The latest headlines are awash with news of security breaches at major companies, including the likes of Morrisons, Target and Kickstarter.
We spoke to Catalin Cosoi, Chief Security Strategist at Bitdefender, about whether businesses can better educate their staff to be security aware, and how security strategies can be simplified..
TechRadar Pro: Could the enterprise do better when it comes to the education of staff as far as IT security is concerned?
Catalin Cosoi: The average enterprise does not train general staff in IT security matters and this is more or less as it should be. Training should be restricted to familiarisation with job-relevant security procedures, of which the fewer there are, the fewer there are to get wrong. IT staff on the other hand really should be more security-aware.
TRP: How should training differ at different levels of the business? Should all employees receive the same level of education?
CC: Generally speaking, an attacker will aim for the 'low-hanging fruit' first and will look to spear-phish the director's secretary, not the director himself – at least not initially. One of the jobs of IT security is to ensure that the gains are similarly low and that "privilege escalation" attacks are hard.
That being said, a small dose of operational paranoia instilled into key personnel can work wonders. To give an example of why education at all levels is so important, the HBGary "hack" was only possible because an administrator was a bit too trusting and accepting.
TRP: What would Bitdefender consider to be best practice when it comes to IT security education for businesses and their staff?
CC: Identify who needs to be educated and then think long and hard about what you want to teach. For example, training people to change their passwords often is pretty useless, while showing them how spear phishing works might be useful.
Keep in mind that normally there is a tension between security and convenience and a harried middle manager will always choose convenience, unless training has convinced him or her that it is necessary to make such decisions in a conscious manner and that taking on security risks is not "free".
TRP: Should network security now be reliant on more than just passwords following the recent news that researchers in Liverpool have created a computer virus that can spread via Wifi?
CC: The Chameleon virus' potential to spread through networks "like a common cold" highlights the importance of having robust administrative security procedures in place; an area that is overlooked by many.
Organisations should take steps to ensure that critical infrastructure and routers are protected from this, and similar, virus threats and technology should be the element that makes the difference.
Home routers and networks are actually beyond most people's IT administration skills, and as such the need to secure them doesn't even register. This is why passwords are often not secure enough.
In order to achieve true protection, security and maintenance should be simplified and automated as much as humanly possible. Things should just work securely out of the box, because most people don't have the time, inclination or indeed motivation to become network security professionals.
TRP: What are considered industry gold standards in today's cloud security industry?
CC: Despite industry efforts, cloud providers have yet to establish a standard framework to guide the interactions between enterprises and cloud service providers.
There are a number of organisations that ratify proposals for open standards and develop cloud security guidelines. Cloud Security Alliance (CSA) provides one of the industry's most comprehensible set of best practices for secure cloud computing.
The CSA has developed a compliance standard known as the CCM or Cloud Control Matrix, which describes various areas of cloud infrastructure including risk management and security threats.
