ISACA's Top Three Security Challenges for 2013 are Refreshingly Realistic
The end of the year always brings a slew of dire predictions and FUD-ridden warnings of the impending menaces IT professionals will likely be faced with over the course of the next calendar cycle. By contrast, ISACA, the not-for-profit global association of IT professionals, has managed to identify three less than dramatic areas of concern for the enterprise that are practical and worthy of examination: The private vs. public cloud debate, data privacy and governance issues, and ongoing cybercrime threats. That's it. No APTs, no cybergeddon, no devastating data-wiping malware, just a few objective operational matters.
ISACA notes that migrating aspects of an enterprise's operations to the cloud continues to raise concerns over the ability to effectively manage data, reliably deliver services to the client base, ensure secure access controls are in place, and the need to demonstrate an overall return on the investment.
In the private vs. public cloud debate, the former seems to have an edge where confidence and trust are concerned. ISACA’s annual IT Risk/Reward Barometer survey found that more than two-thirds (69%) of the 4,500 IT professionals from 83 countries surveyed believe that the risks posed by employing public cloud services - those where multiple clients access the same platform - outweigh the potential benefits. This finding starkly counters the overall opinion of the use of private clouds - proprietary systems not shared with other parties - where the majority (57%) believes the benefits of virtualization options for the workforce trump the potential risks involved.
The greatest area of concern in the use of public cloud services is related to the use of file-sharing services online by employees for collaboration or the storage of potentially sensitive proprietary company data. 67% of the survey respondents identified these types of services as posing a significant risk to enterprise security. The survey also found that for mission-critical services, only 9% of respondents indicated they use public cloud platforms, while 34% prefer to maintain private cloud systems for such operations.
Ultimately, ISACA says the decision to employ such services will be made on a cost/benefit or return on investment analysis. “In the cloud debate, the trump card will often be played by the business-line leader responsible for customer satisfaction and profitable revenue. To shape the solution, IT leaders can push aside the hype and broadly evaluate risk and return—through the eyes of the business,” said Brian Barnier, a risk advisor with ISACA.
The organization also identified growing concerns by both consumers and employees over how businesses manage personally identifiable information (PII) and the potential for compromise through a data loss event. ISACA points out that with increased awareness of the potential damage that a breach of PII can have on a company's bottom line, businesses will need to focus more on governance of such data throughout its life cycle to maintain a competitive edge.
“Privacy by design, confidentiality of location-based information, the consumerization of IT, and an increase in legislative and regulatory mandates that will drive more privacy audits are among the top 2013 trends in data privacy that ISACA anticipates will need to be addressed," said Greg Grocholski, international president of ISACA. The organization recommends consulting the COBIT5 standards in the development of data security management policies.
On the cybercrime front, ISACA warns of the continued proliferation of phishing scams and search engine poisoning used to facilitate malware attacks designed to pilfer sensitive information, and project that cybercriminals will continue to develop ever more crafty methods of snaring careless employees and consumers.
“As more devices utilize IP addresses, the attack surface will become larger and threats to cyber security will increase. Cyber criminals will dedicate themselves to finding increasingly complex methods for attacks in 2013,” said Jeff Spivey, international vice president of ISACA and director of Security Risk Management Inc. The key to defending against such attacks rests on concerted efforts at increased security awareness, vigilant detection and mitigation, and a robust incident management program.
All in all, not the sexiest list of threats for 2013, but by far the most pragmatic in the sense that they represent the most likely scenarios IT professionals and their respective organizations will be confronted with in the coming year. Refreshingly bland, no?