With the influx of personal devices in the workplace and the unprecedented risk of data breaches and malware, tightening IT security at a company can seem like a daunting task. Just how difficult a task is it? What are the biggest security risks, and what are the top minds in IT considering to combat them?
Wisegate, a crowdsourced IT research company, surveyed hundreds of its senior IT professional members to find out. Earlier this year, we shared with readers that a lack of security metrics and reporting was undermining IT security programs. Now, we'll take a look at what those top security risks are.
Data breaches and malware are at the top
Unsurprisingly, in a poll that asked IT professionals to name their top three security risks, 32 per cent of respondents named data breaches and malware as their top threats and risks. Over half (51 per cent) of respondents included not only data breaches and malware, but also insider and outsider threats, BYOD management and security, and advanced persistent threats as their companies' top risks.
While data breaches and malware are not new risks to the industry, we wanted to get to the bottom of what technology and business trends are causing this concern over malware and information leaks.
Trends impacting security programs: BYOD and cloud
When asked to identify the trends that most impact their security programs, IT professionals revealed that the malware threat and its associated data breach risk are likely to get worse over the coming years, specifically because of these trends:
- The continuing evolution of BYOD practices
- Increasing adoption of cloud technology, both public and private
What we'll see is a world where employers will actually require people to bring and use their own devices. Most companies already provide staff with equipment, and many currently tolerate BYOD. The trend will continue until eventually companies will choose to make the personal devices employees already use official.
But this leads to a tension between company and personal information held on the same device. The company will need to protect its own data, but the personal data will be in conflict with any device monitoring that the company does. In short, there is potential for a 'Big Brother' inspired backlash from the employee. However, the savvy security team will earn the user's trust by demonstrating that the company can monitor only the corporate data: it not only doesn't monitor anything else, it cannot.
There is a strong argument for shying away from BYOD and using the cloud to defend against malware-inspired breaches of sensitive data. It is harder to infect the cloud than it is to infect an individual endpoint. But there is also a scale issue. If an attacker manages to infect the cloud, he could potentially affect many more customers and much larger datasets. The weakness in cloud security is less the cloud itself and more how the cloud is used. This is one aspect of one of the biggest challenges in IT security: the difference between something working correctly and something working correctly and securely. This affects everything from malware prevention to proprietary apps, open source software, and websites.
The future of IT security is data security--not device security
When asked what infrastructure security controls would be prioritized over the next few years, nearly a third of respondents--32 per cent--named information protection and control as their top priority. Web application firewalls weren't far behind, with 26 per cent naming this as a top priority.
This suggests a shift in emphasis from protecting devices to protecting applications and the data itself. Firewalls are now application firewalls rather than trusted network firewalls. If IT security professionals' top security controls are designed to protect the data itself, then even if there is a breach of sensitive information, that information will remain hidden from any attacker.
Faced with the impossibility of defending against malware attacks in the new cloud/BYOD paradigm, security teams are engaged in a massive shift from protecting devices to protecting data. Stay tuned for our breakdown of this new paradigm--data-centric security--in a future CSO article. We'll take a deeper dive into the idea that if data itself is safe, it doesn't matter if there is a breach.
Elden Nelson is Editor in Chief at Wisegate, a private, crowdsourced IT research service for senior IT professionals, including CSOs and CISOs.