Top 10 threats facing the enterprise - Part Two

Security

In part one of our countdown of the top 10 enterprise security threats, we looked at some serious dangers, like targeted attacks and super sophisticated malware.

In part two, our security industry experts cover everything from insider threats to supply chain insecurity.

6. The Insider Threat

In a recent survey by Cyber Ark, it was found that some 44 per cent of IT staff admitted to accessing data not directly related to their role, and another 31 per cent confessed to using admin passwords in order to gain access to confidential or sensitive data.

If that were not worrying enough for the average enterprise, it gets worse when you take into account that such insiders are often the very people most familiar with and therefore best placed to exploit network security controls.

"Associated with this insider threat is the need for organisations to implement comprehensive activity monitoring," advised Cyber Ark's Mark Fullbrook.

"Go beyond access control and privileges enforcement, and actually record and track the precise actions that were performed on which assets and by whom," Fullbrook suggested.

"Do that, and the enterprise should be able to integrate operational data and security analysis, providing a complete overview of their systems. Overall, if businesses are to mitigate the insider threat, they must look to invest in appropriate technology that ensures information is stored securely." Businesses also need systems that log and monitor all privileged identities and activities, Fullbrook concluded.

7. Mobile Device Security

The consumerisation of the smartphone and tablet computer is a real enterprise security hot potato at the moment, and for good reason.

Actually, a couple of very good reasons, as Dimitri Sirota from Layer 7 Technologies explains: "More individuals store personal information on their devices that could be stolen, and this risk will only compound as mobile devices become more popular payment technologies. Secondly mobile devices could bring Trojan horses into the enterprise as compromised apps provide a backdoor into enterprise systems."

The consumerisation of the smartphone and tablet computer is a real enterprise security hot potato at the moment, and for good reason.

There are as many different approaches to mobile device security as there are MPs at a free lunch, but the most effective include locking down access to the device, isolating different apps using a virtualisation layer and implementing SSH clients for secure tunnelling into the enterprise.

However, as Sirotafrom warned, much still depends on the OS vendors and the application approval process. The industry remains in its embryonic days.

8. Log Analysis (what log analysis?)

If your business is subject to Payment Card Industry Data Security Standard (PCIDSS) compliance, then you should already be aware of the requirement to monitor your logs.

Thing is, as Ron Gula from Tenable Network Security reminds us, this monitoring requirement is at an organisational level and there remain plenty of logs that are either missed or not even contemplated.

This lack of comprehensive log analysis remains a huge missed opportunity to close down attacks, and as such has a deserved place in our top ten list.

Think about it for a moment, both Anonymous and LulzSec have exploited some very well-known security holes yet hardly anyone at the organisations targeted by them even noticed.

"Organisations should unify their log analysis program with their vulnerability and configuration motioning programs to ensure that systems are configured to collect and send logs centrally for analysis," Gula recommended.

"In addition, any type of passive network traffic analysis should be used to compensate for the lack of system logs".

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.