IT Managers Inbox http://itmanagersinbox.com Resources for IT Managers Fri, 24 Apr 2015 20:39:42 +0000 en-US

Help Your Employees Understand Data Risk Management http://itmanagersinbox.com/1801/help-your-employees-understand-data-risk-management/ Tue, 04 May 2010 10:11:00 +0000 http://itmanagersinbox.com/?p=1801

Theft of confidential information is a risk to the business, and IT plays a large role in protecting the data. Not all data is electronic though. Files that identify customers and employees, Social Security numbers, credit card information and other account data are just some of the forms of sensitive data a company must protect.

Failing to protect confidential information can lead to identity theft and fraud. You can lose the trust of your customers and even end up defending yourself in a lawsuit. Data loss is often due to employees who do not follow IT security policies or who inadvertently expose the company network to risk.

According to the first annual ISACA IT Risk/Reward Barometer survey, the top three ways employees add risk for IT and the business are:

  • Not protecting confidential work data appropriately (50 percent)
  • Not fully understanding IT policies (33 percent)
  • Using non-approved software or online services for their work (32 percent)

Many studies have shown that a lack of end user training is a large and growing threat to IT security (see “Lack of End User Training is a Large and Growing Threat to IT Security”). This is why your employees play a very important role in IT security.

Tips For Protecting Your Company Data

Lock It Up

Computer and network defenses are important, but don’t forget that not all data is electronic. Offices are filled with files containing sensitive or confidential information. Here are a few steps employees can take to secure data.

  • Make sure every employee has a secure drawer or cabinet to lock up files.
  • Centralize sensitive paperwork in a secure location and limit access to only employees who have a legitimate business use for the data.
  • Remind employees never to leave documents out, even if they will only be away from their desk for a short time. Put the documents in the secure drawer and lock it. It is a habit every employee needs.
  • If you are shipping sensitive data off-site use a secure package and a shipping method that allows you to track the package.
  • Employees with company laptops should be educated on how to secure them in their car and in their home.

Help Employees Keep Your Network Secure

It only takes a few seconds for spyware, viruses or other nasties to invade your network. IT departments use advanced tools to protect a network, but employees must understand their role in electronic security.

  • Encourage employees to use strong passwords; the longer and more complex, the better. Teach your employees methods of remembering strong passwords so they do not write them down, and enforce mandatory password changes.
  • Block sites that are not work related or that are known to have risks associated with them. Educate your employees that they only have to visit the wrong website to become infected. To an employee what seems like innocent web surfing can be a huge risk to your network.
  • Teach your employees never to open an email attachment from someone they do not know. Even if they know the sender, employees should always be wary of attachments, because a sender address is easily spoofed. Give them a list of file name extensions they should never open regardless of who it appears to be from.
  • Educate your employees on the hazards of installing unauthorized software on their computer.
  • A study last year found that 67% of employees use removable media such as personal USB thumb drives at work. Not only does this put your IT systems at risk from malware, but with the capacity of removable media today, gigabytes of company data can be copied onto them. Consider blocking access to USB mass storage devices.
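The attachment rule above says to hand employees a list of extensions they must never open. The mail gateway or help desk can apply the same list mechanically, but only if it handles the tricks attackers use to hide the real extension. The following is an added example written for this page, not code from the original article; the block list itself is an illustrative assumption (the article leaves the exact list to the reader). It screens a filename by its last extension, flags double extensions such as "report.pdf.exe", strips trailing dots and spaces that Windows ignores, and rejects the Unicode right-to-left override (U+202E) trick that makes "photo[RLO]gnp.exe" display as "photoexe.png".

```python
import posixpath
from typing import List

# Extensions that should never be opened from mail, regardless of sender.
# This list is an assumption made for the example, not the article's list.
BLOCKED_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "msi", "cpl", "jar", "lnk", "reg", "ps1",
}

# Archives are not blocked outright, but they can carry any blocked type
# inside, so they are routed to a human for review.
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z", "cab", "iso"}

RIGHT_TO_LEFT_OVERRIDE = "\u202e"


def normalize_filename(name: str) -> str:
    """Undo tricks that make a dangerous name look harmless:
    strip directory parts ("..\\x.exe"), drop trailing dots and spaces
    (ignored by Windows when opening), and lower-case so "INVOICE.EXE"
    matches "exe"."""
    name = posixpath.basename(name.replace("\\", "/"))
    name = name.rstrip(". ")
    return name.lower()


def extensions_of(name: str) -> List[str]:
    """Return every extension part, so "report.pdf.exe" -> ["pdf", "exe"]."""
    parts = normalize_filename(name).split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_attachment(name: str) -> str:
    """Return 'block', 'review' or 'allow' for an attachment filename.

    The *last* extension is what the OS executes, so that is what is checked
    against BLOCKED_EXTENSIONS. A blocked extension earlier in the chain
    ("invoice.exe.txt") is a common social-engineering pattern and is sent
    for review even though the file itself is not executable.
    """
    if RIGHT_TO_LEFT_OVERRIDE in name:
        return "block"          # displayed name cannot be trusted at all
    exts = extensions_of(name)
    if not exts:
        return "review"         # no extension: let a human look
    last = exts[-1]
    if last in BLOCKED_EXTENSIONS:
        return "block"
    if last in ARCHIVE_EXTENSIONS:
        return "review"
    if any(e in BLOCKED_EXTENSIONS for e in exts[:-1]):
        return "review"
    return "allow"


if __name__ == "__main__":
    # Constructed sample filenames for the demonstration.
    for sample in ("report.pdf", "report.pdf.exe", "REPORT.PDF.EXE ",
                   "C:\\temp\\payload.scr", "invoice.exe.txt", "archive.zip"):
        print(f"{sample!r:28} -> {classify_attachment(sample)}")
```

The decision is deliberately three-valued: blocking on the last extension is cheap and safe, but archives and suspicious-looking double extensions are where a reviewer earns their keep, and silently dropping them would train users to work around the filter.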

Employees And IT Policies

Nearly every new hire will sign an IT security policy, but do they really read it? Many employees are simply not aware of the IT policies that are set up to protect company data and the IT systems that support the business.

There are some ways to make your employees more aware of IT policies:

  • Educate them by using online or classroom training on IT policies.
  • Post IT policies on the company intranet site.
  • During new hire orientation don’t just get them to sign the policy; take time to go over it so they fully understand the policy and what role they play.
  • When changes are made to IT policies, make sure all employees are made aware of them.

Education Is The Key

You cannot rely on IT solutions alone to protect your IT systems and your company data. There are areas that put IT systems and the business at risk where educating your employees is the key.

Some areas to highlight:

  • Educate and train employees about company expectations for protecting data.
  • Explain the risks of unauthorized software on company computers and company cell phones.
  • Include security awareness training during new-hire orientation.
  • Establish a security-aware culture by using frequent reminders, such as posters and emails, about IT security and company data.
  • Teach employees about security considerations when on the phone and when connecting to the Internet, social networking sites and collaboration sites.
  • Teach employees about physical security, such as only allowing employees with badges to enter buildings.

Are Your Employees Security Aware?

Protecting confidential data in all forms is critical to the business and IT has a large role in making sure the data is secure. A disgruntled employee can cause tremendous damage to a company, but the biggest risks are employees who don’t take proper care of company data.

Constantly review your IT policies and make changes if needed. Educate your employees so they understand they play a very important role in protecting your company data. Employees do not want to put your company at risk, but for most of them data security does not cross their mind. They think the IT staff will handle all that.

Helping your employees understand their role in protecting sensitive and confidential information, as well as overall network security, is a sound best practice you should put in place right away.

The SANS (SysAdmin, Audit, Network, Security) Institute offers a very good set of security guidelines called “Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines”. If you think your security policies are lacking or need updating this would be a good read.

Cisco Expands Security Services Into the Cloud http://itmanagersinbox.com/1296/cisco-expands-security-services-into-the-cloud/ Fri, 24 Apr 2009 04:02:00 +0000 http://itmanagersinbox.com/?p=1296

Cisco today announced new additions to its portfolio that bolster the network security infrastructure and the delivery of cloud security services, thereby enabling businesses to collaborate with greater confidence even as their workforce and partners become increasingly mobile and interactive.

Today’s announcement, being made at the RSA Conference in San Francisco, comes at a time when collaboration and mobility technologies are redefining how, when and where business gets done. As companies continue to extend connectivity outside their office walls, they must focus on new ways to protect their data and communications.

While today’s business applications, social media, software-as-a-service and wireless technologies gain widespread adoption and lead to new interactive business models, those same technologies and business models are jeopardized by threats that are just as novel and agile.

Tom Gillis, vice president and general manager, Security Technology business unit, Cisco said “In today’s changing world, businesses require a security strategy that accounts for the physical, virtual, mobile and global aspects of their business.

Our vision for security is based on a balance of protection and enablement, which integrates security from the network through to the endpoint and the user. Security needs to capture the latest threat intelligence to mitigate shifting threats. This combination enables businesses to collaborate with greater confidence when engaging employees, partners and customers.”

Cisco Intrusion Prevention System (Cisco IPS)

Current network security developments and security trends will be highlighted tomorrow at the 2009 RSA Conference, where Cisco Chairman and CEO John Chambers will deliver a keynote address titled “Collaborate with Confidence.” Chambers will describe security trends and discuss his perspective on the heightened importance of network security in a collaborative world. To attend a live webcast of Chambers’ keynote address, please visit: http://www.cisco.com/offer/rsakeynote.

The Cisco security offerings announced today incorporate new threat defense products and services that will help customers protect against attacks, malware and botnets, no matter where they connect and communicate.

New Product Offerings:

  • Cisco Security Cloud Services: This unique approach for delivering security as a service ties together services from multiple networks and applications, bringing together the cloud and the enterprise network for highly secure collaborative communications. The Cisco Security Cloud supports the recently announced Cisco IronPort® Hosted Email Security Services as well as Global Correlation, a powerful new technique that powers security services integrated into Cisco’s broad range of security offerings.
  • Cisco IPS Sensor Software Version 7.0: Global Correlation for intrusion prevention system (IPS) harnesses the power of Cisco Security Intelligence Operations, a powerful threat-defense ecosystem, to achieve unprecedented threat-protection efficacy. Cisco turns global threat data captured from a massive footprint of security devices into dynamic updates and actionable intelligence, such as “reputation” scores, and pushes that intelligence out to a business’s network security infrastructure for protective action. By incorporating Global Correlation, Cisco IPS 7.0 is up to two times as effective in stopping malicious attacks, in a shorter amount of time, than traditional signature-only IPS technologies.
  • Cisco ASA 5500 Series 8.2 Software: This offering in the Cisco Adaptive Security Appliances family is designed to enhance end-to-end security for offices of all sizes, improving threat mitigation and enabling companies to more securely connect, communicate and conduct business. With a new Botnet Traffic Filter for identifying infected clients, IPS availability for small offices, and increased clientless remote-access capabilities, Cisco now offers support for the widest range of platforms, operating systems and endpoints in the industry.
  • Cisco ASA Botnet Traffic Filter: The new Botnet Traffic Filter enables Cisco ASA 5500 Series appliances to more accurately identify infected clients using information from Cisco Security Intelligence Operations: more than 1,000 threat-collection servers that receive information from more than 700,000 sensors and 500 third-party feeds. With improved threat intelligence, customers can more accurately identify infected clients and streamline their operations so that security administrators can focus on the most challenging threats.
  • Cisco Remote Access and VPN Enhancements: Cisco ASA Software Release 8.2 expands remote access capabilities with next-generation tunneling and session persistence through Cisco AnyConnect Essentials for corporate and mobile users, thus covering the widest range of platforms, operating systems, and endpoints in the industry. Support for the Cisco Virtual Office solution has also been added to the Cisco ASR 1000, allowing this wide-area network aggregation platform to also act as the head-end device for Cisco Virtual Office deployments capable of supporting several thousand remote clients. The Cisco ASR 1000 also now supports GET VPN, allowing instant provisioning of security services and delivering high-performance, highly secure any-to-any connectivity for up to 10,000 Internet Protocol Security (IPsec) tunnels at up to 7 gigabits per second of throughput, enabling customers to prioritize and deliver data flows efficiently to multiple network addresses.
  • Cisco SAFE: A security reference architecture that provides prescriptive validated design guides to help organizations plan, design and deploy security solutions across the network, such as campus offices, the Internet edge, branches and data centers. These blueprints provide defense-in-depth guidance and best practices for securing data and transactions as they traverse the network.
  • Cisco Information Technology Governance, Risk Management, and Compliance (IT GRC) Security Assessment Services: These services help organizations establish a single program for reducing information security risk and the cost of compliance, by aligning business and technology strategies. Businesses are better able to balance the need for collaboration and information sharing with privacy and information control and to manage disparate security and compliance programs that often lead to inefficiency, duplicated effort, coverage gaps and higher costs. With the Cisco IT GRC Security Assessment Services, organizations can establish a common control framework: a single, unified set of security controls that efficiently meet compliance obligations and protect organizations from threats. The services provide a comprehensive assessment of a business’s security policies and security architecture and map them against the requirements of the common control framework to identify gaps and make prioritized recommendations for resolving those gaps.

RSA President Urges “Inventive Collaboration” to Combat Cyber-Threat and Reap Rewards of New Technologies http://itmanagersinbox.com/1303/rsa-president-urges-inventive-collaboration-to-combat-cyber-threat-and-reap-rewards-of-new-technologies/ Thu, 23 Apr 2009 04:02:58 +0000 http://itmanagersinbox.com/?p=1303

During the opening keynote at RSA Conference, Art Coviello, President of RSA, The Security Division of EMC, cautioned that the global cyber-threat continues to escalate and online fraudsters are more organized, collaborative and effective than ever.

He addressed major forces such as the economy and emerging technologies that are driving the information security industry to evolve and adapt – and how these forces provide an opportunity for “inventive collaboration” to effectively restructure the information infrastructure. Coviello also provided examples on how RSA is working to foster inventive collaboration around key practices.

“To combat the cybercriminals requires far more purposeful collaboration on the part of the industry and a strong security ecosystem built around a common development process focused on risk,” said Coviello. “Today’s security technologies are applied as independent applications cluttering the information landscape and leaving perilous gaps of risk.”

Coviello cited three major forces driving the information security industry to evolve and adapt, including: the challenge posed by the criminal threat; the demand upon enterprises and governments to achieve unprecedented levels of productivity to restore value to the faltering economy; and the opportunity to rethink the approach to security based upon emerging technologies and trends such as virtualization, cloud computing and social networking.

He argued that these three forces have placed the industry at a critical inflection point by providing the opportunity to restructure the information infrastructure almost from the ground up – and warned that the industry must avoid repeating past mistakes.

According to Coviello, “We must embrace a common development process that allows us to create a more secure infrastructure today. Then with an eye on the future we can ensure that the new technical infrastructure is designed around that process, rather than forcing a process around a collection of technologies.”

Coviello urged the industry to foster inventive collaboration around three key practices and provided examples of how RSA is pursuing them:

  • Collaborate on standards such as the Key Management Infrastructure (KMI) standard led by RSA, HP and IBM
  • Practice technology sharing. The RSA™ Share Project, which provides the leading RSA BSAFE® encryption software developer toolkits at no cost, is a good example of this practice
  • Integrate technologies and embed controls directly into the infrastructure itself. Examples of these integration points were discussed onstage between Coviello, Brett Galloway, Senior Vice President, Wireless and Security Technology at Cisco and Scott Charney, Corporate Vice President of Trustworthy Computing at Microsoft

“We must develop a stronger and healthier ecosystem than the fraudsters and ensure the fluid and frictionless exchange of information on which our global economy depends. It’s not about changing the game; it’s about winning the game,” said Coviello.

EMC’s security division has made announcements that demonstrate progress along the path of collaboration and technology advancements:

  • The RSA Share Project, a new initiative designed to bring world-class security tools within reach of corporate and independent software developers and project leaders. The Share Project features the launch of a new online community designed to provide support, answers and strategies from security experts as well as no-cost access to technology from RSA. RSA’s first Share Project offering to application developers is a no-cost download of the RSA BSAFE Share encryption toolkit, encouraging built-in versus bolted-on security, using tools based on RSA BSAFE products, the world’s most trusted and widely-deployed encryption software. The goal of the RSA Share Project is not merely for the distribution of free technologies, but to promote and build a vibrant community of security-focused engineers, developers and users committed to software security assurance.
  • Three new solutions for Microsoft SharePoint® from EMC and RSA provide organizations the ability to better secure critical information, identities and infrastructure while achieving enhanced security and availability of their SharePoint environment. These solutions provide validated architectures and best practices to accelerate time to deployment, deliver predictable results and achieve improved performance. For organizations to successfully leverage SharePoint it requires the ability to understand risk and how to best remediate it. The RSA Solution for Microsoft SharePoint – including the new RSA® Secure View for Microsoft SharePoint tool, RSA® DLP RiskAdvisor for Microsoft SharePoint service, and solution architectures and documentation – provide organizations with a view of their SharePoint hierarchy, the location of sensitive data across the SharePoint environment, and users with access to these data. In addition, the solution provides comprehensive support for enacting controls to better secure data within the SharePoint environment. Also, in order to understand potential risk, organizations must know where sensitive data reside across the SharePoint environment. To support this, a new EMC Proven™ solution – EMC Security and Compliance for Microsoft Office SharePoint Server 2007 – validates the ability of RSA DLP Datacenter to deliver these benefits at enterprise-scale. Customers leveraging SharePoint expect high availability. EMC Business Continuity for Microsoft Office SharePoint Server 2007 is an EMC Proven™ solution, which provides technical validation for SharePoint customers to implement high availability by achieving fast recovery from unplanned server failures, simplified restart from server failures, consistent failover and centralized management.
  • Enhancements to the RSA Data Loss Prevention (DLP) Suite, an integrated, market-leading suite of data security products that are engineered to discover, monitor and protect sensitive data from loss, leakage or misuse whether in a datacenter, on the network, or out at the endpoints. With 68 new features and enhancements in the areas of policy management and classification, remediation, database scanning, reporting, administration and integration with the RSA enVision® Platform to streamline the process of understanding security risk, the RSA DLP 7.0 Suite is designed to reduce the total cost of ownership of DLP by automating the protection of sensitive data and reporting, lower risk by protecting more sensitive data in more places, and simplify security operations.

Announcing the new release of RSA® Adaptive Authentication platform

A new release of the RSA Adaptive Authentication Platform is now available for risk-based, transparent authentication to corporate resources such as e-mail, intranets and extranets across a broad range of enterprises. Providing enterprises with more choice in authentication based on risk, cost and user convenience, RSA Adaptive Authentication is delivered through on-premise software or via software-as-a-service with a low cost of ownership and increased end user convenience through the use of a self-learning risk analysis and assessment engine using indicators such as device identification, user behavior profiling and the RSA eFraudNetworkSM community.

The new release is designed for large, distributed enterprise environments, including RSA customers AMD, Geisinger Health System and Rapattoni Corporation, to help to positively identify users using self-learning risk indicators before accessing corporate resources. The new release of RSA Adaptive Authentication platform is integrated with leading SSL VPN solutions, RSA Access Manager and RSA Identity Verification. The RSA Adaptive Authentication platform is a proven solution with more than 8,000 customers, currently protecting over 225 million online identities.

VASCO Data Security Offers Authentication Services Based on IDENTIKEY http://itmanagersinbox.com/1128/vasco-data-security-offers-authentication-services-based-on-indentikey/ Fri, 27 Mar 2009 10:38:55 +0000 http://itmanagersinbox.com/?p=1128

VASCO Data Security Inc., a leading software security company specializing in authentication products, and the IT service provider datec24 Services are partnering to offer subscription-based DIGIPASS authentication to datec24 customers.

Under the terms of the agreement datec24 will host VASCO’s IDENTIKEY® server. The IDENTIKEY server will be used to offer on-demand authentication to a number of customers. This way, customers are able to secure data on the corporate network and in web-based applications with strong authentication, without large investments or complicated deployments. Both companies will be at CeBIT: VASCO in Hall 17, booth E21 and datec24 in Hall 11, booth D40.

The authentication service, which VASCO also offers directly to customers under the name DIGIPASS® Plus, is well suited to protecting mission critical data stored in hosted applications or Software as a Service solutions. Software as a Service (SaaS) is generally on the rise: more and more companies use hosted applications such as CRM, accounting and payroll applications.

The decision to implement SaaS is most often taken by the business owners, not least because of cost efficiency. IT departments are generally concerned about security: is the outsourced data really secure? Is the confidential data only accessible to authorized users? Two-factor authentication can protect such sensitive data on the web.

To log on to SaaS applications, employees will no longer use the static password offered by default by the application. Employees will log on with their DIGIPASS®. The software- or hardware-based DIGIPASS provides the employee with a One-Time Password (OTP), which they type into the logon screen. The OTP expires after 36 seconds and therefore cannot be re-used if intercepted by an attacker or shared with unauthorized co-workers.

Under the terms of this agreement, datec24 will host the server infrastructure to support the subscription-based authentication service. Subscription fees from 3.55 EUR per month provide companies with an authentication solution for employees, including the VASCO DIGIPASS authenticators. The service is based on VASCO’s IDENTIKEY Server.

IDENTIKEY 3.0 is VASCO’s authentication server solution, based on VACMAN technology, which offers DIGIPASS two-factor authentication for remote access to networks and for web-based applications. The solution is well suited to medium and large enterprises that want to integrate user authentication or signature validation into their web applications. Its SOAP interface enables IDENTIKEY integration in virtually any web-based environment.

In a first public test phase, an offer has been created providing IDENTIKEY-based authentication services for companies using the CRM on-demand platform Salesforce.com.

Besides the low investment, the use of authentication services has a number of other advantages. There is no need for time-consuming and costly integration: no additional hardware or software is required on the customer’s server side, and the SOAP interface of IDENTIKEY allows seamless integration. datec24 ensures swift deployment and high availability of the service. Because the service is subscription based, authentication can grow steadily with the size of the company. Furthermore, the customer does not need to worry about updates consuming IT resources; these are done automatically as part of the subscription.

“Increased security without complexity,” says Jens Karjoth, managing director of datec24 Services GmbH. “We provide a secure high-availability infrastructure through which companies can use the authentication service for SaaS based on IDENTIKEY, without having the risk or cost involved in deploying an authentication solution.”

“We are happy to partner with datec24. VASCO already offers authentication services; with this partnership we expand that offering to a number of customers in Germany,” says Jan Valcke, President and COO at VASCO Data Security.

Further information: http://www.vasco.com

HP Offers Free Web Security Tool to Help Businesses Guard Against Malicious Hackers http://itmanagersinbox.com/1187/hp-offers-free-web-security-tool-to-help-businesses-guard-against-malicious-hackers/ Thu, 26 Mar 2009 04:05:31 +0000 http://itmanagersinbox.com/?p=1187

HP today announced HP SWFScan, a free tool to help Flash developers protect their websites against unintended application security vulnerabilities and reduce the risk of hackers accessing sensitive data.

As companies modernize their applications to give users a better experience online, they are moving to Web 2.0 technologies, including the Adobe Flash Platform. With Adobe Flash Player installed on more than 98 percent of Internet-connected PCs worldwide, it is imperative that web applications built with Flash technology are developed securely.

HP SWFScan allows Flash developers to deliver more secure code without becoming security experts. The tool is the first of its kind to decompile applications developed with the Flash Platform and perform static analysis to understand their behaviors. This helps identify vulnerabilities that lie under the surface of an application and are not detectable with traditional dynamic methods.

With HP SWFScan, Flash developers can:

  • Check for known security vulnerabilities that are targeted by malicious hackers. This includes unprotected confidential data, cross-site scripting, cross-domain privilege escalation, and user input that does not get validated.
  • Fix problems quickly by highlighting vulnerabilities in the source code and receiving solid guidance on how to fix the security issues.
  • Verify conformance with best security practices and guidelines.

“The Adobe Flash Platform is being used more and more by large media companies and for business-critical applications. We are working with HP to make sure developers have tools to help secure content and keep customers safe,” said Brad Arkin, product security and privacy director, Secure Software Engineering Team, Adobe.

“We worked with HP on their SWFScan tool, which will help Flash developers find potential security issues early in the development process so they can understand and prevent problems before web applications are ever deployed.”

Find, fix and prevent security vulnerabilities

An example of the types of security vulnerabilities HP SWFScan can prevent is leaving confidential information accessible to hackers. Flash developers often create an unintentional vulnerability by encoding access information such as passwords, encryption keys or database connection details directly into their applications; because a SWF can be decompiled, anything embedded in it is readable by whoever downloads it. A video accompanying the original announcement demonstrates how hackers can exploit this vulnerability.

HP analyzed almost 4,000 web applications developed with Flash software and found that 35 percent violate Adobe security best practices. Hackers can exploit this situation to circumvent security measures and gain unfettered access to sensitive information. HP SWFScan helps developers find and correct these problems before they become an issue.
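To make the announcement's vulnerability classes concrete, here is an added example written for this page, not HP's SWFScan or any of its rules: a small static check run over a constructed snippet of decompiled ActionScript 3. The snippet, its variable names and its credentials are all made up for the demonstration. The rules look for the classes the announcement names (an embedded secret, a wildcard `Security.allowDomain("*")` that lets any site script the SWF, FlashVars read from `loaderInfo.parameters` without validation, and data handed to browser JavaScript through `ExternalInterface.call`), and a tiny taint pass shows which FlashVar-derived values actually reach a sink.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of decompiled ActionScript 3 for the demonstration.
# Not real application code; the credentials in it are invented.
SAMPLE_AS3 = """
package {
    import flash.system.Security;
    import flash.external.ExternalInterface;
    import flash.net.URLRequest;

    public class Main {
        private const DB_PASSWORD:String = "Summ3r2009!";
        private var apiKey:String = "AKIA-EXAMPLE-0000";

        public function Main() {
            Security.allowDomain("*");
            var q:String = loaderInfo.parameters["q"];
            ExternalInterface.call("showResult", q);
            navigateToURL(new URLRequest(loaderInfo.parameters["next"]));
        }
    }
}
"""

# (rule name, pattern, explanation). The vulnerability classes follow the HP
# announcement; the patterns themselves are this example's own assumptions.
RULES: List[Tuple[str, re.Pattern, str]] = [
    ("hardcoded-secret",
     re.compile(r'(?i)\b\w*(password|passwd|secret|apikey|api_key|token)\w*'
                r'\s*:\s*String\s*=\s*"[^"]+"'),
     "credential or key embedded in the SWF; anyone who downloads it can decompile it"),
    ("cross-domain-wildcard",
     re.compile(r'Security\.allowDomain\(\s*"\*"\s*\)'),
     "any origin may script this SWF (cross-domain privilege escalation)"),
    ("unvalidated-flashvar",
     re.compile(r'loaderInfo\.parameters\[[^\]]+\]'),
     "FlashVar read without validation; attacker controls it via the embedding page or URL"),
    ("js-bridge-call",
     re.compile(r'ExternalInterface\.call\('),
     "data passed to browser JavaScript; XSS if it carries FlashVar input"),
]

SINKS = ("ExternalInterface.call", "navigateToURL")


def scan_source(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule, message) for every rule hit, in source order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, pattern, message in RULES:
            if pattern.search(line):
                findings.append((lineno, rule, message))
    return findings


def taint_flow(source: str) -> List[Tuple[str, str]]:
    """Minimal intra-file taint check: which FlashVar-derived variables (or a
    direct loaderInfo.parameters[...] read) reach a sink on the same or a
    later line. Returns (source_name, sink) pairs."""
    tainted: Dict[str, bool] = {}
    flows = []
    for line in source.splitlines():
        m = re.search(r'var\s+(\w+)\s*:\s*\w+\s*=\s*loaderInfo\.parameters\[', line)
        if m:
            tainted[m.group(1)] = True
        for sink in SINKS:
            if sink not in line:
                continue
            for var in tainted:
                if re.search(r'\b%s\b' % re.escape(var), line):
                    flows.append((var, sink))
            if "loaderInfo.parameters[" in line:
                flows.append(("loaderInfo.parameters", sink))
    return flows


if __name__ == "__main__":
    for lineno, rule, message in scan_source(SAMPLE_AS3):
        print(f"line {lineno:3}  {rule:22}  {message}")
    for src, sink in taint_flow(SAMPLE_AS3):
        print(f"taint: {src} -> {sink}")
```

The point the HP text makes about static versus dynamic analysis shows up here: the hardcoded credentials and the wildcard `allowDomain` never appear in any HTTP request a dynamic scanner could observe, yet both fall out of a few lines of pattern matching once the SWF has been decompiled.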

“Applications developed with Flash technologies are no more immune to security vulnerabilities than any other web applications,” said Joseph Feiman, vice president and fellow, Gartner. “Giving Flash developers the ability to check whether their code is secure, providing guidance on how to fix it, and offering best secure-programming practices will help to protect businesses and their customers from hackers.”

The HP Web Security Research Group, which developed SWFScan, includes many renowned experts in the security field. The group tracks web-related security threats and develops new technology to help IT professionals eliminate application security vulnerabilities. The results of the group’s research are incorporated into HP Application Security Center, a suite of products that allows customers to find, fix and prevent these vulnerabilities across the application life cycle.

HP Application Security Center includes the HP Assessment Management Platform as the foundation of the solution, and features HP DevInspect software for developers, HP QAInspect software for quality assurance teams and HP WebInspect software for operations and security experts.

“As organizations modernize their applications with Web 2.0 technology, they must be vigilant about preventing malicious hacker attacks and eliminating software defects of a security nature,” said Jonathan Rende, general manager and vice president, Products, Software and Solutions, HP. “HP continues to help make the web a safer place by turning our security research into solutions for customers to protect their applications, their websites and their sensitive information.”

A free download of HP SWFScan is available at www.hp.com/go/swfscan.

Lack of End User Training is a Large and Growing Threat to IT Security http://itmanagersinbox.com/1161/lack-of-end-user-training-is-a-large-and-growing-threat-to-it-security/ Thu, 19 Mar 2009 04:02:15 +0000 http://itmanagersinbox.com/?p=1161

While information security remains a top priority for eight in ten IT professionals surveyed, many companies seem to be underestimating one of the most significant IT security threats: end user error. According to CompTIA’s 7th Annual Trends in Information Security survey, human error is the primary cause of the most severe security breaches, yet significantly fewer organizations (45%) provided security training for their non-IT staff in 2008 compared to 53% in 2007. The results of the study will be released and presented at the FOSE tradeshow in Washington D.C.

“Fueled in part by the rapid adoption of portable hardware like laptops, flash drives and smart phones, and by distributed information technologies like crowd sourcing, social networks, virtualization and cloud storage, end users are exposed to new IT security threats every day,” said Tim Herbert, vice president of research at CompTIA. “Security threats grow along with the expanding reach of IT so non-IT employees need to be continually trained on the latest IT security threats.”

Terry Erdle, senior vice president of skills certification for CompTIA, will present the detailed results of the study on Tuesday, March 10 at 2:20 p.m. in Theater 1 of the Walter E. Washington Convention Center in Washington D.C., as part of FOSE, a major federal IT tradeshow. The presentation will cover the top five security issues across the IT landscape, how costly security breaches can be to a whole organization (not just IT), and insights on how to lower your risk.

“Unintentional security breaches by non-IT staff cost companies thousands of dollars in lost productivity and business downtime,” said Erdle. “This demonstrates a need for more employee trainings and deeper knowledge of technology functions.”

In addition to comprehensive industry research, CompTIA offers many other programs related to IT security including a new Security Trustmark accreditation that establishes security best practices for IT solution providers.

CompTIA’s 7th Annual Trends in Information Security: an Analysis of IT Security and the Workforce was fielded to a sample of 553 US IT professionals via the Internet during January 2009. The international portion of the study was fielded to a sample of IT professionals in key markets around the world. The complete study is available free to CompTIA member companies at www.comptia.org/research.

For more information on the study, on CompTIA’s certifications, or CompTIA’s other work on behalf of the global IT industry, visit CompTIA booth 2209A on the FOSE show floor or navigate to CompTIA.org.

About CompTIA

CompTIA is the voice of the world’s information technology (IT) industry. Its members are the companies at the forefront of innovation and the professionals responsible for maximizing the benefits organizations receive from their investments in technology. CompTIA is dedicated to advancing industry growth through its educational programs, market research, networking events, professional certifications, and public policy advocacy. For more information, please visit www.comptia.org.

The Top 20 Most Critical Controls for Cyber Security
http://itmanagersinbox.com/1131/the-top-20-most-critical-controls-for-cyber-security/
Mon, 09 Mar 2009 10:15:00 +0000

A consortium of federal agencies and private organizations has released Version 1.0 of the Consensus Audit Guidelines (CAG), which define the most critical security controls for protecting federal and contractor information and information systems.

For each of the 20 controls, the experts identified specific (actual) attacks that the control stops or mitigates, illuminated best practices in automating the control (for the 15 controls that can be automated) and defined tests that can determine whether each control is effectively implemented. The resulting document is called the Consensus Audit Guidelines and, once fully vetted, is expected to become the standard baseline for measuring computer security in organizations that are likely to be under attack.

Twenty critical security controls were agreed upon by knowledgeable individuals from the groups listed above. The list of controls includes fifteen that can be validated in an automated manner and five that must be validated manually.

Critical Controls Subject to Automated Measurement and Validation:

  1. Inventory of Authorized and Unauthorized Hardware
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
  4. Secure Configurations of Network Devices Such as Firewalls and Routers
  5. Boundary Defense
  6. Maintenance and Analysis of Complete Security Audit Logs
  7. Application Software Security
  8. Controlled Use of Administrative Privileges
  9. Controlled Access Based On Need to Know
  10. Continuous Vulnerability Testing and Remediation
  11. Dormant Account Monitoring and Control
  12. Anti-Malware Defenses
  13. Limitation and Control of Ports, Protocols and Services
  14. Wireless Device Control
  15. Data Leakage Protection

Additional Critical Controls (not directly supported by automated measurement and validation):

  1. Secure Network Engineering
  2. Red Team Exercises
  3. Incident Response Capability
  4. Data Recovery Capability
  5. Security Skills Assessment and Training to Fill Gaps

The full draft may be found at http://www.sans.org/cag/. The public review period runs through March 23, 2009.

IT PCG Research Reveals Significant Savings Potential for Information Security and Audit
http://itmanagersinbox.com/1075/it-pcg-research-reveals-significant-savings-potential-for-information-security-and-audit/
Fri, 27 Feb 2009 05:02:35 +0000

The IT Policy Compliance Group (IT PCG), of which ISACA is a sponsor, today announced the availability of its latest benchmark research report titled, “Managing Spend on Information Security and Audit to Improve Results.”

Based on research conducted with more than 2,600 firms, the study reveals that 68 percent of firms are under-spending on information security relative to the financial risks and losses they are experiencing. Yet incremental increases in the funding of best practices are responsible for financial returns that can exceed 200 percent for most organizations.

The new research, sponsored by the Computer Security Institute, The Institute of Internal Auditors, Protiviti, ISACA, IT Governance Institute, and Symantec Corp. (NASDAQ: SYMC), outlines a risk-based approach to budgeting for information security that rewards results; the practices responsible for managing business and financial risks from the use of IT; and the substantial reductions in spending on audit in IT.

“Like an insurance deductible, all organizations are willing to sustain some level of financial risk and loss from theft of customer data or some level of business downtime from IT disruptions,” said Jim Hurley, managing director of IT PCG and principal research manager at Symantec. “However, the research findings show that an organization’s loss-tolerance is exceedingly low, and the financial returns for small improvements are extraordinarily high.”

Top Business Risks

Firms ranked three business risks from IT well ahead of other possible risks: Confidentiality of sensitive information; Integrity of information, assets and controls in IT; and Availability of IT services. The IT PCG report leverages ongoing benchmarks to measure the performance of firms against these three risk areas. The results of the benchmark surveys can be broken up as follows:

  • Worst Outcomes: 19 percent of all firms are experiencing more than 15 losses or thefts of data each year, 80 or more hours of business downtime from IT failures, and more than 15 audit-failing deficiencies.
  • Normative Outcomes: 68 percent of all firms are operating at ‘normal’ levels, experiencing between 3 and 15 losses or thefts of data each year, between 7 and 79 hours of business downtime from IT failures, and between 3 and 15 audit-failing deficiencies.
  • Best Outcomes: 13 percent of all firms are achieving the best results, experiencing fewer than 3 losses or thefts of sensitive information each year, less than 7 hours of business downtime, and fewer than 3 audit-failing deficiencies. The financial returns among these organizations range from 22 percent to more than 3,000 percent annually.

Surprisingly, the difference in outcome between the worst performers and the best performers was not a result of the size of security budgets. In fact, the differences in size of security budgets were negligible. What mattered was how those budgets were used.

The new report details the following five practices being leveraged by those with the best outcomes and the least financial losses:

  • Leveraging a senior management team to manage risk
  • Prioritizing risks, improving controls, and automating procedures
  • Continuously assessing controls and risks
  • Leveraging technical controls, policies, and IT change management
  • Comprehensive reporting

Financial Implications

The financial ramifications of these risks were found to correspond almost entirely with the practices implemented by IT to manage the exposure to them. Not surprisingly, firms leveraging the best practices experience the least expensive and most infrequent financial losses. Firms operating at the worst levels paid the price, literally, with data loss and theft equaling 9.6 percent of annual revenue and business downtime costs equaling nearly 3 percent of annual revenue.

Among organizations with $5 billion in revenue, the combined costs from data loss or theft and business downtime ranged from $329 million for firms with the worst practices to $2.25 million for firms that had implemented the best practices – 149 times less.

“Firms can either wait until an emergency pushes them to reprioritize, or they can decide that it is in their best interests to institute these industry proven practices,” said Hurley.

The research found that firms with the best outcomes were actually spending between 35 and 52 percent less on audit fees and expenses. For these firms, adjusting the amount of money spent on practices that reduce risk, loss and audit spending can produce financial returns ranging from 1,000 to 500,000 percent more than the loss which the organizations are willing to sustain.

Quotes from ITPCG Member Organizations

“This report is a clear demonstration of the benefits that organizations can achieve from effective management of security, availability and other IT-related business risks,” said Brian Barnier, member of the IT Governance Institute’s Risk IT Task Force. “Good practices such as the freely downloadable COBIT framework can help organizations take specific actions to mitigate risk and maximize value.”

“As the IT Policy Compliance Group’s research demonstrates, companies that make improvements in managing their IT security risk will realize numerous benefits, including lower financial exposure and losses as well as savings on regulatory audit fees and expenses,” said Rocco Grillo, a managing director in Protiviti’s Information Security & Data Privacy practice. “The group’s findings quantify what has been assumed to be a best practice: organizations with a top-down approach and a clear owner who has line of authority and visibility to the business lines maintain the most cost-effective and comprehensive information security programs.”

About the Research

Topics researched by the IT Policy Compliance Group benchmarks are part of an ongoing research calendar established by input from supporting members, advisory members, and findings compiled from recent research. The most recent benchmarks included in this report were conducted between September and December 2008 with 734 separate, qualifying organizations. All of the 734 participating organizations in the most recent benchmarks are from North America, with a majority of these (95 percent) from the United States. A majority of the 2,600+ participating organizations (90 percent) are from the United States. The other 10 percent come from countries in Europe, Latin America, the Middle East, Asia and the Pacific Rim.

About IT Policy Compliance Group

The IT Policy Compliance Group is dedicated to promoting the development of research and information that will help organizations to meet their policy and regulatory compliance goals. The IT Policy Compliance Group focuses on assisting member organizations to improve business, governance, risk management and compliance results based on fact-based benchmarks. It is supported by several leading organizations including: the Computer Security Institute, The Institute of Internal Auditors, Protiviti, ISACA, IT Governance Institute, and Symantec Corporation (NASDAQ: SYMC). More information is available at www.ITPolicyCompliance.com.

Beware of Valentine’s Day Waledac Trojan-Laced Emails
http://itmanagersinbox.com/1030/beware-of-valentines-day-waledac-trojan-laced-emails/
Sun, 08 Feb 2009 16:17:00 +0000

This Valentine’s Day you could be left with wonderful memories and a hard-to-remove Trojan on your computer. Many anti-virus vendors are issuing warnings about a new malware distribution scheme that targets those celebrating Valentine’s Day.

It is the Win32/Waledac worm in a new form, distributed via spammed links to web pages that prompt users to select a cute Valentine’s heart. In doing so they download the infectious worm.

Many claim that Win32/Waledac is the latest creation of the group that created the Blackberry Storm attack. The group picks holidays and popular events as a method of tricking unsuspecting victims into downloading the Trojan package.

It may come in the form of an email link to what appears to be a legitimate Valentine’s Day e-card. Users are enticed to click on the link, which then takes them to a web page. The web page displays several heart-shaped icons with a message such as “Guess which one is for you” to entice the user to click one of the icons. If they do, it downloads an executable file which contains the Trojan. The file size is almost always around 390 KB.

CA has issued a warning on their web site about the possible Trojan attack.

Once a computer is infected with the Trojan, it can use the machine as a spam bot while gathering information about the host system and sending the data to accomplice Web servers. Currently Waledac-related Web sites distribute trojan executables with filenames such as love.exe; onlyyou.exe; you.exe; youandme.exe; and meandyou.exe, but there could be new filenames that surface at any time.

“This threat is to be expected with any card-sending type of holiday, but there often is a new twist each year on delivery,” said Brian Grayek, vice president of product management for CA’s Internet Security Business Unit. “With a combination of awareness and ensuring your security software is current, individuals can be safe. Knowing about the threat early—before you find the email in your inbox or get the alert from your IT department—helps ensure individuals don’t open the email and click on links that launch the malware.”

CA’s web site reveals that the e-card scam web sites already affiliated with the Win32/Waledac Trojan have updated their content with a Valentine theme.

[Image: waledacg_code]

Web sites are distributing the Trojan executables with the following filenames:

[Image: waledacg_icons]

To stay safe online, CA researchers urge users to make sure they:

  • Exercise caution when downloading and running unknown executable files, and if in doubt, don’t.
  • Update their anti-virus software to the latest signatures.
  • Update their Internet browser to the most current version.
  • Schedule automatic Microsoft Windows updates if using the Windows operating system.

Please visit the CA Security Advisor blog for CA’s Waledac Valentine’s Day post and updates on this threat and others that are discovered.

ISACA Releases the Risk IT Framework Draft
http://itmanagersinbox.com/1007/isaca-releases-the-risk-it-framework-draft/
Mon, 02 Feb 2009 05:07:00 +0000

ISACA, the Information Systems Audit and Control Association, has just released an exposure draft of its initiative “Enterprise Risk: Identify, Govern and Manage IT Risk, The Risk IT Framework”.

Covering 94 pages, the document frames IT risk as a business risk and goes into extensive detail on a framework for dealing with it. It is packed full of charts, tables and control frameworks. Though not a final document, it offers a great deal of insight into what the final document will look like.

The intended audience for the Risk IT Framework is vast: boards and executive management, corporate risk managers, operational risk managers, IT management, IT service managers, business continuity managers, IT security managers, chief financial officers, enterprise governance officers, business managers, IT auditors, regulators, external auditors, insurers and rating agencies.

ISACA categorizes IT risk in three ways:

  • IT Service Delivery Risk – associated with the performance and availability of IT services, and which can bring destruction or reduction of value to the enterprise.
  • IT Solution Delivery/Benefit Realization Risk – associated with the contributions of IT to new or improved business solutions, usually in the form of projects and programs.
  • IT Benefit Realization Risk – associated with (missed) opportunities to use technology to improve the efficiency or effectiveness of business processes, or to use technology as an enabler for new business initiatives.

The document goes into great detail explaining what risk is, how to raise awareness and open communications, and how to manage risk and the impact it can have on the business. Most of the document outlines the Risk IT Framework itself.

This IT enterprise risk management framework was designed to allow business managers to identify and assess IT-related business risks and manage them effectively. It provides the missing link between enterprise risk management (ERM) and IT risk management and control, fitting into the overall IT governance framework of ITGI and building upon all existing risk-related components within the current frameworks, i.e., COBIT and Val IT.

To download “Enterprise Risk: Identify, Govern and Manage IT Risk, The Risk IT Framework” in PDF format, visit the download section of the ISACA web site, where more material is also available for download. Some material requires membership to access.

About ISACA

ISACA has over 86,000 members worldwide, drawn from information governance, control, security and audit professionals, and is affiliated with the IT Governance Institute.

It offers three certifications:

  • The Certified Information Systems Auditor (CISA) is ISACA’s cornerstone certification. The CISA certification has been earned by more than 60,000 professionals since inception and is for the IS audit, control, assurance and/or security professionals who wish to set themselves apart from their peers. Since 1978, the CISA certification has been renowned as the globally recognized achievement for those who control, monitor and assess an organization’s information technology and business systems.
  • The Certified Information Security Manager (CISM) certification is a unique management focused certification that has been earned by over 10,000 professionals since its introduction in 2003. Unlike other security certifications, CISM is for the individual who manages, designs, oversees and assesses an enterprise’s information security program. CISM defines the core competencies and international performance standards that those who have information security management responsibilities must master.
  • The IT Governance certification (CGEIT) is intended to recognize a wide range of professionals for their knowledge and application of IT governance principles and practices. Many CGEIT certificates have been awarded. It is designed for professionals who have management, advisory, or assurance responsibilities as defined by a “job practice” consisting of IT governance related tasks and knowledge. Earning this designation will enable professionals to respond to the growing business demand for a comprehensive IT governance program that defines responsibility and accountability across the entire enterprise.

For more information visit the ISACA web site.
