Protecting information in the borderless environment
(As originally appeared in FEI Canada F.A.R. member e-newsletter, December 2010)
By Tony Ritlop, Canadian Leader, IT Risk and Assurance practice, Ernst & Young LLP
The increasing popularity of mobile computing devices is changing the way we access and exchange information at an unprecedented rate. Laptops, tablet computers and multimedia-enabled smartphones aren’t just making it possible to obtain information any time, anywhere — they are contributing to our growing demand for it.
Companies that resist this trend may risk falling behind and losing their competitive advantage. As a result, many organizations are adopting new technologies, such as cloud computing and social networking, to support the increasing appetite for real-time information access.
However, while companies that embrace new technologies are more likely to meet their business objectives in a progressively borderless environment, they must also be aware of the new challenges and information technology (IT) security risks involved.
Borderless security, EY’s 2010 global information security survey, found that 60% of respondents perceived an increase in the level of risk they face as a result of adopting new technologies. As well, 46% of respondents indicated that they are increasing their annual investment in information security.
Data leakage one of top five risks in IT security
The growing use of mobile computing in enterprises could lead to the potential loss or leakage of important business information — as well as to concerns over becoming a target for computer viruses, sophisticated mobile malware and theft. In fact, 64% of survey respondents cited disclosure of sensitive data as one of their top five IT risks.
Consequently, many organizations are taking steps to address data leakage concerns. Half the respondents said they planned to spend more on data leakage and data loss prevention technologies and processes over the next year. Similarly, half the respondents planned to increase spending on business continuity and disaster recovery plans and capabilities.
Educate employees about risks of using mobile technology
Increasing expenditures in information security can certainly help boost the effectiveness of these programs. However, companies also need to understand that their security protection initiatives are largely driven by their people. Many employees have already adopted mobile technology for personal use, so it’s important to inform and educate them about important risks when such devices are used for business purposes.
To do this, enterprises are reviewing their IT policies and practices as well as making adjustments where necessary, and increasing their security awareness activities. Companies looking to better manage their IT security risks should also define any specific restrictions related to mobile computing devices, as well as deliver regular and effective security awareness training for mobile technology use.
Cloud computing a new source of IT security concern
However, IT security risks are not strictly reserved for mobile computing. Driven by the interest in computing services that require significantly less initial investment, fewer skilled internal IT resources and lower operating costs, many organizations are turning to cloud computing to manage growing technological demands.
Cloud computing refers to the on-demand provision of computing resources, such as software and storage, across networks like the internet rather than from systems housed internally. One reason for its popularity is that it can deliver leading IT services, only when required, that would be too expensive for many organizations to provide in house.
But despite its benefits, cloud computing has also become another source of concern for IT security risks. In addition to data leakage — which over half the respondents say is an increasing risk — loss of visibility of what happens to company data along with unauthorized access to data are some of the top risks that organizations have identified.
Cloud service providers are focused on scalability and flexibility. As a result, their infrastructure may not be able to meet specific organizational or regulatory requirements for protecting sensitive information stored in the cloud.
To ensure they are adopting cloud computing in as secure a manner as possible, organizations should assess the legal and organizational, as well as technological and security, risks associated with placing information in the cloud. Companies should also define and establish minimum standards and security requirements for cloud service contracts. Once these requirements are defined, companies should turn their attention to auditing contracts for compliance.
Risks of exposing sensitive business information through social media
While organizations may remain wary of external IT providers handling sensitive business data, newer generations of social-media-savvy employees are also becoming a growing concern for IT security risks.
Concerns that employees may have the same attitude about sharing sensitive business information through social networking as they do about sharing personal information have prompted 45% of respondents to restrict or prohibit the use of instant messaging or email for sensitive data.
Unfortunately, doing so may make it difficult to attract or retain the best people from newer generations of employees, who increasingly expect to use social networking in the business environment.
Since social media trends cannot be ignored, organizations should focus on educating employees about the security risks related to social media. This helps ensure that employees play an integral role in the enterprise's information security.
Overall, organizations that adopt new technologies to achieve a competitive edge will likely outpace their rivals in the borderless environment — but they will need strong and effective information security in place to protect and help them stay ahead.