Information has become the new currency but is under greater threat than before owing to a mobile workforce, consumerisation of IT, heterogenity of enterprise IT environments and entry of criminal elements and leveraging of new mobile devices as a vectors to steal information.
"Today's attacks are proving to be more sophisticated, well-organised and covert in nature than attacks seen in years past", according to Shantanu Ghosh, Vice President, India Product Operations, Symantec.
"..New age cyber criminals are targetting four key areas of weakness that are putting business environments at risk, namely--poorly protected infrastructure,poorly protected information, poorly enforced IT policies and poorly managed systems", he said.
The threat landscape today was evolving rapidly.Until recently, attackers were looking for the fame associated with widepread attacks that brought down large parts of the internet infrastucture and grabbed headlines. Now, theft attacks have a more insidious motivation-money, he said.
Online theft and trade in confidential information, including intellectual property, customer and employee records, financial data and other sensitive informtion is now an organised industry."In 2008, 90 percent of the attacks were driven by organised criminals," he said.
"Attackers are finding new methods of profiting from confidential data, including itnellectual property", he said .
Cybercriminals were also leveraging the multitude of devices that connect to the internet, not just desktops, but also mobile devices, such as smart phones, lapstops and PDAs.
A Symantec's survey recently said the average revenue lost by Indian enterprises due to cyber attacks was Rs 58 lakh in 2009.
Indian enterprises lost an average of Rs 94 lakh in organisation, customer and employee data in 2009 and an average of Rs 84 lakh in productivity. Sixtysix percent of the Indian enterprises said they had experienced cyber attacks.The attacks also led to loss of brand reputation, customer trust and high litigation cases.
In 2009, the top three reported losses were theft of itnellectual property, theft of customer credit card information or other financial information and theft of customer personally identifiable information, Ghosh said.
Some of the top Information Security challenges include proliferation of data, including documents, emails spreadsheets. Another challenge was a mobile workforce.
"Today with increasing number of mobile devices allowing employees to work from anywhere and with variety of devices including smartphones, USB drives, laptops being used to access company data, enterprises are currently struggling to identify where their confidential information is and and how it is being used", Ghosh said.
Consumerisation of IT was another huge challenge.
"The official use of consumer technology such as social networking, instant messaging and blogs has become prevalent in enterprises."
A Symantec survey revealed that 82 per cent of Indian enterprises use facebook while 54 per cent officially use web based consumer email and 62 per cent use blogs.Additionaly 46 per cent use microblogging tools, 69 per cent use Google Talk and 61 per cent use Yahoo Messenger.Social Media is constantly being used in business for collaboration and communication, leaving them open to threats, he said.
Data loss and data breaches caused by lost or stolen phone is also a big challenge, as mobile devices are now used to store confidential business information and access the corporate network.About 98 per cent of mobile phones reported lost or stolen in New Delhi in 2008-09 are yet to be traced.
Enterprise Security was also becoming diffiult due to number of factors. Enterprise security is understaffed.
Secondly, enterprises are embarking on new initiaties that make providing security more difficult.Initiatives that were most problematic from security view point were infrastrucuture-as-a service, platform as-a-service , server virtualization, endpoint virtulaization and software-as-a-service.
Smartphones were perceived as the biggest threat followed by windows-based laptops, 'PDAS' and 'mac-based laptops.'
Going forward, social engineering is expected to be the primary attack vector.
"More and more atackers are going directly after the end user and attempt to trick them into downloading malware or divulging sensitive information under the assumption that they are doing something perfectly innocent", Ghosh said.
As Mac and smartpone continue to increase in popularity in 2010, more attackers will devote time to creating malware to exploit these devices, he said.
"The need of the hour is a well-structured IT security strategy that enables enterprises protect their IT assets.
Moving forward, they need to develop a security strategy that is risk-based and policy driven, information-centric and operationalized across a well managed infrastructure", Ghosh said.
