Companies may be investing in next-generation security defences but many are still failing to address lower-profile but equally dangerous risks in collaboration platforms that are readily available to large numbers of employees and external partners, a security executive has warned.
Microsoft’s SharePoint, now broadly used across all manner of enterprises, is a particularly open case because it enables the free flow of often mission-critical corporate data across organisational boundaries, Imperva senior vice president of worldwide marketing Mark Kraynak recently told CSO Australia.
“Almost every customer I’ve met with has the same story on SharePoint,” he said. “Their users had been using it for years, and they didn’t think there was anything sensitive in there – except when they found out that there was.”
While collaboration platforms typically include a range of controls to prevent unauthorised access, their more granular security controls are often left switched off because the business users charged with administering access rights simply do not configure them.
“One of the underlying assumptions has been that business users are the ones that set the security controls,” Kraynak said. “But in a lot of cases, they just don’t. Last year, a lot of people figured this out – and they told IT security to go fix it. Unfortunately, they didn’t give IT security much budget last year, so this year we are seeing them make up for that.”
A rush of security investment has ensued, with recent Gartner figures pegging Australia’s security spending as growing nearly 50% faster than the rest of the world’s, yet Kraynak warned that many organisations are still compromising their security by holding on to outdated notions of what a security defence should involve.
“In general, information security has slowly failed to respond to the new reality of the world,” he explained. “It is stuck in the late 1990s, where we’re focused on infrastructure controls, like trying to secure your laptop against viruses – which it’s not doing a great job of.”
“Modern malware has gotten around traditional antivirus controls, and they couldn’t care less about your laptop,” Kraynak continued. “Where viruses used to propagate indiscriminately, now they do not because writers don’t want it to be noticed. What they want is to steal your credentials and get data that has value for them – so what needs to happen in information security is to realise what’s actually under threat.”
Tightening privacy controls will hasten the move to better secure collaboration platforms, with cloud-based security tools promising to accelerate the process. Yet with many Australian organisations still going through something akin to the five stages of grief (denial, anger, bargaining, depression and acceptance) around their security exposure, Kraynak warned that it may be some time before they have fully accepted the real nature of the cyber-security threat.
“To a large extent, we’re putting a lot of effort and resources and focus on yesterday’s problems,” he said. “But from a regulatory perspective Australia is still a couple of years behind Europe and the US. But now that hackers are using automation to find targets, Australia has come onto the radar.”
“There will probably be some big breaches as awareness of security grows – and if the curtain gets drawn back from mandatory breach reporting legislation, you’ll see that a lot more is going on than you realise.”