Information security functions are trying to adapt to the new world of mobile computing, cloud computing and social networking, but at the end of the day, it's really about data loss prevention.
Mobile computing, cloud computing and social media have taken root in today's world and they are eroding or downright eliminating the traditional boundaries of organizations. According to a recent study by Ernst & Young, information security programs are struggling to keep up.
"I think what this year's survey highlights is the fact that IT is really changing to meet business requirements," said Jose Granado, the Americas practice leader for Information Security Services at Ernst & Young.
In its 13th annual Global Information Security Survey, Ernst & Young found that 60 percent of its respondents (1,600 senior executives in 56 countries) felt that use of social networking, cloud computing and personal mobile devices at work presented their organizations with an increased risk. In conjunction with that, Ernst & Young found that 64 percent of respondents rated data protection as one of the top IT risks that has increased over the past year.
"Last year, one of the major themes dealt with brand protection along with the traditional stuff," Granado said. "I think the big difference that I see between last year and this year is that this year we see three solid IT dynamics that are really changing the landscape of how information security professionals need to think about the program."
Ernst & Young found that 53 percent of respondents felt that increased workforce mobility is a significant or considerable challenge to effective delivery of their information security initiatives.
"Organizations are operating in a world that requires borderless security," said Bernie Wedge, the Americas practice leader for Information Technology Risk and Assurance at Ernst & Young. "Information access by employees using mobile devices, or items that are maintained and accessed by customers, vendors or other business partners, are considered outside traditional borders. Therefore, companies must think about security beyond their employees, data centers and firewalls."
Data loss was the primary cause for concern about mobile devices: 52 percent of respondents said the use of personal devices was the main cause of data leakage.
"Most organizations recognize the increased risk associated with mobile computing and are taking steps to address these issues," Wedge said. "They are making policy adjustments, increasing security awareness activities and employee training, as well as implementing encryption techniques and identity and access management controls."
Into the cloud
As far as cloud computing goes, Granado said nearly one-half of organizations are weighing the potential risks associated with cloud computing against its potential benefits and are moving forward with implementations, though most are initially going with private clouds within the organization. Ernst & Young found that 45 percent of organizations are currently using, evaluating or planning to use cloud computing services within the next 12 months, despite concerns. Fifty-two percent of those surveyed cited data leakage as the largest risk associated with cloud services, and 39 percent cited the loss of visibility of company data as an increased risk.
"The progression is steady, not fast," Granado said. "But the dynamic is that people are starting to think that they may go private cloud and then public. At the end of the day, it's a risk management decision. Organizations sometimes have to weigh the business benefit as opposed to the business risk. Security shouldn't be the only thing taken into account."
While organizations are certainly keeping an eye on mobile computing and evaluating the risks and benefits of the cloud, fewer organizations are paying attention to social networking, according to the Ernst & Young study. The survey found that only one-third of respondents felt that social media presents a considerable information security challenge, and only 10 percent of respondents felt examining new and emerging IT trends was a very important information security function.
To meet these challenges, Granado said organizations need to write strong policies that take new technologies into account, educate employees and others who have access to the organization's data and networks, and enforce those policies.
"The combination of more mobility, increased social access to information and outsourcing to the cloud requires a change in traditional information security paradigms," Granado said. "The 'outsiders are now the insiders,' meaning people and organizations outside the borders of the traditional corporate environment play a role in helping to achieve information security objectives, but can also pose a risk to protecting your information. A comprehensive IT risk management program must focus on people, processes and technology to address information throughout its life cycle, wherever it resides."
"The consumerization of enterprise IT is an unstoppable force," Granado said. "Really, from a recommendation standpoint, you have to have strong user awareness and education. You need to have a policy that's enforced. The employees need to recognize that they're still employees of the company, even if they're at home using their own equipment. It's a user behavior, policy and awareness issue, not a technical issue."
"I'm not sure that organizations that are looking at this problem tend to know where to start," Granado added.
In some cases, especially those related to mobile devices and social media, information security specialists often don't know what to do, and so instead they work on problems they do know how to address so they can show progress, Granado said.
"How do you measure success in managing social networking from a security standpoint?" Granado asked. "I can measure it in blocking malware. But with social networking? No one tweeted anything bad this year? I think that will change over time. We will start to see more policies and standards around this and a mature set of guidelines on how we can best allow people the freedom to do these things."
Thor Olavsrud is a contributor to eSecurityPlanet.com and a former senior editor at InternetNews.com. He covers operating systems, standards, telecom and security, among other technologies.
Keep up-to-date with social networking security news; follow eSecurityPlanet on Twitter @eSecurityP.