UK organisations are more at risk than ever from cyber-attacks according to the 2010 Information Security Breaches Survey (ISBS) from PricewaterhouseCoopers LLP.
New wireless technologies have gained a bigger footprint in organisations as has the dependence on third party service providers offering Cloud Computing and Software as a Service (SaaS). Some 85% of smaller organisations said they were using wireless, almost double the use in 2008,while 90% of large organisations allow staff to have remote access to their systems. SaaS or Cloud applications are now used by over three-quarters of the organisations polled .
Some 61% of large organisations have detected a significant attempt to break into their network in the last year, twice as many as two years ago while 15% of large organisations have detected actual penetration by an unauthorised outsider. A quarter of large organisations have suffered a denial of service attack in the last year, also more than double the proportion in 2008.
Organisations are reassessing their approach to controlling staff access to the Internet. The trend, established between 2006 and 2008, of allowing more staff to access the Internet has been reversed. Nearly half of large organisations now restrict which staff can access the Internet; less than a third did so in 2008. Organisations want to allow effective use of the Internet, but reduce inappropriate use. Use of software to block access to inappropriate websites is slightly up on two years ago although Web access logging and monitoring is relatively static.
"Very few organisations are encrypting data held on virtual storage, including the Cloud,” said Chris Potter, partner, OneSecurity, PricewaterhouseCoopers LLP. “Worryingly, only 17% of those with highly confidential data at external providers ensure that it is encrypted. Virtualisation and cloud computing seem to be set to follow the trend, established over the last decade, of controls lagging behind adoption of new technologies. Given the increased criticality and confidentiality of information held on virtual storage, organisations need to respond quickly to close this control gap."
Access all areas
Meanwhile it's alleged that Cloud Computing is making it harder than ever for CIOs to set up access controls for network resources and applications used by organisation employees. According to a survey of 728 IT practitioners - the Ponemon Institute's "2010 Access Governance Trends Survey," some 73% of respondents said adoption of Cloud-based applications is enabling business users to circumvent existing access policies because Cloud-based services "are often purchased directly by business units without consideration of access governance”.
Business rather than ICT people have increasing influence over granting user access to information resources, with 37% in 2010 saying the business units had the responsibility as opposed to just 29% saying this in 2008. Even if the ICT team tries to reassert its control over half say they just can't keep pace with information-access requests. Nearly one fifth claimed: "There's no accountability in who makes access decisions."
Organisations seem to fall into three camps:
- those who rely on more causal and often manual "ad hoc" processes for defining and implementing access controls
- those who have "well-defined processes that are controlled by the business or application owners,"
- those who have "well-defined processes centrally controlled by corporate IT."
"The sales operations and business lines are buying into the Cloud, sometimes without even calling IT security," says Brian Cleary, vice president of marketing at Aveksa which sponsored the report while Dr. Larry Ponemon added: "The frustration is on top of everything you're doing on premises, you add another element to access governance."
Post new Comment