Viruses are getting more virulent, and hackers faster and smarter. The threat of a zero-day virus attack is rapidly becoming a reality.
These risks, according to Jean-Noel Ezingeard, Professor of Management Studies at Henley Management College in the U.K., while concerning, are not what should be keeping CIOs and IT managers awake at night.
“Security vendors and the like are not doing enough work around new types of viruses,” he said. “Specifically, those which attack mobile/wireless devices.”
“I think vendors and users need to be more concerned. The technology is not uniform — there are many manufacturers and operating systems, and keeping up with threats is going to be more difficult as these devices proliferate,” he said.
User education is critical here, especially as viruses begin to hit mobile phones, which are increasingly connecting to corporate networks these days.
“The network operators have a role to play in terms of paying better attention to what goes on in their networks,” Ezingeard said. “I have never heard of an operator sending out a warning along the lines of the warnings issued by antivirus vendors.”
Ezingeard believes hardware manufacturers, software providers, network operators and users need to work together to negate threats in this sphere.
Another growing threat to corporate security are blogs (web-logs). “IT security people are often paranoid about access control, viruses and so on, but they forget about the engineer who has posted part of the company’s IT architecture diagram onto his blog for the whole world to see,” said Ezingeard. “These will be logged on the Internet forever. There are nine million blogs out there, which, for the most part, will never be erased.
“This is what people should be thinking carefully about,” he continued. “Blogs can do a lot of damage, in PR and information security terms.”
A further threat that has hitherto gone unnoticed, comments Ezingeard, is the security implications of the move towards service-oriented architectures (SOAs). While the protocols are solid and secure, no-one has yet considered the governance of SOA arrangements.if a company outsources its CRM to company A, desktop management to company B, the firewall to company C, and so on, you potentially end up with a big mess, and no real ownership in terms of how it fits together, and no clear responsibility when something goes wrong. Jean-Noel Ezingeard>Text “We are already seeing companies using many different service providers to do different things. So, if a company outsources its CRM to company A, desktop management to company B, the firewall to company C, and so on, you potentially end up with a big mess, and no real ownership in terms of how it fits together, and no clear responsibility when something goes wrong. Who is responsible for the security of that data?” he said.
“SOA, mobility and blogs do not feature on the CIO’s radar,” Ezingeard said, “Mobility is starting to get some attention, but the governance aspects of SOA, and the risks associated with employee blogs, have not yet been able to do so. Technologically we can cope with the increased security threats, but we still need to work on the management, responsibility and people aspects.”