Brian Pennington

A blog about Cyber Security & Compliance



Corporate Data: A Protected Asset or a Ticking Time Bomb?

Corporate Data: A Protected Asset or a Ticking Time Bomb? is a Ponemon Institute study sponsored by Varonis, surveying a total of 2,276 employees in US and European organizations (United Kingdom, Germany and France), including 1,110 individuals (hereafter referred to as end users) who work in such areas as sales, finance and accounting, corporate IT, and business operations, and 1,166 individuals who work in IT and IT security (hereafter referred to as IT practitioners).

In the context of this research, both IT practitioners and end users are witnessing a lack of control over their organizations’ data and access to it, and the two groups generally concur that their organizations would overlook security risks before they would sacrifice productivity. Employees are often left with needlessly excessive data access privileges and loose data-sharing policies.

Compounding the risk, organizations are unable to determine what happened to data when it goes missing, indicating a lack of monitoring and further absence of controls.

This presents a growing risk for organizations due to both accidental and conscious exposure of sensitive or critical data. Efforts to address these risks will need to overcome employee perceptions, as they believe data protection is not considered a high priority by senior leadership.

Following are research findings that illustrate the growing risks and challenges to productivity that data growth and a lack of internal controls currently present for organizations of all sizes:

End users believe they have access to sensitive data they should not be able to see, and more than half say that access is frequent or very frequent. 71% of end users say that they have access to company data they should not be able to see. 54% characterize that access as frequent or very frequent.

End users believe data protection oversight and controls are weak. 47% of end users say the organization does not strictly enforce its policies against the misuse or unauthorized access to company data and 45% say they are more careful with company data than their supervisors or managers. Furthermore, only 22% of employees say their organization is able to tell them what happened to lost data, files or emails.

IT agrees. Most IT practitioners surveyed state that their companies do not enforce a strict least-privilege (or need-to-know) data policy. Four in five IT practitioners (80%) say their organizations don’t enforce a strict least-privilege data model. 34% say they don’t enforce any least-privilege data model.

End users and IT agree that data growth is hindering productivity more every day. 73% of end users believe the growth of emails, presentations, multimedia files and other types of company data has very significantly or significantly affected their ability to find and access data.

Uncertainty about whether senior executives view data protection as a priority affects compliance with security policies. Only 22% of end users believe their organizations overall place a very high priority on data protection. About half (51%) of IT practitioners believe their CEO and other C-level executives consider data protection a high priority.

IT practitioners say end users are likely to put critical data at risk. 73% of IT practitioners say their department takes data protection very seriously. However, only 47% believe employees in their company take the necessary steps to make sure confidential data is secure. Thus, IT departments know end user security risks exist but think they are limited in what they can do about it.

End users think it is OK to transfer confidential documents to potentially insecure devices. 66% of end users say there are times when it is acceptable to transfer work documents to their personal computer, tablet, smartphone and even the public cloud. Only 13% of IT practitioners agree.

End users and IT practitioners do not think their organization would accept diminished productivity to prevent the risk to critical data. 55% of end users say their company’s efforts to tighten security have a major impact on their productivity. Only 27% of IT practitioners say their organization would accept diminished productivity to prevent the loss or theft of critical data.

End users and IT agree that employees are unknowingly the most likely to be responsible for the leakage of company data. 64% of end users and 59% of IT practitioners believe that insiders are unknowingly the most likely to be the cause of leakage of company data. And only 46% of IT practitioners say employees in their organizations take appropriate steps to protect the company data they access.

7 experts predict the IT security and compliance issues and trends of 2012

Here we are on the edge of another year and it is the time of year when the predictions start.

Everyone has an opinion on what could be around the corner, some are based on extensive research and market trends, and some are based on customer expectations and experience.

Rather than bore you with my predictions I thought I would extract the predictions of several leading vendors and consultants and put them into one single post.

The plan is to use a range of industry specialisations, for example Anti-Virus and Authentication, and run them side by side for an easy comparison and to see if there is a trend in the predicted trends.

The 7 specialist predictors are from the organisations listed below:

  1. Confident Technologies
  2. Cryptzone
  3. Deloitte
  4. Lancope
  5. Trend Micro
  6. Varonis
  7. WatchGuard

Other opinions and predictions are available, and the full predictions of each organisation can be found via the link at the end of its section.

Top 5 Authentication Predictions for 2012 from Confident Technologies

  1. BYOMD (bring your own mobile device) will spell big trouble for businesses in terms of data loss in 2012.
  2. There will be a large data breach (reminiscent of the Sony online gaming breach of 2011) which will finally cause organizations across many industries to realize they cannot rely solely on passwords to protect user accounts.
  3. Targeted variations of Zeus-in-the-Mobile style attacks will grow.
  4. Smart devices enable smart authentication: image-based authentication, biometrics and more.
  5. Retailers and mobile payment providers will lead the adoption of new mobile authentication techniques in 2012.

Find the Confident Technologies predictions here.

Cryptzone predicts Trends for 2012

Cryptzone, the IT Threat mitigation experts, announced its 8 key predictions for the top security trends for the coming year.

