Managing information risk: HP security guru analyses new EIU report

Information is the pulse of the modern business and the core asset for decision makers in technology and beyond. Strategic choices, work processes, and daily tasks all hinge on timely, accurate, and complete information - whether you're an executive, employee, end user, or IT specialist. What happens if the quality of your information is undermined? Corrupt or compromised information can be deadly to the enterprise, so understanding information risk is crucial.

With this reality firmly in mind, we sat down with Andrzej Kawalec, CTO for enterprise security at HP, ahead of his forthcoming slot at the Economist Intelligence Unit information risk webinar. Kawalec heads up a global research and innovation team that focuses on cloud, consumerisation and cyber security, and has an intimate knowledge of both the macro and micro challenges facing organisations.

There are a whole host of threats and trends that are putting corporate information at risk, but what do you identify as the chief danger to enterprise data at present?

The chief danger to the enterprise is complacency. For enterprises, it is no longer a case of if they are breached, but when. How enterprises respond in the first minutes and hours following a major incident can be the difference between success and failure. In a recent survey conducted by The Economist Intelligence Unit, it was identified that 50 per cent of CEOs have not been trained in what to do in the event of a major data breach.

An inability to understand critical data assets and prioritise company protection sits at the heart of the cyber security conundrum. If businesses can't protect everything – where can they utilise scarce resources?

In the same survey, we saw that less than 50 per cent of enterprises have a single view of their information risk.

The sophisticated cyber-crime underworld is able to buy and sell information online, to share vulnerabilities and to hack into corporate networks at will. HP is working to disrupt the criminal marketplace at each stage of an attack, or kill chain. What's HP's strategy? Providing counter-intelligence to confuse social engineering, defending networks with next generation firewalls and detecting patterns of behaviour once the criminals are within the enterprise.

HP's secret weapon is actionable intelligence – advanced research and intelligence allows us to find and close vulnerabilities before they can be exploited. Actionable intelligence allows HP to trace attacks around the world and defend in real-time. HP's Threat Central service allows enterprises to safely share cyber information and learn from each other.

How has the growth of BYOD changed the risk management landscape?

Consumer adoption of technology has changed how businesses use data. CEOs identify technology failure as their highest rated risk. BYOD and mobile devices do have an inherently higher level of risk, due to their reduced security features, personal/professional ambiguity and increased loss/theft. BYOD used to stand for "bring your own danger", but now there are many ways to allow user and employee choice, managed in a safe and secure way. Security must both protect and enable the enterprise.

Is the trend of consumerisation ultimately at odds with secure device management in the workplace?

Managing the device is only the tip of the iceberg. How HP develops apps, deploys them onto different platforms and manages user privacy will be the largest challenges in the mobile space. More than 20 per cent of respondents to the survey highlight consumerisation and BYOD as the trends with the greatest impact on information risk.

With more and more organisations throwing data into the cloud, are we really in control of our sensitive records?

Enterprises must identify the appropriate governance procedures to assure that their information and that of their customers is given the appropriate protection. This increases the burden of care on the service provider. With the line between public, personal, sensitive and private data being blurred, the industry desperately needs a clear definition of what is public and what is private. Cloud is no different from outsourcing or shared services.

How should organisations go about prioritising the protection of certain data?

Enterprises can assign a monetary value to the information they hold; however, this only addresses part of the problem. Over 30 per cent of organisations have not attempted to value the information assets they hold. Critical data assets may be of strategic national importance, have massive corporate value or have huge significance to an employee or citizen – be it the secret recipe to Coke or the medical records of a patient. Legal and regulatory frameworks can help organisations understand their broad obligations, but enlightened boards and CEOs understand the personal value of not only corporate information – but also that of employee and consumer data.

Can the big data explosion actually aid an organisation's security policy?

From a cyber security perspective the challenge is not only to understand the macro trends, but to also find the needle in the haystack – the single potentially catastrophic event, in real-time. HP's security big data research can replicate the human ability to intelligently recognise and understand complex patterns in data automatically. Using HP Autonomy we can see not only the macro trends that are facing us in the huge volume of information that we capture – but we can test the validity of the information gathered. That requires a global, holistic view, and relies heavily on the depth of expertise at the company's disposal. We are fortunate to have some of the best and brightest at HP for this exact purpose.

At HP, our analysts go to work, using analytic software combined with their own intuition, experience and creative thinking to assess the real risks to the enterprise. That analysis is then provided to clients to help them interpret the risks in relation to their specific sets of circumstances.

Work lives and private lives are being played out online. People live, learn and play in a mobile world, one that is far from being the secure playground many expect it to be. Today's smartphones are the same as the desktop we used in 2000, but with better graphics, more memory and better connectivity. Security has become critical in both newsrooms and boardrooms.

So what can enterprises do to remain safe?

First – don't panic. Enterprises have been living with these vulnerabilities now for years. In many cases these vulnerabilities rely on a user action – clicking on a link or website – to unlock their potential. Always click carefully. Close applications when they aren't being used.

Cyber criminals and hackers will often use information gathered from a mobile device – contact/social media/location – to build up a profile of an individual and perform more targeted attacks aimed at the employer or corporate systems.

Second – update software, both the applications and the operating system on mobile devices. At HP we are constantly working with our partners to close security flaws in their mobile applications, which often prey on old versions of software.

Thirdly, if in any doubt, users should delay the actions they were going to take on their mobile devices and wait until they can perform them using a laptop or desktop. The same encryption standards applied across PCs are not yet being applied to mobile devices.

HP has been at the forefront of discovering new and zero-day vulnerabilities for years now. The Bounty program alone has over 2000 independent researchers and has paid out over $8 million.

Only last week at the Mobile Pwn2Own competition, HP was able to identify critical vulnerabilities and awarded over $300,000, looking at some of the fundamentals of the smartphone landscape – such as WiFi, Bluetooth, NFC, SMS and even mobile web browsers.

Developers are great at being creative and adding new functionality – amazing at connecting with consumers in different and innovative ways. What they are not experts at is building security into apps, keeping up with new releases of software and mobile platforms, and staying informed of new attacks and vulnerabilities.

Act now: Register today for the Economist Intelligence Unit information risk webinar.

All data derived from: "Information Risk in a Changing Technology Landscape," The Economist Intelligence Unit, November 2013