Yet as more and more critical data moves to and fro within and without “the cloud,” concerns are rising regarding the security of it all, with a solid 95% of IT managers recently polled in the U.S. admitting that they are “concerned” or “very concerned” about cloud-related security breaches.
The survey, compiled by IT security provider SailPoint and dubbed Cloud and Mobile Adoption Increases IT Security Risks, found that even as enterprises across the business spectrum are aggressively adopting cloud and mobile solutions for mission-critical applications, that self-same trend is increasing the risk of security breaches and failed security audits.
SailPoint polled 200 business leaders and 200 IT managers in the U.S. and the United Kingdom and uncovered some worrisome trends:
- 77% of U.S. IT managers say their company’s employees use mobile devices (phones and tablet computers) to check e-mail, with 54% using them to access company intranets and 35% using them to access cloud-based company applications.
- 35% of U.S. IT managers say some data in the cloud is at high risk.
- U.S. and U.K. IT leaders believe one in three mission-critical apps are currently in the cloud; a figure that will increase to one in two by 2015.
- More than 15% of business leaders in both countries admit they have no way of knowing if sensitive data is stored in the cloud at all.
- The majority of companies surveyed do not block personal application usage at work, even though these apps are completely outside IT’s visibility. Only approximately one-third of the companies in the poll are fully locked down when it comes to personal app usage at work.
- Almost half of business leaders say they always or often use the same passwords for personal web apps as for work apps.
- Around two-thirds of companies are “very concerned” about corporate information security breaches, but almost two-thirds of IT leaders say they are not very confident in their company’s ability to prove the effectiveness of internal controls over access privileges in an IT audit.
"Cyber attacks are becoming more frequent, more organized and more costly in the damage that they inflict on government administrations, businesses, and economies," he advised. "Across all domains of operation, we must identify game changing products, services, and technologies to improve foundations of trust, increase agility and resilience, and assure and empower critical mission infrastructure."
“The lack of appropriate security has already allowed a number of destructive cyber-attacks to lay waste to some of the most high-profile companies in the oil and gas industry,” added Michela Menting, senior cyber security analyst for consulting firm ABI Research.
Many of these attacks have caused significant financial damages, and yet the industry is painstakingly slow in deploying proper cyber security measures adapted to the infrastructure, Menting pointed out. That lax approach is not only careless but can prove dangerous as well, since the illegal interception and modification of commands to pipelines could cause massive environmental disasters or even life-threatening situations.
“The terrorist threat is just as real online as it is in the physical world,” Menting noted, and as a result, ABI calculates that cyber security spending in the oil & gas industry alone will reach $1.87 billion by 2018; spending that covers IT networks, industrial control systems and data security, counter measures, plus policies and procedures.
“When we think about the lethal daily threats from nation-states and individuals, it is imperative that chief information security officers (CISOs) begin looking around corners, talk with each other and better prioritize the real threats to their firms,” noted Mike McConnell, vice chairman for global consulting firm Booz Allen and a former director of U.S. national intelligence.
“Self-evaluation and industry-wide conversations are the new ‘rules of the road’ to creating successful, integrated cyber defenses,” he said during a speech late last year at Bloomberg’s Enterprise Risk Conference.
“There are many cyber trends – including the sophistication and lethality of the attacks – that industry should be aware of,” McConnell stressed. “Even though it is difficult to look into a crystal ball and predict the future, these events are happening now and could cause significant reputational, financial and infrastructure damage to any ill-prepared firm. Individual companies should not wait for legislation or a [Presidential] Executive Order to come together with their government counterparts to find dynamic solutions to these big issues.”
He pointed out that spending on new technology alone is not enough to protect a firm’s information and business.
“Firms must also invest in people and in fine-tuning processes to ensure, not only the proper use of technology, but that the processes that require interfaces between organizations are well managed and executed flawlessly,” McConnell explained. “No matter how good a technology is, if not used correctly by skilled employees who follow well-defined processes, vulnerabilities will surface that can be leveraged by both internal and external threat actors.”
Firms must begin to employ a more predictive threat intelligence capability to determine who might be trying to attack them and how, he added. Focusing on understanding their own individual business risks, as well as industry risks, and combating the real potential threats that target such risks is much more effective than trying to create a defense that could cover any possible threat.
“Cloud, social and mobile technologies, including ‘Bring Your Own Device’ or ‘BYOD’ [policies] are simply too cost efficient and effective for institutions to ignore them,” McConnell said.
“Security and risk professionals need to better integrate these technology trends, which will require they embrace the fact that the corporate network now has extended beyond their control,” he explained. “Risk management and mitigation is evolving to better control how corporate data travels these boundless networks and ensuring the education of their employees on the responsibilities they have in securing such data.”