September 15, 2015 By Fran Howarth 4 min read

With the current threat landscape so complex, sophisticated and pervasive, all organizations need to pay strict attention to information protection to ensure that sensitive data is safeguarded, assets are protected and personal privacy is ensured. For many, that requires rethinking how security practices should be adapted.

Outdated Information Protection

Many enterprises have traditionally taken a fortress-like approach to security, looking to defend their perimeters and bolt down the hatches when an incident occurs. Typically, they have spent more on network security than on protecting the endpoints that connect to and interact with those networks. They are also known for being tight-lipped, keeping information regarding security incidents and approaches for defending against them to themselves, possibly in the belief that they will do a better job if other organizations don’t know what’s going on.

The perimeter approach is no longer sufficient. As the Jericho Forum, whose work has now morphed into that of The Open Group, has long espoused, networks have become deperimeterized. The group introduced the concept of the porous firewall, the result of more and more devices punching holes through seemingly sufficient controls. Endpoints are the new perimeter.

A recent Security Intelligence article looked at university security from a university CISO’s point of view. David Sherry, CISO at Brown University, raised a number of interesting points regarding information protection in the higher-education sector. He pointed to the decentralized nature of universities, the fact that bring-your-own-device (BYOD) has long been a factor to consider and the culture of information sharing among universities. Could enterprises learn from these bastions of academia to make themselves more secure?

The Extended Enterprise

Universities are highly decentralized. According to Neal Tilley, an IT education specialist with Alcatel-Lucent Enterprise, universities are characterized by “a complex mix of users, private and public areas, secure and open networks, and … a vast amount of personal and intellectual property information bouncing around them.” Sherry likened university security to protecting a small city, with vast numbers of disparate users and a variety of ancillary services offered, all of which require information protection.

Enterprises have recently seen their empires expand, as well. As PwC noted, today’s service economy is increasing the extent to which businesses rely on each other, including the use of specialized service providers for non-core competencies, such as data hosting and business process services, and the increased use of cloud services.

The PwC report showed that the business process outsourcing market in the U.S. alone will be 23.3 percent larger in 2017 than it was in 2012. This increases the number of third parties with access to corporate information. Businesses are also routinely extending access to corporate resources to suppliers, business partners and even customers. The economic downturn has played its part, as well, because organizations look to do more with fewer in-house resources to cut costs.

All of these factors expand both the amount and the reach of information that needs to be protected from unauthorized access. Yet data from Trustwave referenced during a presentation at RSA 2014 shows that 76 percent of breaches resulted from third parties. Enterprises should consider the stance taken by universities, ensuring that network traffic and information zones are effectively segmented.

Sherry noted that Brown University is effectively taking on the role of an Internet service provider (ISP) for some of the services that it offers, such as providing Web access in its residential accommodations and requiring the use of virtual private networks (VPNs), strong authentication and entitlements to gain access to secure areas of the network. Many enterprises focus primarily on ensuring secure access for employees, whereas many of the dangers they face originate from their extended enterprise.

Embrace Change

The consumerization of IT appears to be an unstoppable force, bringing with it the challenges of BYOD, unsupported applications and data filtering. While BYOD programs are on the rise, many businesses have been reluctant to fully embrace the opportunities enabled by the consumerization of IT. Universities, however, are ahead of the curve and have been dealing with these emerging technology trends for some time.

Sherry stated that it is not unusual for a student to own 10 or even 15 devices — computers, tablets, phones and wearables such as fitness trackers are common. Students are also keen proponents of file sharing. By catering to these trends, universities have found that modern technology is invaluable as a teaching aid in helping students and teachers succeed. It also makes for happier individuals because students can use the devices that they are familiar with and most comfortable using.

Enterprises must embrace technological change and take advantage of the benefits that it offers. The consumerization of IT offers opportunities for users to be more productive and more satisfied with their work environment, contributing to the success of the organization. At universities, increasing user awareness and enforcing acceptable use policies will do much for information protection in the new technology age, along with implementing strict access controls to ensure that all information is adequately protected.

Whether organizations know it or not, their employees will access file sharing sites, raising the potential for sensitive data to be leaked out of the organization. Data loss protection and data exfiltration controls are a must, but organizations should also consider providing their employees with a centralized, enterprise-grade service that is an acceptable alternative. For controlling who is on the network, what devices they are using and what applications are employed, network access controls and enterprise mobility management technologies have a key part to play.

Share Information for Better Security

Few industries have a culture of information sharing, even though sharing information with peers regarding security incidents or threats can provide critical, actionable information about the nature of the threat and the tactics of adversaries. Security information shared within a particular industry can be particularly useful since similar organizations often face similar threats.

Higher education is one sector in which information sharing is particularly prized. According to EDUCAUSE, this collaboration helps reduce the number of breaches, leading to fewer records being stolen and less money spent on costly remediating operations. By sharing information, universities are able to determine the best practices for defeating attacks and improving their overall security posture.

Universities are prized as places to learn. In terms of security and information protection, there are many lessons that they can teach enterprises. Organizations should look to the best practices that academia provides in order to better take advantage of the opportunities that innovative new technologies provide in a safe and secure manner.
