While the low price and flexibility of cloud computing services entice users, their information security risks are also sounding an early alarm for those users.
Not long ago, owing to a management oversight, the Million network company mistakenly deleted the data of an e-commerce site that used its cloud platform services, resulting in the loss of the website's registered members. The site was forced to suspend business for several days, which in turn affected its financing plan. Although the data are being recovered through technical means, the incident has cast a shadow over cloud services, which have been promoted as offering high safety and low investment costs.
Addressing information security in the cloud computing era, the 15th annual Global Information Security Survey, published by renowned research institutes, has shown that cloud computing is one of the main drivers of business model innovation, and that the number of companies that have applied cloud computing has doubled over the past two years.
However, the Ernst survey found that 38% of respondents said their companies had not taken any action to deal with the risks. For example, many companies had not applied a stricter oversight process to the contract management of cloud computing service providers or to the use of encryption technology.
Information security is everywhere
While companies are taking steps to strengthen information security management, the vast majority of them cannot keep up with the ever-changing risk environment. The survey suggests that short-term incremental changes and patch solutions alone are not enough, and that the only way for businesses to narrow the gap is to fundamentally transform their information security functions.
Ran, a partner at the information technology risk and audit consulting service of the Greater China region, said, "The implementation of the information security transformation aims to narrow the widening gap between vulnerability status and security objectives, not through complex technical solutions, but through the courage of leadership, commitment, capacity and action; not after a year or two, but now."
The survey report shows that the challenges enterprises face in information security should not be underestimated. The main challenges are as follows:
Companies are deeply concerned about increasing external threats: 77% said that the external threat to their companies is growing.
Security precautions have failed to keep up with the fast pace of cloud computing: from 2010 to 2012, the application of cloud computing doubled, but 38% of respondents said that their company did not take any measures to mitigate the security risks posed by cloud computing.
Mobile apps have grown dramatically, but the deployment of security protection technology has lagged behind: 44% of respondents allowed employees to use corporate or personal tablets in their jobs, but only 40% of them used encryption technology for mobile devices.
Social media are widely available and have become an enterprise security risk: 31% of respondents said their companies did not have an appropriate mechanism to deal with the security risks of social media.
Security budgets and capacity are lacking, and the gap continues to expand: 62% of respondents said that budget constraints are one of the main obstacles to information security work. In addition, 44% of companies said that the low capacity of security management and enforcement personnel seriously hindered the realization of security objectives.
The report concludes that only by fundamentally changing information security management strategies can enterprises effectively address existing security threats and new security risks arising from emerging technologies.
In addition, mobile interconnection is a high-risk area. With the development of the mobile Internet, enterprise employees will buy and use smartphones and data services more and more. The use of personal devices to access enterprise applications helps enterprises reduce the overall cost of equipment procurement, helps improve staff efficiency, and can inspire staff creativity. However, risk always coexists with opportunity. It is imperative for enterprises to find solutions that guide their employees to use their work and personal devices properly, and they must consider the information security problem in depth.
"The BYOD (Bring Your Own Device) ratio was only 20% in 2011," said Lin Yu-min, director of the information technology risk and audit advisory service of the Greater China region, "and the results of the survey this year showed that 44% of businesses allow employees to use a corporate or personal tablet computer at work. This has led to a surge in information interaction within and outside the enterprise, making the corresponding security controls more difficult." "However, in a rapidly evolving mobile application environment, the corresponding security technology and software usage is still low, with only 40% of companies using encryption technology for their mobile devices," the survey found.
In addition, social media, while creating many opportunities, also bring many new challenges: through social media, enterprises can quickly build a brand and open up the market, but social media can also quickly create a significant negative impact on corporate image.
The ensuing challenges also include data security, privacy concerns, regulatory and compliance requirements, and the impact on employee productivity. This year's survey showed that about 31% of the respondents said their companies had not devised a mechanism to deal with the risks posed by social media use, which not only raised the overall risk of the enterprise, but also seriously affected the enterprise's ability to make full use of social media marketing channels in the future.
Information security needs to be improved
From the perspective of shareholders and investors, information security should be a focus of attention, and security management should be fully supported. However, resource and capability constraints still plague information security work. In this year's survey report, 62% of the companies surveyed said budget constraints were one of the main obstacles to information security, and 44% said that the low capacity of security management and enforcement personnel seriously hampered the realization of security objectives.
"For some companies, security professionals, security maturity, or security budgets may play a role in the decision-making process," Lin Yu-min said. "However, while these fixes or simply superimposed coping schemes seem to meet short-term information security requirements, they also mask potentially huge security risks."
The survey also showed that, at present, enterprises use only palliative and patching solutions to improve information security capabilities, while neglecting an overall and comprehensive response to information security threats. Only about 8% of respondents said there had been a decrease in the number of information security incidents in the past two years. Therefore, the establishment of a robust security system has become an urgent task.
But worryingly, about 63% of respondents said their companies had not yet established an overall framework for information security, and only about 16% felt that their companies' information security functions fully met their business needs.
Looking ahead, Mr Ran concludes, "Although there is a gap between the status of information security and corporate goals, the gap will widen as new government regulatory requirements arise and security threats change. If the enterprise does not take immediate measures to establish a comprehensive information security system, then the existing problems, coupled with unknown hidden dangers, will only make the information security environment the enterprise faces worse. The only way to deal with such a situation is to make a structural change in information security."
Achieving such an adjustment does not necessarily require a complex technical solution, but it requires leadership and commitment, coupled with a commitment to ability and action. "Don't always talk about what to do in the future; the key is current innovation practice." Ran suggested that enterprises should link their information security strategy with their enterprise strategy, redesign the structure, continuously implement the transformation, and gain an in-depth understanding of the risks and opportunities of new technology, among other important initiatives.
It is clear that only in this way can enterprises radically transform the manner in which their information security services operate, and more effectively narrow the widening information security risk gap.