Most information technology managers have already devoted long hours to shoring up their companies' security -- and they can expect more of the same in 2006. Attacks will likely come faster and with less warning, and experts predict that there will be attempts against a new range of applications and devices.
"You've got to be prepared for attacks coming from any direction," particularly because of the emergence of spyware, says Patrick Spampinato, IT director at a manufacturer of medical equipment in North Carolina that he asked not be named. "I think there are so many more ways that [intrusions] can affect you."
Bolstering security will clearly be a top job for CIOs and business executives. In fact, in an exclusive Computerworld survey of more than 300 IT executives, security initiatives ranked above all other project priorities for 2006.
Some experts predict that security threats will multiply in the coming year, as more hackers become proficient at breaking into systems and networks, and as viruses and worms spread more rapidly over the Internet.
In the past, security managers had three or four weeks from the time a vulnerability was first discovered until the first attacks exploiting that vulnerability would occur. But with more sophisticated hacking and virus writing, the time has shrunk to less than a week, Spampinato says.
The increasing threat isn't going unnoticed. A survey of 133 North American organizations conducted in 2005 by research firm Gartner Inc. showed that organizations are more concerned about viruses and worms than they are about any other security threat.
Next on the list of concerns was outside hacking or cracking, followed by identity theft and phishing. Half of the survey participants said they increased IT security spending for 2005 and expected to do so again in 2006.
The New Breed
Paul Stamp, an analyst at Forrester Research Inc. in Cambridge, Mass., says he expects to see the emergence of viruses aimed at instant messaging applications and mobile devices, as well as "cross-platform" viruses that can affect a wide range of systems. He also predicts that there will be more attacks aimed at service-oriented architectures as they become more commonplace.
Some attacks will involve a complex combination of social engineering, a breakdown in processes, technical vulnerabilities and insider abuse, Stamp says. The best bets for thwarting those attacks include efforts to better monitor employees' activity and enforce security policies more stringently.
"Users aren't always aware of the threats they are subject to," Stamp says, so education will still be the most effective defense. Spampinato agrees, noting that education at the user level is a huge deterrent to security breaches.
From a technology standpoint, Stamp says many organizations will begin focusing more on secure designs -- making sure their infrastructures are secure from the ground up through stronger authentication, encryption and other technologies. To date, many companies have emphasized threat-protection technologies rather than secure design, Stamp says.
Spampinato says his company will work to complement its perimeter defenses -- such as network firewalls -- by strengthening desktop security. To that end, the company will look into deploying products such as desktop firewalls and zone alarms and beefing up its desktop monitoring tools, he says.
As organizations allow more remote workers and outside users such as business partners and consultants to access corporate networks via laptops and other portable devices, monitoring systems within the corporate firewall will become even more important.
There will be a greater need for products that scan devices and help inhibit the spread of viruses and other malicious content when devices are plugged into enterprise networks, says Roberto Cavalcanti, senior vice president and CIO at Conservation International, a nonprofit environmental group in Washington.
Conservation International has offices, employees and partners around the world, and it faces a challenge that will be common to many organizations in 2006 and beyond: striking a balance between the need to keep networks and systems secure and the desire to deliver information and applications to people who need those resources.
"Every big institution has more and more need to open its data resources to partners," Cavalcanti says. "We need to rethink the way we deal with security" in order to protect against information getting into the wrong hands.
Among the technologies that Conservation International is exploring or using are automated patch management systems that scan devices on enterprise networks to look for places that need to be patched and deploy the necessary patches when they become available from software vendors.
Conservation International is investigating Cisco Systems Inc.'s Network Admission Control products to ensure that computers plugged into its network have the proper level of antivirus and security patches installed, says Brian Freed, enterprise network director. The organization is also looking at hardware products from Symantec Corp. that offer intrusion-detection, antivirus and spyware-detection and -prevention technologies, Freed says.
Conservation International is currently using the Microsoft Windows Server Update Services to help it keep computers up to date with Microsoft Corp. updates.
Compliance Challenges
While organizations will be exploring security technologies in the coming year, many will continue their efforts to comply with federal regulations such as the Health Insurance Portability and Accountability Act, which is designed to secure individuals' medical records, and the Sarbanes-Oxley Act, which is intended to protect investors by improving the reliability of financial disclosures.
Some managers expect regulatory burdens to increase as government officials weigh legislation on privacy and the confidentiality of personal data. Before 2006 draws to a close, there will likely be new state and federal laws regarding the protection of personal information, and organizations will have to figure out what they need to do to be compliant, says Phil Offield, information assurance officer at Liberty University in Lynchburg, Va.
Because some data-protection laws might leave room for interpretation, "I expect we'll go through a year or so of being confused on what we have to do to be compliant," Offield says.
Liberty University is developing a comprehensive information security framework that covers a broad number of IT processes and will include documentation of how processes are handled, and audits to ensure that people are complying with internal standards. Offield says the framework will help the university prepare for any future regulations on data confidentiality and other security-related issues.
Security and IT managers should prepare for what will surely be a hectic year of hardening their enterprise defenses. The stakes are high, and indications are that the challenges could be greater than they ever have been.
Violino is a freelance writer in Massapequa Park, N.Y. Contact him at bviolino@optonline.net.
See more security predictions for '06 in Jaikumar Vijayan's Reporter's Notebook.
What else is on tap this year in IT? See the complete Forecast 2006 special report.
Bold Predictions for 2006
Stories in this report:
- Bold Predictions for 2006
- Reporter's Notebook: Security
- Reporter's Notebook: Wireless
- Reporter's Notebook: Business Intelligence
- 10 Predictions for 2006
- Not Happenin'
- Sound-off On Thin Clients: Wave of the Future
- Sound-off On Thin Clients: Dead in the Water
- What to Do: 2006
- Shark Tank: Doing the Best They Can
- What's Next in 2006: Project Management
- Security: Fast and Furious
- Wireless: Evolution, Not Revolution
- Business Intelligence: Power to the Poeple
- Skills Scope
- Forecast 2006: RFID
- Forecast 2006: Wireless
- Forecast 2006: VoIP
- 2006 IT Agenda