New research reveals growing security risks

The first research study, conducted by IDG Research Services, reveals a significant gap between the speed at which organisations are adopting new connectivity, collaboration and communication technologies and their readiness to deploy them securely. The second study, from RSA's Security for Business Innovation Council, outlines how companies can capitalise on the significant business advantages these new technologies represent without putting their organisations at risk.

Rob Watson, country manager of RSA, the security division of EMC South Africa, said: "Information is an organisation's single most valuable asset. It's not enough to look at the external threats; companies also need to be able to control their critical information to ensure the right person gets the right access to the right information at the right time. This can help business enablement, but also presents a significant security risk if the right controls are not in place. We therefore advise companies to look not only at external attacks on their environment, but also at the internal procedures they have in place to allow them to efficiently do business while protecting their most valuable asset."

Dissolving boundaries

Karel Rode, principal consultant of RSA, agreed: "Businesses are becoming 'hyper-extended enterprises', exchanging information with more constituencies in more ways and in more places than ever before. The rapid adoption of nascent web, social and mobile technologies combined with the rising use of outsourcing is quickly dissolving what remains of the traditional boundaries around our organisations and information assets. Security strategies must shift dramatically to ensure companies can achieve their goals to cut costs and meet revenue targets without creating dangerous new business vulnerabilities.

"The complexities of strong authentication as a defence mechanism are often negated by creative tools, such as Trojans, that are engineered to attack very specific systems. Defending solutions need to address this, not just by looking at the client authentication mechanisms and processes to the system, but by using additional controls that monitor the transactions, predict risky behaviours and proactively engage the user for credentials. This creates a strategy of 'defence in depth', which enables reliance on multiple systems throughout the user's interaction with the Web or mobile channels to become a key contributor to reducing risk and fraud."

IDG report shows many companies leaping without looking

Commissioned by RSA, the 2009 IDG Research Services survey of 100 top security executives at companies with revenues of US$1bn or more, showed that some companies are so enthusiastic about the potential of new web and mobile technologies they are deploying them without adequately securing critical processes and data.

Key findings include:
• More than 70% of survey respondents believe escalating levels of connectivity and information exchange powered by new web and communication technologies are transforming their organisations into hyper-extended enterprises.
• The majority of organisations have increased their use of virtualisation, mobility and social networking over the past 12-24 months, with more than one-third reporting an increase in cloud computing.
• However, many of the responding companies do not have adequate strategies to assess the risks involved in adopting these new technologies. In some organisations, the corporate security department is only brought in when problems occur and, in others, security is not even informed before these new technologies are used.
• Less than half of respondents have developed policies for employees to guide the use of social networking tools and sites.
• More than 30% of the responding companies already have at least some enterprise applications or business processes running in the cloud, with another 16% planning to begin migration within the next 12 months. Among these, two-thirds do not yet have a security strategy in place for cloud computing.
• More than eight out of 10 respondents are concerned that pressure to cut costs and generate revenue has increased their exposure to security risks. More than seven in 10 have experienced a security incident in the past 18 months.
• The majority of respondents agree they need to change and improve their approach to enterprise security strategy to accommodate the realities of the hyper-extended enterprise.

Hyper-extended enterprise requires new security approach

In RSA's fourth Security for Business Innovation Council report, top security leaders from around the globe explore how security strategies must transform in a world in which well-intentioned actions to drive new business value could open up disastrous risk exposures.

The report offers specific recommendations for developing an updated information security model that reflects the emerging opportunities and dangers at hand. Council members outline why today's environment is particularly treacherous and share advice on how to securely tap the hyper-extended enterprise for business advantage. Specific guidance includes:
• Rein in the protection environment: Identify ways to use resources more efficiently by taking a risk-management approach to the existing security environment.
• Get competitive: In challenging economic times, security teams must focus on the quality and efficiency of their services and be able to effectively articulate the value they provide for the price.
• Proactively embrace technology on your terms: How to move from reactive to preventive security and establish a road map for the business to adopt new technologies.
• Shift from protecting the container to protecting the data: Especially as more and more enterprise data is processed and stored in containers not controlled by the business.
• Adopt advanced security-monitoring techniques: Moving away from techniques such as signature-based anti-virus and blacklisting to more accurate techniques, such as behaviour-based monitoring and white-listing.
• Collaborate to create industry standards: Why the need for uniform standards for security professionals, third-party providers and emerging technologies has reached a critical juncture.
• Share risk intelligence: the council recommends more robust and collaborative intelligence-sharing - spanning enterprises, law enforcement and government.

For more information go to www.rsa.com and www.idgresearch.com.