Mobile devices have become an entrenched part of today's business reality. Business executives are becoming more reliant on their own devices so they can remain productive and connected to their corporate environment, suppliers and customers. But for IT managers, this rise in mobile device use for business purposes presents a unique set of challenges. IT managers have to toe a very tricky line, trying to find a balance between providing employees the freedom and trust of access to corporate data and applications, and protection of their organisation's infrastructure. This is not an easy task.
While installing an anti-malware solution on the endpoint would previously have sufficed as a means of protecting endpoints, the threats we face today are far more sophisticated than their malware predecessors. Organisations now need to employ a 'defense in depth' strategy - a layered approach in defending their network.
While defense in depth has its origins as a military strategy, when applied in IT security it involves the placement of defences on different points within the network. This has the aim of preventing a single point of failure, as well as mitigating and slowing down the propagation of an attack within the corporate network.
A layered approach to security is becoming increasingly important, as the malware we face today are extremely sophisticated and persistent. Popularly referred to as Advanced Persistent Threats (APTs), these malware are advanced and stealthy. They are tailored to target selected organisations to retrieve specific data and information - such as trade secrets and financial blueprints - to either be sold on the black-market or for corporate espionage. These attacks target individuals within an organisation by using methods such as zero-day exploits, or by means of social engineering.
Zero-day exploits are notoriously difficult to detect. They evade conventional anti-malware solutions by using previously unknown malware signatures, hence avoiding detection.
The second threat vector, social engineering, is the preferred weapon of choice. Social engineering is a tried and tested method of infiltrating an organisation and has been the modus operandi (method of operation) of many of the attacks we have recently seen.
To best address this threat, employees must understand that there are not many differences between social engineering and traditional methods of defrauding. Investing in corporate training and education is important to ensure that employees are prudent with the technology provided to them, as the human link is most often the weakest in the chain. Being constantly vigilant and maintaining a healthy level of skepticism is a good start. Restraining the disclosure of confidential information, unless it is verifiable, will allow employees to remain at least one step ahead of malicious actors.
Organisations can also play a larger role in ensuring that their infrastructure remains secure by carrying out regular risk-assessments to expose current potential vulnerabilities. While many organisations believe that being compliant with industry standards or legal requirements under trade law is sufficient to remain protected, recent evidence suggests that this may not be the case. While being compliant is a good thing, organisations should identify the information that is most important to them, and wrap stronger security profiles around these areas to protect their most vital assets, too.
By Simon Piff, Associate Vice President, Enterprise Infrastructure IDC Asia/Pacific. All views expressed are the author's own.