Emerging technology trends – risk or opportunity?
(As originally published in the Financial Post, December 2012)
By Nitin Bedi, Manager, IT Security, Ernst & Young LLP
The velocity of change in information technology has blurred the lines between business and personal activities. Many people expect far more than what their employers are able to offer, and many companies have to catch up to keep the workforce engaged.
Cloud computing, social media and “bring your own device” (BYOD) are trends that sounded absurd to most information security executives just a few years ago, but are quickly becoming mainstream initiatives. These technologies can create tremendous opportunity, yet they also introduce additional risk to the business.
In a recent Ernst & Young survey of 700 leading companies (Turn risks and opportunities into results, available at ey.com/top10challenges), emerging technologies risk was identified as number five in a list of top 10 risks businesses will face in the coming years.
Following are some highlights from our 2012 Global Information Security Survey (GISS), Fighting to close the gap, that illustrate some of the risks of these new technologies:
Cloud: Cloud computing continues to be one of the main drivers of business model innovation and IT service delivery. Canada is a heavy adopter of cloud computing, and 86% of Canadian respondents say they are currently using cloud computing services. However, 21% of Canadian respondents say they have not taken any measures to mitigate the risks of using cloud computing services. Many admit that their efforts to address cloud-related risk are minimal or non-existent.
Social media: Social media can quickly build an organization’s brand, and just as quickly crush it. Canadian businesses rely on policy adjustments and monitoring rather than blocking access to social media sites, and 43% of Canadian respondents do not have a coordinated approach to address social media. One of the most common tactics management uses is to limit access to social media sites, but this has proven to be ineffective, as employees can access the sites with their own devices.
BYOD: As the mobility of today’s workforce continues to grow, the phrase “out of the office” becomes less relevant. Tablet computer use for business has doubled over the last year, and 31% of Canadian respondents now allow the use of company or privately owned tablets in their organization. Canada’s rate of adoption for BYOD was 8%, with 62% of respondents currently evaluating alternatives to enable mobile technology in the workplace. Analysts predict that there will be 10 billion internet-enabled mobile devices, smartphones and tablets globally by 2016.
New technologies introduce new entry points into the organization, opening new opportunities for hackers to penetrate the system. Emerging threats range from opportunistic attacks to targeted attacks, and even state-sponsored attacks. Traditional technologies are no longer sufficient to protect against sophisticated threats — and threats can often remain unnoticed in the environment for a long time.
Most respondents to our survey feel that they are not adequately protected from threats that could result in a breach or data loss. Despite the risks introduced by the adoption of cloud-based services, social media and BYOD, organizations are moving full steam ahead to take advantage of the business opportunities.
Before implementing any new technology, companies should do appropriate due diligence. We’ve identified the following six practical steps you should consider as part of the due diligence.
- Develop an information security framework: Rely on a known security framework such as ISO 27001/2 to assess each type of technology, its role in the organization and the business opportunities and threats.
- Understand your risk appetite: Identify the organization’s risk appetite using a risk management model that reduces risk to an acceptable level.
- Review your third-party agreements: If there are third parties who will be involved in the management or usage of the new processes, services or technologies, you need to agree on allocation of responsibilities.
- Update security policies and prioritize awareness: Adjust your existing security policies and educate your staff on the appropriate use of emerging technologies so that risk is managed.
- Monitor regulations and compliance: Stay on top of specific regulatory and compliance requirements.
- Monitor risk in the environment: With the deployment of any technology, monitoring processes and procedures are required. This includes monitoring the use of the technologies by the employees and determining inappropriate use, and closely managing the risks introduced by the implementation.
Social media, cloud and mobile technologies are here to stay, and you need to be prepared. You must minimize the gap between your current security level and what you’ll need to do to maintain a competitive advantage and minimize your risk exposure.