Just as threats to data security have evolved, so too must the responses to them, argues Mark Murtagh, technical director of web filtering and security firm WebSense.
Where it might once have been adequate to set up a firewall and keep anti-virus software up to date, cyber-crooks are now as fast – if not faster – than the security industry.
Part of this innovation is the ‘blended threat’, says Murtagh, marked by “the convergence of web and email, and the shift from email to web as an attack vector.”
In the previous two to five years, almost every piece of attack code was embedded or attached in email. Now those emails link to the web where [the malware author] runs a scanner to check out the system and exploit a vulnerability, or takes you somewhere else on the web,” he says.
The rise of Web 2.0 and the popularity of user-generated content has complicated the security requirements of organisations. “We were setting up perimeter defences, but now [organisations] need outbound content control,” he says.
Banning Web 2.0 sites in the workplace is a popular solution, but can open more holes than it closes, he says.
One response to blended threats is to stop protecting digital assets in isolation and examine your underlying security exposure, he argues.
“You can have all your systems in place and secured and all the knobs turned up to maximum, but if you don’t monitor your systems, conduct quality assessments and vulnerability reviews, train people and remind them how conduct themselves while managing data, you won’t be secure."