In the rush to utilize new technologies and move into the increasingly borderless world of cloud computing, mobile devices and social media, a growing gap is developing between global organizations’ business needs and their ability to tackle new and complex security threats, according to Ernst & Young.
Although 72% of respondents see increasing levels of risk due to external threats, and more companies are likely to adopt mobile tablet usage, security implementation is still low. The survey also reports that only about a third of respondents have updated their information security strategies in the past 12 months.
“Information security is one of the most important issues companies face today, and strategies need to be refined to adjust to an ever-changing environment and resulting security risks,” said Bernie Wedge, Americas Information Technology Risk and Assurance leader at Ernst & Young LLP. “Mobility and networking are here to stay. The best-protected companies are those that are proactive, detecting and managing minor issues before they become major incidents, and for many companies, this means the current mind-set needs to change from a focus on short-term fixes to a holistic, strategic approach.”
In addition, the study found that while 80% of organizations currently are using or considering using mobile tablets and 61% are using or considering the use of cloud computing services within the next year, the threat of security breaches has become an afterthought as companies adapt to the rapidly changing landscape.
The survey of 1700 organizations around the world in more than 25 sectors also found that cloud computing is the top security funding priority for the next year.
It is encouraging that 59% of respondents plan on increasing their information security budgets in the coming 12 months. However, only 51% of respondents stated that they have a documented information security strategy.
Overall, for the second consecutive year, respondents have indicated that business continuity is their top funding priority.
“The advanced, persistent threat – or APT – is a game changer for companies, and as a result, cyber-security needs to be among an organization’s top three investments for 2012,” said Jose Granado, Ernst & Young LLP’s Americas Leader for Information Security Services. “In a mobile, borderless environment, the human is the new perimeter when it comes to protecting data. The approach to protecting the organization needs to combine people, processes and technology.”
Building trust in the cloud
Despite the compelling story for cloud adoption, many organizations are still unclear about the implications of the cloud and are increasing their efforts to better understand the impact and the risks. In 2011, 48% of respondents listed the implementation of cloud computing as a difficult or very difficult challenge, and more than half have not implemented any controls to mitigate the risks associated with cloud computing. The most frequently taken measure is stronger oversight of the contract management process with cloud providers, but only 20% of respondents even do this, indicating a high and possibly misguided level of trust.
In the absence of clear guidance, many organizations seem to be making ill-informed decisions, either moving to the cloud prematurely and without appropriately considering the associated risk, or avoiding it altogether.
Almost 90% of respondents are in favor of external certification, with nearly half (45%) saying this should be based only on an agreed-upon standard.
The adoption of tablets and smartphones ranked second-highest on the list of technology challenges perceived as most significant, with more than half of respondents listing it as a difficult or very difficult challenge. Policy adjustments and awareness programs are the top two measures used to address risks posed by this new mobile technology. The adoption of security techniques and software, however, is still low. For instance, encryption techniques are used by fewer than half (47%) of the organizations.
Most respondents (72%) claimed that external malicious attacks were their top risk. These attacks may be fuelled by information obtained through social media, which is then used to send targeted phishing messages to individuals.
To help address potential risks posed by social media, organizations seem to be adopting a hard-line response. More than half (53%) have responded by blocking access to sites rather than embracing the change and adopting enterprise-wide measures.
Top level priority
The survey shows that only 12% of respondents are presenting information security topics at each board meeting and less than half (49%) of survey respondents stated that their information security function is meeting the needs of the organization.
“Today, information security is a board-level priority, and the days of delegating cyber-security are over,” said Wedge. “The board is accountable for its information security strategy and must have confidence in what it entails and how it is executed.”