As technology evolves with the rise of the cloud and BYOD, so does the debate on keeping corporate information secure.
Many companies also require remote wiping capability on employee devices in case they are lost or stolen, plus communication encryption software. They also require employees not to use a single password for multiple sites, and some are forbidding passwords of a single word.
But Parris, who formerly held technical and sales management positions at Boeing Computer Services and founded Intercede, argues that securing email also requires identity management — a system that creates a digital identity for employees and other third parties connected to an enterprise, which will then track, “who is sending which email and information to whom, when and protecting it in transit and at rest.”
Even that will not ensure protection of the email, he said. “It must also be run on a secure platform that delivers tightly controlled policy to enforce data labeling, digital message signing, encryption and checking of the actual content.”
Jeff Wilson, principal analyst for security at Infonetics, agrees that an email management platform would help, since “most people are getting email on [multiple] mobile devices that could be lost, stolen, or compromised.”
But he noted a more basic problem for many companies: “They don’t even have an accurate inventory of devices connecting to their network or a framework for building a security policy and buying appropriate security solutions.”
Since email is the primary method of information sharing, enterprises must keep it secure, “to protect intellectual property and to compete in the global business environment,” Parris said.
Mobile devices allow workers, including government employees, to work in multiple locations and to improve their efficiency. But the same features that make these devices desirable make them a security challenge. Mobile
devices can easily be lost or stolen, and users may be tempted to download nonsecure apps that might conceal “malware” that could be used to steal confidential data. Since security is minimal for mobile devices, a thief can retrieve sensitive data directly from the device, or use the phone or tablet to access an organization’s computer network remotely.
The revised guidelines recommend using a software technology that centralizes device management at the organization level to secure both agency-issued and personally owned devices that are used for government business. Centralized programs manage the configuration and security of mobile devices and provide secure access to an organization’s computer network. They are typically used to manage the smart phones that many agencies issue to staff. The new NIST guidelines offer recommendations for selecting, implementing, and using centralized management technologies for securing mobile devices.
“Mobile devices need to support multiple security objectives: confidentiality, integrity and availability, so they need to be secured against a variety of threats,” explains co-author and NIST guest researcher Karen Scarfone.
This is not good.
Powered by ScribeFire.
- Blatant Stupidity: Latest Banking Mobile Apps Riddled With Flaws (infosecurity.us)
- “WARNING: Bank Of America, Chase, TD, USAA and Wells Fargo iPhone banking apps all have serious security vulnerabilities” and related posts (iphoneworld.ca)
- Vulnerabilities Found In Banking Apps (informationweek.com)
being neglected by employees.
More employees are ignoring data security policies and engaging in activities that could put a company at risk, according to a survey released by Ponemon Institute on Wednesday.A large number of employees copy secure data to USB drives or turn off security settings in mobile devices like laptops, which could put a company’s data at risk, according to the survey. The rate of noncompliant behavior was worse in this most recent survey compared to a similar survey conducted in 2007, Ponemon Institute said in a press release.
Around 69 percent of the 967 IT professionals surveyed said they copied confidential company data to USB sticks, even though it was against the rules. Some even lost USB sticks that store confidential corporate data, but did not report it immediately, the survey said.
The survey also took into account new technologies that could bring rogue software to computers, like social networking. Close to 31 percent of respondents engaged in social-networking practices on the Web from work PCs. Additionally, around 53 percent said they downloaded personal software on corporate PCs, which could increase the risk of bringing malware to the workplace.
Mobile technologies that let employees do more while on the road are contributing to the issue, said Larry Ponemon, chairman and founder of Ponemon Institute, in a blog entry. As the use of mobile devices grows, the inability to enforce data security policies could increase the possibility of data breaches. “I’m seeing a confluence of conditions that appear to be contributing to this challenge to data integrity,” he said.
Some professionals surveyed blamed companies for poor training or ineffective data security policies. Close to 57 percent said their company’s data protection policies were ineffective, and 58 percent said they were not provided with enough data-security-related training. (Source: More employees neglecting data security, survey says – CIO-Security)
Hard to enforce security policies when the IT staff violates it.
Related articles by Zemanta
- How to guard your digital data as you travel (cnn.com)
- Malware Found On Brand-New Windows Netbook (it.slashdot.org)
- When Hacked PCs Self-Destruct (it.slashdot.org)
- Data Security Regulation 2.0, Part 2: Massachusetts Has Written Your Information Security Program (revenews.com)
- New BIOS attack renders antivirus useless (vnunet.com)