...tems and steal data. Signature-based protection cannot protect against custom malware that has never been detected before.

5 Social Engineering

When users provide log-in information to a “tech support” guy who doesn’t exist, or they unknowingly respond to spear-phishing attempts to steal their credentials, the bad guys gain unfettered access to your systems. These tricky attacks that prey on user ignorance must be headed off through education, policy creation and enforcement measures. —E.C.

There have been two challenges keeping IT leaders from asking for these changes. First, some of the newer technologies designed to address recently identified risks, such as data leakage, had been too immature or too expensive to invest in. Second, even when a technology is ready for widespread implementation, it is often difficult for many security practitioners to justify additional costs beyond the current budget items with which nontechnical executives are familiar.

“The obvious things that you can see day to day—anti-virus software, spam protection and firewalls—have been getting the most attention,” Bhatt says. “An average Joe knows about viruses and firewalls, even if he isn’t in IT. The first thing everybody says is that you’ve got to have a firewall, and even the PCI data security standards. So everyone spends more money on those things.”
This attitude (often held by the executives who hold the purse strings) that anti-virus software and firewalls are indispensable while everything else is up for discussion can be self-perpetuating, primarily because of the craftiness of resourceful security managers. As Robert Ayoub of research firm Frost & Sullivan explains, some of the newer technologies often get stuffed into old budget categories, such as firewalls or anti-virus software, either because they’re too new to have their own category or because the security manager wants upper management to sign off on them with as little fuss as possible.

“There are definitely folks thinking beyond the firewall, but some of the newer technologies that don’t have a budget item are cannibalizing other budget categories,” explains
GREATEST CURRENT DATA SECURITY ISSUES
(percentage of respondents; values matched to items from the chart’s descending order)

Internal users' ignorance of privacy regulations ............... 33%
Theft of laptops & PDAs ........................................ 31%
External network breaches leading to identity/data theft ....... 24%
Internal users' theft of data .................................. 21%
Phishing for employee/company information ...................... 18%
Phishing for customer information .............................. 17%
Theft/loss of portable media ................................... 17%
Other social engineering to get confidential information divulged 13%
Theft of desktop computers/servers .............................. 5%
Internal users' database attack ................................. 4%
Other threats to data/identity .................................. 2%

AREAS OF GREATEST RISK EXPOSURE
(percentage of respondents; values matched to items from the chart’s descending order)

Infection of company's computers with malware .................. 55%
Network-based theft of data/intellectual property/customer data  48%
Physical theft of firm's computers/storage/portable media ...... 30%
Noncompliance with security regulations ........................ 30%
Disturbance of company's Web sites ............................. 16%