  1. Targeted Attacks
  2. Bring Your Own Device (BYOD)
  3. Greater Security for Production Systems
  4. Intranets on the iPad
  5. Incident Response Management
  6. Context Awareness for Access Rights
  7. Content Security versus Hardware Security
  8. Shortened Product Development Lifecycles

Peter Davin, CEO of Cryptzone, comments “Employees are now demanding to use their own devices for work with security as a prerequisite. On the other side, hackers have become more sophisticated in whom they target, opting away from indiscriminate strikes. 2012 will see these trends develop even further.”

Find Cryptzone’s predictions here.

Deloitte’s Top five security threats in 2012

  1. Mobile devices (34%)
  2. Security breaches involving third parties (25%)
  3. Employee errors and omissions (20%)
  4. Faster adoption of emerging technologies (18%)
  5. Employee abuse of IT systems and information (17%)

Find Deloitte’s predictions here.

Trend Micro 2012 Threat Predictions:

Attacks Take on More Sophistication in the Post-PC, BYOD Era. Trend Micro’s “12 Threat Predictions for 2012” include:

  1. The real challenge for data center owners will be the increasing complexities of securing physical, virtual, and cloud-based systems
  2. Security and data breach incidents in 2012 will force companies worldwide to face BYOD (Bring-Your-Own-Device) related challenges
  3. Security vulnerabilities will be found in legitimate mobile apps, making data extraction easier for cybercriminals
  4. More hacker groups will pose a bigger threat to organizations that protect highly sensitive data
  5. The new social networking generation will redefine “privacy.”

Find Trend Micro’s predictions here.

Lancope Announces Top Five Security Predictions for 2012

Lancope, Inc., a leader in flow-based security, network and application performance monitoring, unveiled its top five security predictions for 2012.

  1. Advanced persistent threats (APTs) will become more predominant
  2. Insider threats will grow
  3. Industrialized attacks will remain stable
  4. Employee misuse and abuse will create steady risk
  5. Fully automated attacks will trend down

“If 2011 taught us anything, it’s that the targeted, highly motivated attacker is real. Tomorrow’s threat landscape requires a new level of preparation when it comes to security,” said Adam Powers, chief technology officer at Lancope.

Find Lancope’s predictions here.

Varonis gives its top predictions for Data Governance in 2012

Varonis Systems Inc., the leading provider of comprehensive data governance software, announced its top-level predictions for the Data Governance field in 2012.

  1. Secure Collaboration Goes Viral in 2012. It will be the year data owners take back access control decisions from IT, and demand automation to analyze data, make better decisions, and eliminate costly, ineffective manual processes
  2. Big data analytics will expand its focus to the biggest data of all: unstructured information sitting on file servers, NAS devices, and in email systems
  3. We will see some IT departments taking drastic measures, such as shutting down “at risk” servers or access to e-mail if the proper audit trails are not in place
  4. Internal threats will still be a major worry for corporates in 2012 despite the demise of WikiLeaks

David Gibson, Director of Technical Marketing and Strategic Sales at Varonis said: “When it comes to data loss, threats from inside the organization have become as worrisome, if not more so, than those from outside. In many of the security breaches in 2011, employees or contractors were able to delete or download thousands of files without raising concerns because often no one was able to determine what sensitive data they had access to and secure it before information could be stolen, view an audit trail of what they actually did access after the fact, and certainly not hear any alarms go off while the breach was in progress, when access activity was unusual. Corporates will have to address this issue properly in 2012.”

Find Varonis’s predictions here.

WatchGuard Unveils Top 10 Security Predictions for 2012

WatchGuard Technologies’ security analysts provide their 2012 security predictions:

  1. A major cloud provider will suffer a significant security breach. Cloud Computing brings chance of malware-storms
  2. Organized criminals will leverage Advanced Malware techniques in targeted attacks against businesses
  3. The barrage of noteworthy data breaches continues through 2012
  4. Increased reliance on virtualization reawakens need for virtual security. Unprotected virtual machines make bad neighbors
  5. Smartphone app stores and marketplaces help proliferate mobile malware in the real world
  6. Adoption of BYOD and IT self-service results in more data loss. Bring your own device means clean your own infections
  7. As the top vector for social engineering and malware, Facebook is forced to increase its security. In 2012 WatchGuard forecasts Facebook-based attacks will increase and Facebook will be forced to sit up and take notice. Specifically, Facebook will implement new security solutions on their site to avoid losing fed-up users
  8. Attackers launch a digital attack that affects physical infrastructure or equipment. My power plant got a virus infection. Expect at least one digital attack in 2012 to cause a significant repercussion to a physical infrastructure system
  9. Location aware malware customizes its attacks. Spyware knows where you live
  10. HTML5 offers five times the ways to hijack your website. New web technologies like HTML5 fuel the growth for next year’s web application attacks

“2012 stands to be a dynamic year for network security as criminals and hackers take threats to new levels,” said Eric Aarrestad, Vice President at WatchGuard Technologies. “Given how new threats are constantly evolving, WatchGuard remains ever vigilant in staying one step ahead of these threats, which gives our customers unparalleled protection for their networks, applications and data.”

Find WatchGuard predictions here.

It appears the common theme is “mobile” as the biggest threat, whether the device is employee owned or not. Similarly, they agree that the bad guys will continue to focus on targeted attacks.

Let’s just hope that 2012 is a more secure year than 2011.
