Flood of New Applications Exposes Leaky Data Defenses
Information security budget cutbacks during the recession may make it harder for organizations to mitigate the risks from mobile, cloud computing, and social networking applications.
In these more-with-less days, organizations worldwide face competing realities when it comes to information security. Employees, contractors, and suppliers are plugging into corporate information systems through an array of ever-changing devices and applications that make the old client-server model seem antiquated. For the most part, these technologies have greatly boosted productivity in a time of staff and resource cutbacks, but they have changed the number and nature of security risks — some radically. And although corporate boards of directors and top executives now realize the tangible threats these risks pose, many still cut security budgets during the recession.
The common denominator is that an organization’s IT security risks extend beyond its “traditional borders,” says Bernie Wedge, Americas Information Technology Risk and Assurance practice leader for Ernst & Young (E&Y) LLP. “The trend toward anywhere, anytime access to information has significantly changed today’s business environment,” Wedge explains. “Companies must think about security beyond their employees, data centers, and firewalls.”
Increasingly, most organizations recognize that data loss has become a serious threat, according to E&Y’s 2010 Global Information Security Survey (PDF). In a survey of 1,600 senior executives from 56 countries, 64 percent of respondents cite data protection as one of the top IT risks in the current environment. In the past 12 months alone, 60 percent of respondents say risks related to employee use of mobile devices, cloud computing, and social networks have risen. Mobile workers are a particular concern: 52 percent of respondents say personal devices are the main cause of data leakage.
A mobile workforce changes how organizations protect information. The upside is many organizations are working to secure their data through policies, training, technology controls, and IT auditing, the E&Y report notes. But this effort costs money.
Globally, many organizations acknowledge that security spending has declined during the recession. According to the 2011 Global State of Information Security Survey (report and presentation (PDF)) by PricewaterhouseCoopers (PwC) and CIO and CSO magazines, 47 percent of respondents’ organizations reduced capital expenditures on information security and 46 percent decreased operating expenditures in 2009 and 2010. More than 12,800 CEOs, chief financial officers, chief information officers, and chief security officers from 135 countries participated in the survey.
A more detailed look at the numbers suggests that these organizations may be deferring security investments until a later date. For example, 27 percent say their organization is deferring capital expenditures for IT security for six months or less versus 19 percent who are holding off for more than six months. Twenty-six percent are deferring operating expenditures for security for six months or less compared with 16 percent who are delaying them by more than six months. Fifty-two percent expect spending to increase next year.
Those organizations that are increasing IT security spending are driven by several factors: economic conditions, business continuity, reputational risk, internal policy compliance, and regulations. Aside from economic conditions, though, the percentage of respondents who cited these factors has trended downward in the past three years. For example, 68 percent of respondents to PwC’s 2007 survey cited business continuity as a driver of security spending; this year only 40 percent noted it — a 41 percent decline over three years. Regulatory compliance decreased by 39 percent.
THREATS AND RESPONSES
In the current economic downturn, new security risks have arisen. The fastest growing risk, PwC suggests, may be social networking, which raises multiple threats: data leakage, reputational risk, piracy, and identity theft and social engineering that compromises information systems. Most respondents to the PwC survey haven’t implemented technologies (60 percent) or policies (77 percent) to address social networks, blogs, and wikis.
But some new threats are rooted in the strategies organizations have adopted to cost-effectively secure their systems, such as using managed security services, reducing the number of security specialists, and shifting security responsibilities to nonsecurity personnel. The PwC report cites the example of a company that relies on a managed service provider and questions whether it also:
Another concern PwC raises is whether the security capabilities and processes of organizations are degrading after two years of resource cuts. Fewer organizations in this year’s survey perform personnel background checks, monitor employee use of the Internet and information assets, have a centralized security information management process, and actively analyze information security intelligence. Moreover, only 58 percent of respondents have a contingency plan to address security incidents, and just 63 percent of those organizations say that plan is effective.
Boosting these capabilities to respond to mobile, cloud, social networking, and future risks will require a combination of technology and nontechnology tactics. Regardless of the downturn, even newer technologies continue to flood the workplace, creating potential opportunities and risks alike.
To comment on this article, e-mail the author at firstname.lastname@example.org.