This is the shocking result of an analysis by Check Point of 888 public and private organizations worldwide, drawing information from its Check Point ThreatCloud, its global network of threat sensors, and 3D Security Reports conducted at those organizations during 2012.
Equally shocking, however, is that many companies either have poor security policies or have policies that are poorly enforced and widely ignored by staff. Two examples quoted by Check Point are the use of P2P file-sharing and of anonymizer services such as TOR and Ultrasurf from inside the corporate network. Both technologies have legitimate uses, but run from within an organization they can undermine the controls the organization relies on.
“P2P applications essentially open a backdoor to networks,” explains the report. “They allow users to share folders that could leak sensitive data; they also could make organizations liable for users acquiring media illegally through P2P networks.” Anonymizer services, it warns, “can be used to bypass security policies which are essentially built around users’ identities and destination URLs/sites.”
It’s not as if the organizations are unaware. “86% of the organizations where Anonymizer usage was found,” says Check Point, “claimed that it was in a non-legitimate use conflicting with guidelines and security policy.” Nevertheless, a P2P file-sharing application was in use in 61% of the organizations analyzed, and anonymizers in 43%.
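The report’s point about anonymizers is that a policy keyed on user identity and destination URL has nothing to match once the client tunnels its traffic to a relay it reaches by bare IP address. The following is an added illustration, not code or data from the Check Point report: a small detector run over a constructed firewall/proxy export (hypothetical six-field format: timestamp, user, source IP, destination IP, destination port, observed hostname or “-” when none was seen). It flags two behaviours that URL filtering cannot classify: users making repeated TLS connections to public addresses with no hostname at all (the shape anonymizer clients tend to leave), and source hosts fanning out to many distinct external peers on high ports (the shape of a P2P swarm). The thresholds and the assumption that internal space is RFC 1918 are tuning choices for the example, not values from the report.

```python
"""Flag traffic that identity- and URL-based policy cannot classify.

Added example, not from the Check Point report. The log format below is a
constructed, simplified firewall/proxy export; thresholds are hypothetical.
"""
from collections import defaultdict
import ipaddress

# Constructed sample: alice browses normally, bob's client speaks TLS to bare
# public IPs with no hostname (anonymizer-like), carol's host fans out to many
# distinct peers on high ports (P2P-like). TEST-NET ranges stand in for the
# public internet.
SAMPLE_LOG = """\
2012-11-05T09:00:01 alice 10.1.1.20 93.184.216.34 443 www.example.com
2012-11-05T09:00:02 alice 10.1.1.20 93.184.216.34 443 www.example.com
2012-11-05T09:00:03 alice 10.1.1.20 10.1.1.5 445 -
2012-11-05T09:00:05 bob 10.1.1.21 203.0.113.10 443 -
2012-11-05T09:00:06 bob 10.1.1.21 203.0.113.11 9001 -
2012-11-05T09:00:07 bob 10.1.1.21 198.51.100.7 443 -
2012-11-05T09:00:09 bob 10.1.1.21 203.0.113.12 443 -
2012-11-05T09:01:00 carol 10.1.1.22 198.51.100.20 51413 -
2012-11-05T09:01:01 carol 10.1.1.22 198.51.100.21 6881 -
2012-11-05T09:01:02 carol 10.1.1.22 198.51.100.22 6889 -
2012-11-05T09:01:03 carol 10.1.1.22 203.0.113.40 34567 -
2012-11-05T09:01:04 carol 10.1.1.22 203.0.113.41 51413 -
2012-11-05T09:01:05 carol 10.1.1.22 203.0.113.42 28800 -
"""

FIELDS = ("ts", "user", "src_ip", "dst_ip", "dst_port", "host")

# Assumption for this example: the organization's internal space is RFC 1918.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_log(text):
    """Parse the constructed export into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["dst_port"] = int(rec["dst_port"])
        rec["host"] = None if rec["host"] == "-" else rec["host"]
        records.append(rec)
    return records


def is_external(ip):
    """True when the destination is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_hostless_tls(records, min_count=3):
    """Users with >= min_count TLS connections to external bare IPs that carried
    no hostname. A URL/category filter has nothing to evaluate for these, which
    is exactly how an anonymizer slips past a destination-based policy."""
    counts = defaultdict(int)
    for r in records:
        if r["dst_port"] == 443 and r["host"] is None and is_external(r["dst_ip"]):
            counts[r["user"]] += 1
    return sorted(u for u, n in counts.items() if n >= min_count)


def find_peer_fanout(records, min_peers=5):
    """Source hosts contacting >= min_peers distinct external IPs on high ports,
    the many-peers pattern of a P2P client rather than of web browsing."""
    peers = defaultdict(set)
    for r in records:
        if r["dst_port"] >= 1024 and is_external(r["dst_ip"]):
            peers[r["src_ip"]].add(r["dst_ip"])
    return sorted(s for s, p in peers.items() if len(p) >= min_peers)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("hostless TLS users:", find_hostless_tls(recs))
    print("peer fan-out hosts:", find_peer_fanout(recs))
```

On this sample the first check flags only bob and the second only carol’s host; alice’s traffic carries a hostname and her one hostless connection is internal, so neither heuristic touches it. In production both thresholds need tuning against a baseline, and a hostless TLS hit is a lead to investigate (CDN fetches by IP and some update clients produce the same shape), not proof of anonymizer use.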
A third concern is the growing use of third-party cloud-based file storage, sharing and synchronization services – such as Dropbox, PutLocker, the new Mega, Drive and SkyDrive. These are sometimes tolerated by security policies, but they are always a potential exfiltration channel, letting staff move files out of the protected corporate network onto personal devices that may have no protection at all. Check Point found that 80% of organizations have some usage. By far the most popular is Dropbox at 69%, with Windows Live Office second at 51%.
Equally surprising, however, is that Check Point found the heaviest user of these services to be government – disturbing given that in the UK, by far the greatest number of fines levied by the data protection regulator concern the loss of personal data by the public sector. This whole report should be read in conjunction with a separate report by Trend Micro on targeted attacks. It too concluded, “Public sector respondents were guilty of a worrying level of complacency, with over a third claiming targeted attacks are not a concern, despite 74 per cent of such organizations having been a victim of these attacks in the past.”