While pressured to adopt new mobile technologies and implement access to social media, 83% of Canadian companies are concerned with heightened tech risks, says a new report from Ernst & Young. Conversely, 63% reported that they don’t have sufficient budget to appropriately secure their IT infrastructure. Clearly, this trend cannot continue indefinitely without negative consequences appearing somewhere down the road.
“The introduction of smartphones and tablets in the working environment has extended the virtual boundaries of the enterprise, blurring the lines between home and the office. Constant access to email and sensitive corporate data from anywhere, anytime may improve productivity, but also increases security risks. The concept of defence perimeter must be replaced by defence-in-depth,” explains Gaétan Houle, Associate Partner and National Leader for IT Security Advisory services at Ernst & Young.
Ernst & Young’s 2011 Global Information Security Survey shows that while 62% of Canadian respondents plan to increase their information security budgets in the next 12 months, only 37% will spend more on security monitoring. “This is a bit concerning,” says Houle. “The introduction of personal smartphones and tablets, combined with the increasing demand for access to social media has opened up several new attack vectors for advanced persistent threats (APTs), which are a well-resourced, highly capable and relentless class of hackers.”
APTs are successful because they have developed the capability to bypass traditional security defences, which makes it extremely difficult for companies to discover the intrusion and develop appropriate solutions to address the threat. “This is mainly why security monitoring should be given a higher priority. Given the rapid evolution of APTs, most companies would probably be better off outsourcing the monitoring of their Internet traffic to the pros,” recommends Houle.
Executives also have social media on their radar. Most respondents (72%) said external malicious attacks were their top risk, with nearly 40% of companies rating social-media-related risks as challenging. Houle says this is not surprising, as we see an increasing number of attacks that draw information from social media to use in more effective phishing emails.
To help address potential risks posed by social media, organizations seem to be adopting a hard-line response. Just over half (53%) have responded by blocking access to sites rather than embracing the change and adopting enterprise-wide measures. This response, while perhaps addressing external threats, does not fully deal with the widespread global personal adoption of social media, or with the benefits that its integration into business may generate. “In fact,” says Houle, “the lack of an integrated information security policy for both access to and use of social media may prevent companies from keeping pace with competitors and may be creating a sense of mistrust with employees.”
Companies should embrace the full advantages of social media and, from a prevention perspective, develop a policy that explicitly addresses external social media and educate users about the potential damage to the organization’s brand. Companies should also consider monitoring their employees’ usage of these sites (without restricting access).