September 15, 2015 By Fran Howarth

With the current threat landscape so complex, sophisticated and pervasive, all organizations need to pay strict attention to information protection to ensure that sensitive data is safeguarded, assets are protected and personal privacy is ensured. For many, that requires rethinking how security practices should be adapted.

Outdated Information Protection

Many enterprises have traditionally taken a fortress-like approach to security, looking to defend their perimeters and bolt down the hatches when an incident occurs. Typically, they have spent more on network security than on protecting the endpoints that connect to and interact with those networks. They are also known for being tight-lipped, keeping information regarding security incidents and approaches for defending against them to themselves, possibly in the belief that they will do a better job if other organizations don’t know what’s going on.

The perimeter approach is no longer sufficient. As the Jericho Forum, whose work has now morphed into The Open Group, has long espoused, networks have become deperimeterized. The group introduced the concept of the porous firewall, caused by more and more devices punching holes through seemingly sufficient controls. Endpoints are the new perimeter.

A recent Security Intelligence article looked at university security from a university CISO’s point of view. David Sherry, CISO at Brown University, raised a number of interesting points regarding information protection in the higher-education sector. He pointed to the decentralized nature of universities, the fact that bring-your-own-device (BYOD) has long been a factor to consider and the culture of information sharing among universities. Could enterprises learn from these bastions of academia to make themselves more secure?

The Extended Enterprise

Universities are highly decentralized. According to Neal Tilley, an IT education specialist with Alcatel-Lucent Enterprise, universities are characterized by “a complex mix of users, private and public areas, secure and open networks, and … a vast amount of personal and intellectual property information bouncing around them.” Sherry likened university security to protecting a small city, with vast numbers of disparate users and a variety of ancillary services offered, all of which require information protection.

Enterprises have recently seen their empires expand, as well. As PwC noted, today’s service economy is increasing the extent to which businesses rely on each other, including the use of specialized service providers for non-core competencies, such as data hosting and business process services, and the increased use of cloud services.

The PwC report showed that the business process outsourcing market in the U.S. alone will be 23.3 percent larger in 2017 than it was in 2012. This increases the number of third parties with access to corporate information. Businesses are also routinely extending access to corporate resources to suppliers, business partners and even customers. The economic downturn has played its part, as well, because organizations look to do more with fewer in-house resources to cut costs.

All of these factors expand both the amount and the reach of information that needs to be protected from unauthorized access. Yet data from Trustwave referenced during a presentation at RSA 2014 shows that 76 percent of breaches resulted from third parties. Enterprises should consider the stance taken by universities, ensuring that network traffic and information zones are effectively segmented.

Sherry noted that Brown University is effectively taking on the role of an Internet service provider (ISP) for some of the services that it offers, such as providing Web access in its residential accommodations and requiring the use of virtual private networks (VPNs), strong authentication and entitlements to gain access to secure areas of the network. Many enterprises focus primarily on ensuring secure access for employees, whereas many of the dangers they face originate from their extended enterprise.

Embrace Change

The consumerization of IT appears to be an unstoppable force, bringing with it the challenges of BYOD, unsupported applications and data filtering. While BYOD programs are on the rise, many businesses have been reluctant to fully embrace the opportunities enabled by the consumerization of IT. Universities, however, are ahead of the curve and have been dealing with these emerging technology trends for some time.

Sherry stated that it is not unusual for a student to own 10 or even 15 devices — computers, tablets, phones and wearables such as fitness trackers are common. Students are also keen proponents of file sharing. By catering to these trends, universities have found that modern technology is invaluable as a teaching aid in helping students and teachers succeed. It also makes for happier individuals because students can use the devices that they are familiar with and most comfortable using.

Enterprises must embrace technological change and take advantage of the benefits that it offers. The consumerization of IT offers opportunities for users to be more productive and more satisfied with their work environment, contributing to the success of the organization. At universities, increasing user awareness and enforcing acceptable use policies will do much for information protection in the new technology age, along with implementing strict access controls to ensure that all information is adequately protected.

Whether organizations know it or not, their employees will access file sharing sites, raising the potential for sensitive data to be leaked out of the organization. Data loss protection and data exfiltration controls are a must, but organizations should also consider providing their employees with a centralized, enterprise-grade service that is an acceptable alternative. For controlling who is on the network, what devices they are using and what applications are employed, network access controls and enterprise mobility management technologies have a key part to play.

Share Information for Better Security

Few industries have a culture of information sharing, even though sharing information with peers regarding security incidents or threats can provide critical, actionable information about the nature of the threat and the tactics of adversaries. Security information shared within a particular industry can be particularly useful since similar organizations often face similar threats.

Higher education is one sector in which information sharing is particularly prized. According to EDUCAUSE, this collaboration helps reduce the number of breaches, leading to fewer records being stolen and less money spent on costly remediating operations. By sharing information, universities are able to determine the best practices for defeating attacks and improving their overall security posture.

Universities are prized as places to learn. In terms of security and information protection, there are many lessons that they can teach enterprises. Organizations should look to the best practices that academia provides in order to better take advantage of the opportunities that innovative new technologies provide in a safe and secure manner.
