Security

September 21, 2009 4:00 AM PDT

Reducing threats for Net-linked security cameras, ATMs

by Elinor Mills

ICSA Labs, which sets standards for commercial security products, plans to announce on Monday a new program for helping corporations protect themselves from attacks and snooping via Internet-connected devices such as printers, copiers, ATMs, and security cameras.

Under the ICSA Labs Network Attached Peripheral Security Certification and Assessment program, experts will evaluate devices used in corporations and work with vendors to help them understand the inherent security risks to Internet-connected devices, said George Japak, managing director of ICSA Labs, which is an independent division of Verizon Business.

The devices targeted are not those that are part of the computing network infrastructure, like desktops, servers, and routers.

"There is a lot of functionality on those devices being centrally managed and controlled via an Internet connection, and those Internet connections can be compromised," he said. "These unsecured devices are as much of a risk as an unsecured server sitting out on your network."

Attackers can exploit weaknesses in software to remotely steal data that sits on the devices, such as sensitive documents that someone has printed or copied. But the devices can also be used to propagate malware across the network, he said.

Originally posted at InSecurity Complex
March 18, 2009 12:06 PM PDT

People are still the biggest security vulnerability

by Jon Oltsik

There is an old saying in the security world stating that people are the weakest link in the security chain. Here is a bit of data that reinforces this ancient security adage.

ESG Research recently conducted a project focused on confidential data security that will be published soon. However, here are some interesting advance results that support this venerable security dictum. ESG asked 308 North American and European security professionals from large organizations (i.e. 1,000 employees or more) a number of questions about data security risks, policies, and technology safeguards. When asked to define the most important measures for protecting confidential data, nearly half of all respondents said, "communicating and training users on confidential data security policies." This was the top response followed by, "physical security," and "access controls for private data."

Now here's the scary part. When asked to rate their organization's performance with regard to "communicating and training users on confidential data security policies," more than one-fourth of security professionals gave their organization a rating of either "fair" or "poor." In other words, many organizations aren't doing a good job in the most important aspect related to data privacy and security: communicating and training employees. Yikes!

This problem appears to be more acute in Europe than North America. In North America, "only" 24 percent of security professionals responded either "fair" or "poor," while in Europe, the number increased to 38 percent. The problem is also more pronounced in the public sector where 34 percent of security professionals gave their organization a "fair" or "poor" rating. Finally, there is also a correlation with organizational size as larger firms do a better job at "communicating and training users on confidential data security policies" than smaller ones.

To me, the message is clear and frightening. The "people" part of information security (i.e. the most important part) is being minimized or managed very poorly. No wonder there are so many breaches! If this problem isn't addressed, we may as well give up. You could invest $1 billion in security technologies but if your people don't know about or understand the problem, you may as well leave the corporate networks wide open.
