It is no great secret that businesses and home users should protect their PCs, laptops and other devices against online threats. Ever since the internet went mainstream in the mid-1990s, the industry has been at pains to point out the risks of failing to take IT security seriously enough. Security software tends to be sold alongside any new hardware purchased, and the majority of users by now recognise the value of taking precautionary action. However, the development of new technologies means new risks are emerging all the time. And it is not just the sophistication of computer devices that is increasing – the same applies to malware, viruses and other system bugs.
In a recent report, leading consultancy firm Ernst & Young (E&Y) claimed that the rapid pace of innovation is heightening the need to take all possible IT security precautions. The Big Four giant pointed to the increasingly mobile workforce, the advent of cloud computing and the growing popularity of social media as significant threats to organisations' information security. The firm said that while there is a widespread commitment to protecting data, businesses are facing "advanced, persistent threats" that jeopardise their entire operations. Consequently, it is vital that companies, organisations and individual employees do not take their eye off the ball.
Bernie Wedge, E&Y's information technology risk and assurance practice leader, commented that organisations now operate in a world that requires borderless security, and new approaches are required as a result. "The trend toward anywhere, anytime access to information has significantly changed today's business environment," she noted. "Information access by employees using mobile devices, or items that are maintained and accessed by customers, vendors or other business partners, are considered outside traditional borders. Therefore, companies must think about security beyond their employees, data centres and firewalls."
E&Y's cross-border security survey showed that businesses are very much concerned about the potential for mobile working to lead to data breaches. Some 52 per cent of respondents said the use of personal devices, rather than those owned by the company, represented a major threat. With members of staff bringing their own smartphones and USB sticks into the office, and plugging them into company-owned PCs, businesses are losing a degree of control over their own network security. Indeed, 53 per cent of the IT managers surveyed claimed that workforce mobility is "a considerable challenge" to delivering information security solutions effectively.
But the biggest perceived challenge to enterprise IT security was found to be employee ignorance of the various risks. An overwhelming 92 per cent of respondents highlighted staff awareness as a major challenge – potentially pointing to a need for greater investment in employee training. While human error is always a problem-in-waiting, the changing attitudes and practices encouraged by social media are also a potential issue. With so many people – especially young professionals – sharing information online as a matter of course in this culture of openness, there is a danger of some overstepping the mark. Transparency is not always a good thing – notably when sensitive company or consumer information is concerned. Even trivial, throwaway comments made in good faith have the potential to come back to haunt businesses.
In the majority of cases, businesses are taking steps to address IT security issues, despite the potential costs involved. Ms Wedge said the dangers of mobile working are generally well understood at executive level, and the precautionary measures being taken include policy adjustments, increased security awareness activities, the implementation of new encryption techniques and revision of access management controls. In total, half of the companies surveyed said they were planning to up their IT security spending in 2011 to reflect the increased risks. And cloud computing – seen in some quarters as contributing to data security problems – is seemingly being considered part of the solution. Some 85 per cent of IT managers expressed the view that hosted services will help improve – rather than weaken – security controls and increase levels of consumer trust.
But as IT security practice leader Jose Granado pointed out, the use of cloud computing requires a shift in traditional information security paradigms. He said the fact that "the outsiders are now the insiders" – referring to the process of outsourcing data management and storage functions to third-party providers – cannot be ignored. "People and organisations outside the borders of the traditional corporate environment play a role in helping to achieve information security objectives, but can also pose a risk to protecting your information," Mr Granado stated. He added that a comprehensive IT risk management program must focus on people, processes and technology to address information throughout its life cycle, whether it is being kept internally or held by an external service provider.
New technologies clearly have great potential to add value to businesses and organisations, but firms cannot afford to dive head-first into deployments. Whenever they are planning an IT investment, or a change to established IT processes, data security considerations should be at the centre of debate. The internet is undoubtedly an invaluable resource – one of the greatest available to modern businesses – but untamed, it can be something of a wild beast. Firewalls, anti-virus software and secure data storage help companies enjoy the many benefits of the web, without a sting in the tail. IT disasters such as data leaks, hacker attacks and system corruptions bring companies to their knees – obliterating hardware, halting production and causing long-term reputational damage. Businesses need to avoid such losses at all costs, even if this means slowing things down and ensuring IT security issues are addressed proactively and effectively.