What's keeping IT awake at night?

Top security concerns for IT managers are mobility, cloud computing and managing the BYOD trend

All of these concerns are relatively new, he says.

“Of course the ‘old’ security problems have not gone away,” he adds. “IAM [identity and access management], for example, is still a big topic that many organisations continue to wrestle with. It’s just that now there are new frontiers within which identity and access management disciplines must be applied, with each of mobile, BYOD, cloud and social media presenting their own challenges.”

“I’ve heard the phrase ‘humans are the new perimeter’ a few times now and this seems very apt.”

Gartner is seeing a mix of approaches being applied to tackle these concerns, depending both on the organisation and the problem at hand.

For example, in the area of mobile computing and BYOD, the approach includes a mixture of technologies such as mobile device management, security controls built specifically for mobile platforms, policy measures, and user education.

“Technology options still have a way to go, so there is a great reliance on the user in these instances,” McMillan says. “Some organisations also tailor support levels so that there is encouragement to use a device issued by the organisation rather than a personal device.”

Cloud is still an emerging field, he says.

“While some technologies for securing cloud are emerging, our client enquiries suggest that security concerns are still an inhibitor for adoption of public cloud services.”

One of the key issues here is the lack of an industry standard defining what security in the cloud really means, McMillan says.

“This time last year we were seeing a number of promising developments but some of those efforts have fallen by the wayside,” he says.

“It’s possible that in the next 12 months we may see some type of standards-based cloud assurance approach, but right now we are still at the stage where organisations must rely on their own individual efforts to decide how robust and secure a cloud service is.”

IDC: The ‘mobilution’ is here

The uptake of mobile devices will cause a few sleepless nights for IT managers, CIOs and CSOs (chief security officers), as the number of data loss and leakage incidents will increase exponentially, says Vern Hue, senior market analyst at IDC Australia and New Zealand.

“I think many people in the industry saw the coming of the ‘mobilution’ era a couple of years back, but the growth of mobile enterprise strategy is really taking shape and form in 2012,” he says.

Securing and managing mobile devices will become the core focus for organisations, in order to have visibility and control over these devices. The nature of the business environment today means that many employees travel frequently and work in different locations, he says. BYOD also exposes organisations to more vulnerabilities and heightens the possibility of data leakage as employees use collaborative tools, file sharing and social networking sites that transmit high volumes of potentially sensitive data.

“The problems we are seeing are not isolated to New Zealand – this pattern is very much a universal problem,” Hue says.

“However, where New Zealand differs from the rest of the region is that users are generally more savvy and sophisticated users of technology.”

He says users in New Zealand have had more exposure to non-business related technology, such as internet banking, than many other countries in Asia-Pacific, and therefore better understand the importance of IT security.

Hue says it’s “vital” that organisations develop strict corporate IT policies and educate users to adhere to them.

Frost & Sullivan: The threat from within

Frost & Sullivan’s research also indicates that the top security concerns for IT managers in New Zealand revolve around enterprise mobility and the BYOD phenomenon.

“The drive towards cloud computing has also got enterprises worried about the security issues associated with the migration to the public cloud,” says Edison Yu, research manager, ICT practice at Frost & Sullivan Asia-Pacific.

“As much as enterprises are enticed by the business benefits of moving onto a cloud service model, they are also aware of the dangers posed by cyberspace, especially with cyber attacks becoming more sophisticated and sinister in intent.”

In the past, security concerns tended to be centred around threats from the external environment, but these days, organisations are equally worried about threats coming from within, particularly from their own network users, says Yu.

“Beyond the issue of ‘unclean’ devices, the issue of data loss is also becoming increasingly pertinent as employees turn to mobile devices and the web to facilitate business processes,” says Yu.

“In particular, we have seen how the recent spate of data loss incidents have led to serious reputational and monetary losses for major enterprises across the world.”

Tinsley at Opus says that the ‘threat from within’ has always been there.

“Yes, now people have mobile devices and more real-time access to information, but things like USB sticks have been around for a long time and to me, they are just as big a threat as mobile devices,” he says.

Some might say USB sticks are easier to lose, and less visible, than mobile phones or tablets, he adds.

Yu says that Frost & Sullivan’s view is that as IT becomes an integral part of a business setup, there is a greater need for enterprises to view IT security from a business-centric perspective.

“This means that enterprises have to gradually move away from a sole focus on threat management to look at tackling IT security from a risk perspective. Likewise, the dearth of expertise surrounding managing IT security from a risk management standpoint is likely to see enterprises turning more to professional services companies to resolve their security issues.”

With cloud services becoming more common, the onus will gradually shift towards the service providers to ensure security in the cloud environment is well catered for among their enterprise clients, he says.

A word from the vendors

According to Glynn Stokes, SMB/enterprise product director, Trend Micro ANZ, the top security concerns of its New Zealand customers include:

• How to manage increasing consumerisation.

• How to do more for less: Budgets are tighter than ever, while the risks have not decreased.

• Virtualisation and cloud computing.

• Legacy systems: Legacy applications and hardware are kept going as they are simply too expensive to replace or upgrade.

• Data breach visibility: In New Zealand, there is still no formal clearing house of data breaches that occur within companies, whether this is financial data, payment card (PCI) data, student records, medical records, etc.

• Privacy issues: New Zealand has one of the weakest privacy control environments within the Commonwealth, says Stokes, but we are increasingly sharing or hosting information anywhere in the world through cloud services.

Security tips from Robin Cockayne, general manager, Revera

Don’t settle for blank assurance: Service providers have to open up and show clients what they’ve got.

Know your own risks: Conduct risk assessments to better understand your own risk profile.

The greatest risks are from within: Organisations are still accountable for how their users behave when accessing information on devices, even if the infrastructure is outsourced to a managed services provider.

Physical threats: Security is easily over-complicated. Some might argue that properly managed physical keys are just as safe as biometric security. You could build the safest datacentre in the world but no one could afford to use it.
