While major Asia Pacific enterprises have generally been cutting their IT staff in the past 12 months, the threats to digital and Web security are now worse than ever before. But new research indicates a lack of awareness about the extent of the risks. By Ross O. Storey
14 Dec 2009

Just like America’s ‘wild, wild, west’, when gunslingers terrorised innocent citizens, and outlaws like Jesse James and Billy the Kid ran riot, some analysts claim the Internet has now become the ‘Wild, Wild, Web’ where you can ‘trust nobody’. However, judging from our recent Asia Pacific Enterprise IT Security Study 2009, executives of major Asian enterprises don’t yet appreciate the real danger.

On average, respondents to our study, sponsored by Oracle, indicated their security expenditure was currently between five and 10 per cent of their overall IT budget. In the past 12 months, most have increased security spending by between one and 10 per cent when, if you believe some researchers, digital threats have increased five-fold.

MISMATCH

An obvious conclusion is that, given the current unprecedented threat environment, Asia Pacific enterprises appear to be considerably ‘under spending’ on IT security.

If the percentage of IT budgets dedicated to security matched the current growth rate of cyber crime, the rise in spending on protective measures would be much higher. Interestingly, in other CIO Asia magazine research, focused on the State of the Asian CxO, for 2010, 31.5 per cent of respondents cited enterprise IT security as important, whereas for 2009, it was highlighted by 40 per cent of respondents. If the focus on security matched the prevalence and incidence of digital threats and attacks today, this priority would be much higher.

Let’s hope this contrary result means Asia’s enterprises are well-prepared for the new security environment, although some research has already indicated otherwise.

We asked respondents what their biggest fear was about what could happen if their enterprise suffered a major data breach. The majority of our respondents ranked ‘loss of business’, ‘transactional and operational risks’, and ‘loss of reputation’ as their key concerns.

MAIN CONCERNS

For those who listed the second most important concerns, respondents ranked them as follows: transactional and operational risk (27 per cent), loss of business (25 per cent), loss of reputation (23 per cent), loss of competitive advantage (12 per cent).

CIO Asia asked respondents about the number of security incidents they have experienced in 2009 and the majority said at least one, and some up to five—which is a consistent pattern over the past two years.

Other research indicates that 85 per cent of major enterprises have experienced one or more security attacks or incidents and the bigger the business, the more likely it is to be targeted.

Respondents to this study told us they view IT security very seriously and are concerned about the bottom line of any infrastructure breach. However, when they were asked about their database security measures, a different story emerged. Data protection is considered the foundation of IT security and should be its primary focus. The information an enterprise has accumulated is its crown jewel and should be appropriately protected.

Our data revealed that while most are alerted to breaches, the ability to delve into an investigation of the source is still new territory for many Asian companies. Our study highlighted that a significant number of enterprises still have no detection ability whatsoever—which should be a major concern. The top three countries where companies have no IT method to detect security breaches are the Philippines, Thailand, and, surprisingly, Australia.

Wise enterprises routinely check on the performance and status of their IT systems. Our survey found that more than 80 per cent of our respondents perform regular assessments of their database. Most do it on a quarterly basis or less. A worrying finding is that 13 per cent of those businesses we surveyed—that’s more than one in 10—admitted to not bothering to carry out any database security assessments or audits. They must live with their fingers permanently crossed. There is definitely room for improvement.

In our Asia Pacific Enterprise IT Security Study 2009, we also asked how senior IT executives would specifically like to improve their existing database security. The responses were closely split: 16 per cent want to improve access control, while 15 per cent want disaster recovery.

Auditing and encryption logged 13 per cent each, while authentication and integrity controls were highlighted by 12 per cent each. It seems that there is a broad range of database issues where enterprises know they have some work to do. In fact, name a database issue and there are concerns about it.

Our researchers went further and asked respondents what the most common problems stemming from their current database systems were. More than one in five—21 per cent—listed the ‘inability to perform full audits’ as their top concern while 19 per cent listed ‘poor design in relation to applications’ as the second. ‘Weak encryption’ took third place with 15 per cent of responses.

I wonder if these reflect areas where your enterprise needs to lift its game too?

The usual and most overlooked sources of data leakage are unstructured database privileges, normal e-mail, and slipshod security policies.

