Impressing the boss can put data at risk

Justin Doo, the security practice director for emerging markets at Symantec, discusses viruses, phishing and why hackers are now targeting your phone more than your computer.



How is this region different regarding breaches of business data?

In more mature economies data protection acts have been enforced and organisations are duty bound to make an announcement to regulatory authorities and their customers. Then we look at local regions, where there's no data protection enforcement in place and no disclosure. We've got to assume those breaches are still taking place.

How are employees a top security threat to businesses?

Essentially through ignorance, or lack of awareness. An example would be somebody who sends an Excel sheet to their private e-mail account because they want to work on that data over the weekend to impress their boss. The data is almost certainly sent unencrypted. It can now be exposed. Probably the biggest threat, which goes from C-level executives right to the junior guys, is laptops being left in airports and taxis.

And the next big threat?

Smartphones. Organisations were spending more on laptops than fixed PCs; now more smartphones are selling than laptops. The data held on these could be considered mission critical: e-mail, spreadsheets and so on. The danger with these is not around virus threats but having unencrypted data. So you have a challenge where an increasingly mobile workforce is working outside networks we've spent a lot of time investing in.

Is "phishing," where the bad guys steal customer data through subterfuge, still a problem?

Originally, it was a big threat to global players. In certain areas of the internet, you can buy attack kits for US$400 (Dh1,470) or $500 to use against specific organisations or industries. The cost base now makes it far more attractive to target geographically. And we live in areas with pockets of high net-worth individuals. That does mean those organisations will, by default, come under attack.

It seems like a cat-and-mouse chase, where the attackers always stay one step ahead.

As we increase our detection, they will step up their attacks because the financial reward is there. We've seen criminal organisations that resemble normal companies. They have [human resources], logos, front desks, family fun days. One even had a call centre making sure people were downloading applications.

How do businesses protect themselves?

Organisations now have to start looking at how they create integrity around data: who's using it, accessing it, where it's going. Businesses have to carry out a risk analysis on their own infrastructure. They need to have strong IT security in place that can be monitored and audited.

But isn't it true that the industry's claims about security attacks often turn out to be overblown?

I'll be honest, I think some organisations do overhype. In terms of scare messages, I think you'll find that compared with a number of other organisations we are almost too conservative.

* Neil Parmar