From the CAE Bulletin, Nov. 30, 2011
Adoption of New Technologies Outpacing Efforts to Control Resulting Security and Other Risks
About three-fourths of participants in a new global survey believe their organization’s IT risks increased during the past 12 months due to cloud computing and other technology initiatives, yet only one-fourth currently have an adequate documented information security strategy.
An analysis of the 14th annual Global Information Security Survey by the public accounting and business services firm Ernst & Young LLP concludes that a growing gap is developing between the technology business plans of global organizations and their ability to tackle new and complex information security risks. The report notes, for example, that although 80 percent of respondent organizations are using or considering using cutting-edge tablets, smartphones, and other mobile devices for business purposes, and 61 percent have or are considering cloud-computing service contracts, the threat of potential security breaches “has become an afterthought.” Ernst & Young surveyed 1,700 organizations in a variety of industries and in government from 52 countries.
Indeed, about three in four (72 percent) technology executives surveyed believe their organizations’ IT risks increased during the past 12 months from growing external threats, while almost half (46 percent) perceive that internal threats also increased their technology risks during the last year. Yet, the report reveals that only 52 percent of the respondent organizations have a documented information security strategy. Fewer than half (43 percent) of those with a strategy believe it adequately addresses their current technology-related risks; the shortfall is attributed principally to budget constraints (17 percent), lack of staff skills (13 percent), or lack of executive support (9 percent), according to the report. “Information security is one of the most important issues companies face today, and strategies need to be refined to adjust to an ever-changing environment and resulting security risks,” says Ernst & Young partner Bernie Wedge. “Mobility and networking are here to stay. The best-protected companies are those that are proactive, detecting and managing minor issues before they become major incidents, and for many companies, this means the current mind-set needs to change from a focus on short-term fixes to a holistic, strategic approach.”
More specifically, the report says the vast majority of respondent organizations are widely using (23 percent), planning to use (11 percent), or evaluating the use of (46 percent) tablets and smartphones — even though safe mobile computing ranks second-highest on respondents’ list of perceived technology challenges. The controls respondent organizations are instituting to mitigate this risk include adopting or modifying acceptable use policies (57 percent), increasing security awareness activities (52 percent), and instituting data encryption (47 percent).

More than one-third of respondent organizations (36 percent) currently are using at least some cloud computing-based services — up from 23 percent a year ago. An additional 9 percent presently are evaluating cloud services, and 16 percent plan to do so in 2012. However, most respondent organizations (52 percent) have not instituted any new controls to mitigate new or increased risks associated with cloud computing. Among those that have, the leading control activities are stronger oversight of the contract-management process (22 percent), increased due diligence of service providers (21 percent), stronger identity and access management controls (19 percent), and encryption (18 percent).
“Emerging social media risks include the introduction of malicious software lurking within social networks, hacked accounts that are used to solicit information, and the release of confidential or negative company information or personal data,” the report states. Related survey results suggest that a significant portion of respondents recognize those risks — nearly 40 percent rate social media-related risk issues as either challenging or significantly challenging. About three-fourths (72 percent) of respondent organizations believe external malicious attacks are their top social media risk. Controls in place at respondent organizations to mitigate this and other social media challenges include limiting or prohibiting workplace use of social media (53 percent), new or enhanced acceptable use policies (46 percent), new or enhanced user awareness programs (39 percent), and more pervasive usage monitoring by the IT staff (38 percent).
Survey respondents also identified theft or loss of sensitive data as a key risk in the current technology environment. “Holes through which data can leave — already large due to expanding technologies and platforms — are made larger by the growing use of decentralized systems and work collaboration tools. Another complicating factor . . . is the availability of increasingly inexpensive storage devices. Data can literally ‘walk’ out the door on an employee’s keychain or in a smartphone, or it can be intercepted when sent through low- and no-cost cloud service and storage providers,” the report explains. The leading actions respondent organizations are taking to control data theft and loss are developing a relevant policy and related procedures (74 percent), initiating employee awareness programs (69 percent), implementing additional security mechanisms (60 percent), locking down or restricting access to sensitive computer systems (45 percent), and tasking internal audit with relevant controls testing (45 percent).
Most respondent organizations plan to increase their information security budgets in the coming year (59 percent) or hold them at the current level (35 percent). Respondents’ top funding priorities are business continuity and disaster recovery planning (47 percent), data loss prevention technologies and processes (28 percent), compliance monitoring (21 percent), and identity and access management technologies and processes (21 percent).
Overall, just 25 percent of respondent organizations have a formal, well-established IT risk management program in place, while 31 percent have an immature program in effect and 28 percent plan to establish one next year. Similarly, just 12 percent of respondent organizations include information security topics on the agenda for every board meeting. “Today, information security is a board-level risk management priority, and the days of delegating cyber-security are over,” Wedge says. “The board is accountable for its information security strategy and must have confidence in what it entails and how it is executed.”