However, our report indicates there are also new issues to consider.

EMERGING ISSUES

An emerging issue for CIOs is the security threat and increased risk posed through the emergence of unified communications, collaboration and social networking tools.

In the past year, malware has contributed to nearly one-third of data breaches and social networking sites are infested with it. This emphasises that corporations definitely need to worry about, and take action regarding, their employees accessing social websites through company computers.

So what can you do to ensure your enterprise is properly prepared for this ever-growing digital security threat? In today’s complex technology world, there is no simple answer, but, as in the times of the ‘wild, wild, west’, protecting your enterprise should be a high priority.

ABOUT THE CLOUD

Aside from our study, CIO Asia interviewed Peter O’Connor, Area Vice President, South East Asia Pacific, on the state of cloud security in Asia today. Here are excerpts of the interview.

What is the current state of security in cloud services in Asia?

Cloud computing is still relatively in its infancy in Asia. However, the sheer sprawl of IT infrastructure in traditional data centres is driving more organisations to consider cloud computing as a way to improve efficiency, while reducing complexity and costs. An IDC survey showed that a significant 41 per cent of IT executives and CIOs across Asia Pacific (excluding Japan) were either evaluating cloud solutions, or already piloting cloud solutions. An additional 11 per cent were already using cloud-based solutions.

How concerned should CIOs be that cloud services have the appropriate security?

Data security should be on every CIO’s top list of priorities. While many CIOs are drawing up a list of concerns over data security in the cloud, they should first ask themselves whether most, if not all, of these requirements are even present in their existing data centre.

If the existing data centre is unable to address these security requirements, it may be due to insufficient manpower available to manage security, or that current security solutions in the market do not meet the specific cloud needs of the organisation. By outsourcing security to a cloud service provider, the organisation can free up its IT staff to focus more on their core competencies.

What advice would you give to senior IT executives about their approach to cloud services and security? What are the key steps to take before signing up?

The early adopters will be those CIOs who see cloud computing as a way to create business value and improve performance. A good starting point is to think about where there are immediate and urgent gaps to be filled, especially where scalability and flexibility are major concerns. CIOs who decide to embark on the path to cloud computing have two choices—public clouds or private ones. Public clouds typically offer services largely for consumer-oriented applications while private clouds tend to focus on serving enterprise IT needs. Private clouds can give the organisation peace of mind that information security is centrally managed by a team of dedicated in-house staff.

How mature do you regard cloud services in Asia at the moment and how does this region compare with the US and Europe?

Although IDC notes that Asia Pacific organisations are generally adopting cloud services more slowly than the rest of the world, they are increasingly turning to such services to achieve cost savings and business improvements.

In addition, the lacklustre economic environment of recent months has made cloud computing an attractive business proposition due to its ease of deployment and relatively low cost. Consequently, CIOs in technologically savvy markets such as Singapore and Australia often consider cloud services as an option for new IT investments.

What statistics can you provide about trends in Asia on cloud computing and what is the current attitude of major enterprises to this technology?

As mentioned, IDC found that more than 40 per cent of IT executives and CIOs across Asia Pacific (excluding Japan) were either evaluating cloud solutions for use in their businesses, or already piloting cloud solutions. Achieving cost savings from cloud services is the most frequently cited benefit by Asia-based organisations.

From a global perspective, IDC expects worldwide public IT cloud services revenue to jump from US$17.4 billion in 2009 to US$44.2 billion in 2013. Whatever the economic situation, cost cutting and improving operational efficiency remain key issues for organisations, whether they are SMEs or major enterprises.

As such, companies are gaining increasing interest in the ease of scalability and cost saving opportunity afforded by cloud services. Cloud services allow the organisation to use and pay only for as much as the workload requires, and may be easily scaled up in response to increased service demand.

BOX 1:

The Asia Pacific Enterprise IT Security Study 2009 was carried out during July and August 2009 and attracted more than 300 responses.

This unique and comprehensive project was carried out over nine countries, including Australia, Hong Kong, India, Indonesia, South Korea, Malaysia, The Philippines, Singapore and Thailand.

Our aim was to determine the current State of Enterprise IT Security across the Asia Pacific. Along with Oracle, we were keen to determine the very latest strategies, trends, reporting structures, priorities and directions for enterprise executives in this vast region.
