The biggest security worry for any organisation is the people element, according to Eugene Kaspersky, CEO of malware protection specialist Kaspersky Lab. Speaking with CIO at the Infosec exhibition in London this week, he recounted many instances where the technology and processes set up to protect organisations from malicious attacks were side-stepped by employees not aware of potential vulnerabilities, or working around the security checks for their own convenience.
Even at one of the security expert's own events, the hotel hosting it had suffered an infection in the landing page of its guest internet service.
Kaspersky says: "The staff were protected by our products when they use the internet, so they guarantee the security of the internet on this level but not into the cloud. The employees didn't realise that the homepage was infected, because they don't need to pay for the internet at the hotel. They never see this page."
The story also illustrates Kaspersky's conclusions on the security of cloud services. The biggest issue is responsibility for the security of the data. For many big organisations, business-critical data won't reside anywhere other than on premises, he thinks, because the risk is too great.
This risk assessment about the security of data is ultimately the decision of the CIO, who will have to balance the cost of protecting the data against the damage the organisation suffers if that data is lost or stolen.
Kaspersky believes that the number of enterprise businesses that employ their own malware protection teams will continue to grow, so that the investment in these teams could run up to 2 per cent of total operational expenditure.
However, he admits that no security strategy is fool-proof, especially as cybercriminals are increasingly organised. He's also concerned that state security services now have highly developed cyberwarfare capabilities. He recounted a number of instances over the last few years where technology failures in transport and power networks in Europe and North America have resulted in massive disruptions in these countries' infrastructures.
He says: "I'm in security, so naturally, I'm paranoid."
Kaspersky feels the next hot area where security will be a factor is the growth of mobile computing. Smartphones will be the next battlegrounds.
While saying this, he waved his own handset – a relatively elderly Sony Ericsson mobile. He also uses a Siemens S4 phone which is around 14 years old, but this may say more about his attitude to tried and tested, reliable technology than an unwillingness to expose himself to cyber-attack over a smartphone.
Kaspersky predicts Android phones will be more vulnerable to malware attacks, not necessarily because they are less secure than iPhones, but because it's likely that there will be more of them in use.
These aren't the only mobile devices that concern him. He's seen a number of instances where USB memory sticks are left in strategic spots, such as office car parks or lifts, for people to find. Finders assume someone in the office has dropped the stick and are inclined to look at what it carries. This is an easy way of introducing undetectable malware into a system because it plays on people's curiosity.
Kaspersky recounted one instance of a global bank suffering an attack when an employee acquired a memory stick they thought contained a screensaver. They actively bypassed security, moving from protected front-end systems, where the data was blocked, to back-end systems that are not connected to the outside world. The memory stick contained malware, which was introduced into critical systems that had purposely been segregated into a clean environment to protect them.
Kaspersky believes that criminals are out there trying to pick up any seemingly innocuous information they can get from employees to use against them. Clearly education is the key, and Kaspersky himself has been directly involved in this area within his own company. On noticing around a dozen employees having an email conversation with the rest of the company on the mailing list, he sent them all on a basic security awareness training day.
He says: "I personally signed their certificates and some of them put them up on the wall. It's my way. If you have to put a penalty on someone's behaviour, do it in a way where they walk away happy."