Although it is possible to protect the corporate network from threats by restricting end-user activity, it is more effective to protect staff communication from links to infected and phishing Web sites.
This kind of protection should cover the most frequently used means of communication, including e-mail and instant messaging.
So said Alexander Erofeev, director of market intelligence and insight at Kaspersky Lab, speaking during the company's Virus Analyst Summit, in Spain, this week, on some of the findings of global security research commissioned by Kaspersky Lab.
Taking into account that end-users are not well educated about security threats, most companies restrict their employees' social networking activities in one way or another, he noted.
“This resulted in 57% of companies concurring that use of social media by employees introduces significant risks. Fifty-three percent of companies have banned these kinds of services for end-users, and a further 19% restricted access in some way.”
Erofeev said social networking is the second most restricted activity, with the most restricted being file-sharing, followed by video streaming, instant messaging, personal e-mail, and VOIP. Larger organisations lead the way in terms of restricting their users.
Mobility concerns
“Mobile device security was revealed as another issue for businesses, with over half the companies reporting they are much more concerned about the mobile workforce than they were a year ago. However, only 36% of companies have a fully implemented policy to deal with security off-site. Just 30% have separate policies for mobile devices, and even fewer require mobile data encryption.”
Companies that have actually implemented these measures, however, evaluate them as least effective. “It comes as no surprise that 33% of businesses view mobile computing as too risky to adopt. There is no doubt that the number of mobile personnel will grow, so mobile devices should be guarded by the same security policies and solutions as traditional PCs.”
Cloud-based services and other emerging technologies were also judged a potential source of security risk. “Forty-two percent of companies are occasionally reluctant to adopt new technologies, because of the risks involved. Software-as-a-service (SaaS) is viewed as an opportunity by 38% of organisations as a means of effectively 'outsourcing' security issues.”
However, some of those surveyed believe cloud computing to be more of a threat than anything else. “Others are undecided, viewing cloud as both an opportunity and a threat. Thirty-eight percent of businesses said they do not trust third-party suppliers of SaaS.”
Erofeev explained that implementing SaaS solutions does not mean cancelling in-house security.
“There is no difference for cyber criminals where to steal data from - be it on local or cloud infrastructure. Criminal techniques are mainly the same in both cases.”
Education and endpoint
He pointed out that IT security is dependent on end-users' understanding of cyber threats.
“They do not have to be experts, but it would be wise to spend the time and budget to make them learn more. Bear in mind that targeted attacks could not be executed without the unintentional assistance of an employee.”
Effective protection must be enforced for all endpoints.
“This recommendation also applies to mobile devices, which are increasingly becoming points of vulnerability. The most effective solution is to expand a company's security policies and introduce centralised control and malware protection for employees' smartphones. Protection of sensitive data in case of device loss or theft is also recommended.”