According to Cisco’s 2010 Midyear Security Report, published today, time travelers from the 1970s would barely recognize the workplace of 2010. We have experienced tectonic changes such as the rise of social networking, the widespread adoption and proliferation of network-connected devices, and the embrace of virtualization. The security report reviews the risks we face and suggests five tips to help enterprises strengthen their security by 2011:
1) Close Gaps In Situational Awareness. It’s not enough for IT departments to focus on blocking immediate security threats or patching major vulnerabilities. They also need to have “moment-to-moment” awareness of the state of the network because the enterprise is in a constant state of change. As new companies are acquired, new employees hired, applications changed, and new devices added, these changes can present real risk. By taking stock of elements such as mobile workers, mobile devices, web-based collaborative applications and the cloud, IT teams gain better visibility into the network. The report recommends IT departments disable unused services, such as operating system add-ons. It also recommends a “change-control” approach to managing devices, whereby stakeholder groups are informed when a device is connected to the network, as well as when it has been removed from use.
2) Focus First on Solving “Old” Issues – And Doing It Well. Organizations should start by tackling a limited number of security issues and doing them well, rather than trying to solve too many things at once with mediocre results. A good place to begin is software updating and patching. But with today’s shrinking development cycles and expansive networks, it’s harder than ever for enterprises to guarantee that everyone is using approved versions of corporate software. One solution is to develop a system for centralized management of approved software and for delivering updates, such as automated patching and software updates. Businesses are also advised to combine this with such practices as blacklisting, whitelisting, and ingress and egress filtering.
3) Educate Your Workforce on Security – and Include Them in the Process. Allow workers to be part of the solution by encouraging bidirectional communication. Explain the security issues the enterprise needs to address, and ask workers how they can help solve these problems. The most effective training uses real-world examples of criminals and attacks to show employees that threats are real and can cause significant damage. Be sure to target C-level and other VIPs for extensive education, as they are prime targets for phishing and social engineering schemes. And be sure to enlist your “millennial” workforce, or Gen Y employees, in the effort. They can help workers from other generational groups navigate social networking and other popular technologies. Enterprises should also advise users about the potential impacts of sharing business information – for example, via indiscreet chat about upcoming product launches or personnel changes.
4) Understand that One Security Border Is No Longer Enough. In the past, IT professionals took a “fortress” approach to security – focusing on finding better ways to strengthen the security border that protected the network. But business today is becoming “borderless” and so, too, is the network, meaning there is not one but multiple borders to protect, often extending to the end user or their device, and these borders are constantly changing. With workers collaborating and sharing vital information far beyond the walls of the workplace round the clock, security that’s limited to the network edge is bound to fail. Never before has it been more important for enterprises to adopt a “layered” approach to security, meaning one that includes depth and breadth of defense.
5) View Security as a Differentiator for Your Business. Robust security practices are an asset for businesses, and can be a competitive tool. They should never be a back-burner agenda item. Leading organizations are aligning their security investments with their business objectives and finding that it allows them to adapt more quickly and confidently to changing business conditions, take advantage of new technologies and markets, and enhance the customer experience. Stronger enterprise security can also help ensure compliance with industry and government regulations and reduce the risk of litigation from data loss or security breaches. How an enterprise approaches security and responds to trends such as social networking and mobility can also have a direct effect on its ability to hire and retain talent, especially from the Gen Y demographic pool.
Businesses must act now to test the robustness of their infrastructure and implement effective security practices so that they can endure, if not thrive, in the workplace landscape of today. There is no “silver bullet” technology solutions that can meet all their security needs, even the time travelers of today would have a hard time accurately seeing where we are headed. But I think we would all agree, a layered approach is the only way to meet the challenges and protect the opportunities facing enterprises today.
- Cisco 2010 Midyear Security Report
- Cisco Security Intelligence Operations
- Cisco Security Products and Services
- Follow us on Twitter @CiscoSecurity and become a fan on Facebook
- Visit the Cisco Security Blog
- Read Cisco Security Strategy Explained: Q&A with Cisco’s Tom Gillis.
Cisco 2010 Midyear Security Report
Cisco Vice President and Chief Security Officer John N. Stewart highlights findings from the Cisco 2010 Midyear Security Report.