Websense Execs Say Web 2.0 Creates New Security Challenges
Echoing the same few themes on data security reiterated throughout the RSA Conference, Websense CEO Gene Hodges and Websense Chief Technology Officer John McCormack both stressed that businesses need to prepare for data leakage via Web-based attacks during Thursday's keynote, held at San Francisco's Moscone Center.
"It's about the data, stupid," said Hodges, during a presentation to and audience of several thousand security professionals. "They all come back to attacks or use or abuse of data."
During his part of the speech, Hodges emphasized that part of the reason for the shift to data-centric security is the result of the changing sociological paradigm. The rapid evolution of Web 2.0 has caught many businesses off guard, he said, and unlike years past, legitimate Web sites can now be compromised.
"The content changed but it didn't change at warp speed," he said. "If you went to a popular site, you'd be fairly safe."
In addition, the workforce has changed. In what he termed as Employee 2.0, Hodges said that the work environment has become more flexible and more mobile while the perimeter has collapsed and access points to data and information have become increasingly unsecure.
"Work isn't a time and space and physical device anymore. It's whenever it catches you," said Hodges.
Couple a changing work environment with emerging Web threats and it's a logical progression that data is the target of choice for cyber criminals, Websense execs said. During the shared keynote, McCormack highlighted that of the top 100 Web sites, 45 percent rely on user content, and 60 percent of those sites have hosted malicious code in the last 90 days. Plus, more Web sites contain user generated content than ever before, further increasing risk of user infection.
"This is the kind of exposure that our customers will experience," said McCormack.
Consequently, Hodges said that businesses will need to ensure that they have well-established requirements for data security in an evolving Web environment. For one, businesses will need to invest in identity access management, which includes encryption of all sensitive information. They will also need to invest in comprehensive archiving and information assurance capabilities, to prove regulatory compliance.
But more than that, preventing data leakage will require businesses to take the initiative in what Hodges termed as "proactive discovery."
"Finding out that you leaked some data in the papers is just no way of discovering that you have valuable data inside your organization," said Hodge. "Proactive discovery seems to make sense. It's not easy, but it's what's required."