebzery is the senior vice president, Identity and Security Management, for Novell. Before joining Novell, he served as president of the Viisage Division of L-1 Identity Solutions, a leading identity management vendor, until the company was acquired by L-1 Identity Solutions. Prior to Viisage, Ebzery spent two years at the Internet Capital Group as vice president of operations. Ebzery began his career in sales at IBM then rose over a 17-year period to sales management, business development and executive roles, serving in his last position as worldwide solutions executive for the IBM supply chain business. Ebzery has a Bachelor of Science degree from Boston College in Computer Science.