Top executives and company directors are making cyber and informational security a top priority now more than ever, according to two Ernst and Young consultants introducing the findings of E&Y’s 2011 Global Information Security Survey at a media lunch this week.
According to the survey, 72% of the more than 1,700 information security and IT professionals in 52 countries report increasing levels of risk due to external threats.
Attacks are growing in sophistication and complexity, and they now target specific people and behavior in a company, such as top executives or individuals who travel in foreign countries, rather than its systems, said Jose Granado, principal and Americas’ practice leader for Information Security Services. He was joined by Chip Tsantes, principal in the financial services office, where he leads the information security practice.
Raising the stakes are advanced persistent threat (APT) attacks that usually require user interaction, focus on a single target, collect and funnel out information over an extended period of time and operate under the radar. APT attacks, which could be the work of nation states, seek to steal intellectual property, classified information and corporate secrets to gain competitive advantage in negotiating contracts or buying terms. Typically, companies remain unaware until a government agency like the FBI or the Secret Service comes calling six months later, said Tsantes.
Signature-based anti-virus software, which identifies viral patterns, is useless against the new malware that changes dynamically. Combating APTs requires a different mindset. IT must constantly monitor the entire network looking for anomalies, behavior that is out of the ordinary, and then root out the cause, said Granado.
CEOs and boards are looking to assemble security operations centers or threat response teams to be very proactive, he said. The survey shows 59% of respondents expect their security budgets to increase next year.
Meanwhile, tablets, mobile devices and social media are seeping into the enterprise and bringing risk with them. One in five respondents said their companies do not permit tablets for business use and do not plan to allow it, a policy likened to sticking their heads in the sand. A better plan would be to provide a guest network for employee devices so companies can monitor the traffic.
In financial services, “companies should assume that every device a consumer has has been compromised and should secure financial transactions in a way that recognizes that,” said Tsantes.
And then there is the cloud, which is fueling the growth of mobile computing. About 60% of survey respondents are using the cloud or moving toward it, while 52% say their company is doing next to nothing to mitigate cloud risks. The Cloud Security Alliance is leading the way to a best practices framework, Granado said.