Foad Fadaghi, Telsyte
Many Australian companies continue to throw money at their existing security platforms despite the need for deeper policy change driven by an onslaught of new technologies and the threats they introduce, new survey data has revealed.
Speaking at an Agile Security breakfast in Melbourne hosted by CSO and sponsored by NetIQ, Telsyte research director Foad Fadaghi shared the results of the company’s 2012 Australian IT Security Study.
Of more than 300 IT decision-makers surveyed, 29 per cent reported that security budgets will increase in the next twelve months, with a 14 per cent average rise in spending.
Around a quarter of companies said the spate of high-profile hacking incidents during 2011 had inspired them to revisit their own security policies, with 48 per cent and 46 per cent of respondents saying the incidence of malware and spam threats had increased in the last year. By contrast, half or more of respondents said mobile, cloud and network intrusion-related threats had stayed the same and one in five felt those threats were decreasing.
Three-quarters said the incidents had prompted increased awareness amongst senior management and board members, while half reported an increased focus on operating system and 42 per cent said they had increased their focus on backups and disaster recovery.
Interestingly, amongst those affected by the 2011 incidents, 39 per cent said the high-profile events had made it easier to get approval for security spending, and 36 per cent had seen their general security budget increased.
Although this reflects a growing awareness of critical security issues, Fadaghi warned against complacency, saying that money isn’t enough by itself to protect companies for whom security has often been difficult to approach in a focused and coherent manner.
“Preparedness comes from vision and process, not just budgets and reactive spending,” he said. A better long-term strategy is for companies to adopt ‘agile’ security principles that, like the agile development processes currently revolutionising the process of building enterprise applications, are built around near-continuous review and an ever-present willingness to adapt security strategies to new threats and changing circumstances.
This had been difficult for many companies, who faced assaults on so many levels that agile security remained an elusive concept rather than an actionable strategy.
“The proliferation of these technologies has been happening very quickly,” Fadaghi explained. “It has put too much on most people’s plates, and we’re getting distracted from being agile enough to deal with them. In a couple of years, we could see cloud and mobile becoming persistent issues on their own.”
Despite the potential impact of these threats, fully 65 per cent of companies will retain existing spending levels – suggesting that many companies are still failing to recognise the long-term compounding effect of new security threats posed by technologies like Web applications, cloud computing, and mobile devices.
Only 18 per cent of respondents said cloud data security was a critical priority. Mobile security was named by 22 per cent as critical, and nearly one in six respondents reported issues around mobile threats. While advanced persistent threats were an area of strong concern, social networks were particularly worrying given the amount of data they are accumulating about individuals’ likes, histories, and daily activities.
“It’s no surprise that persistent threats are at the top of the scale, but more businesses are experiencing threats related to mobile and social engineering,” Fadaghi said, noting that 14 per cent and 15 per cent of respondents, respectively, had reported security incidents related to social engineering and mobile technologies.
Only 21 per cent of respondents said they intended to add mobile device security software in the next 12 months – despite malware being the respondents’ top security concern.
“There is an enormous amount of data that every day is being shared on social networks,” he said, “creating a pool of information that is primed for people looking to expose social engineering as a threat. The cloud is really a honeypot for information.”
As companies move to embrace cloud, mobile and other new technologies, the key was to integrate security from the ground up rather than allowing it to be an afterthought.
“Agile security means taking less reactionary tactics in the event of an incident,” he said. “Security is increasingly becoming part of the day-to-day processes we put in place. If we have good information security as part of our processes, when a technology like media tablets comes along we can be more confident in using it.”