Even as organizations invest millions of dollars in security mechanisms meant to defend them against potential threats, business initiatives such as outsourcing, combined with the seemingly unstoppable onslaught of cyber-crime, will continue to make it hard to prevent attacks targeting electronic data in the coming year, according to a new research report.
Based on the “Security Megatrends and Emerging Threats for 2009” paper published this week by Ponemon Institute — which has established itself as a leading source of data related to the impact of data breach incidents — risks to personal and business information will continue to scale upwards during 2009 despite the best efforts of security consultants, vendors and researchers, along with industry and government regulators.
The continued expansion of productivity-related business strategies including outsourcing, mobility and so-called cloud computing, which depend on widely-dispersed electronic infrastructure, along with the maturation of the cybercriminal element, will challenge security protections throughout 2009, the report contends.
Of the nearly 600 IT professionals interviewed by Ponemon researchers for the study, roughly 50 percent indicated a belief that outsourcing poses an “imminent and critical risk” to data security. Cloud-based remote computing infrastructure, the growing crossover of consumer technologies and Web 2.0 social networking tools will also have a detrimental effect on overall security standing over the next 12 months, according to the report.
Cybercrime, in its many forms, remains a “major” headache to organizations in trying to protect their electronic data, some 75 percent of participants in the survey said. The report was sponsored by Lumension, a vendor that specializes in security applications aimed at helping organizations stay up to date with vulnerability patches.
The survey also highlighted the growing marriage of operational and security efforts within many of the organizations responding to the study.
“With the emergence of consumer technology in the workplace, coupled with social networking and Web 2.0 technologies and the increased sophistication of cyber criminals, truly securing an organization’s IT environment is an uphill battle,” Larry Ponemon, chairman and founder of Ponemon Institute, said in the survey.
“In the next year or two, these challenges will increase in both the breadth and depth of threats – the companies we surveyed made this very clear,” he said. “The key for both IT operations and IT security is to find the common ground necessary to better-wage this security battle together.”
The survey isolates eight “mega trends” that survey respondents believe will factor heavily into security concerns in ’09, many of which are also considered areas ripe with cost-saving or productivity opportunities for most organizations. Those trends were:
-cloud computing
-virtualization
-mobility and mobile devices
-cybercrime
-outsourcing to third parties
-data breaches
-peer-to-peer (P2P) file sharing
-Web 2.0
While half of the IT security experts interviewed for the survey cited outsourcing as a major data security risk, an even higher number (59 percent) of operational IT workers view the business strategy as a significant area of concern. Both groups referenced the inability of third party business partners to sufficiently protect data as their biggest issue related to outsourcing.
Predictably, survey respondents said that their top worry related to data loss is the potential for misappropriated information to find its way into the hands of cyber-thieves (46 percent for IT security, versus 24 percent for IT operations) allowing the bad guys to carry out identity theft and other nefarious activities at the expense of their customers.
A whopping 92 percent of the organizations participating in the study indicated that they have experienced a cyber attack of some kind over the last year.
Mobility clearly remains another area of concern for data incidents. IT security and operational respondents alike (96 percent and 91 percent, respectively) agreed that the growing adoption of laptops and handheld devices will introduce even greater levels of data risk during 2009. One major problem noted by respondents in relation to mobile users was the inability of organizations to properly identify and authenticate those people coming onto their networks from outside their walls.
The adoption of other newer technologies, both business-oriented and consumer-based, will also open additional “avenues for cyber thieves to steal trade secrets and confidential business information”, according to the report.
Of those technologies, cloud computing ranked as the top concern, with 61 percent of respondents ranking it as a major security issue.
While there clearly remains no shortage of security and operational-based risks to data protection, according to respondents, the growing closeness of the two areas of focus within IT departments should help improve the situation over time, experts contend.
“Given the breadth and depth of security breaches spanning the globe this year – all of which have had a long-lasting negative impact on organizations and consumers alike – IT security and IT operations professionals have an increasingly critical task at hand, to protect sensitive data wherever it lives in an organization,” Pat Clawson, CEO of Lumension, said in a summary.
“What became clear, in conducting this research, is that while these threats will only increase over time, the gap between these distinct groups is starting to close,” he said. “This is a great step forward in waging the data security battle – the less siloed and more collaborative IT security and operations groups operate, the more successful they will be in protecting their company’s most valued asset: sensitive corporate data and trade secrets.”
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.