I recently read an article in ZDNet Asia that reported that approximately 67% of Singapore organizations had experience a cyber attack in the last 12 months. Further, 95% of those that were attacked experienced some form of financial impact from the attacks. While I cannot comment on the results of the study directly, the results are not unexpected.
Overall, IDC believes that over the coming years the number of cyber attacks will continue to increase. The main drivers for this are threefold. The first driver is value of intellectual property that can be gained through the cyber attacks has continued to grow. Over the past year IDC has seen an increase in the number of Advanced Persistent Threats (APT) attacking corporate and government ICT systems. The attack on Lockheed Martin involving the breach of RSA SecurID tokens earlier this year is an example of this type of attack. These attacks tend to be the most sophisticated of all attacks.
The second driver is financial. In many cases the goal of the attack is to gain consumers personal financial information for pure theft. These attacks tend to be less sophisticated as the targets tend to be less aware of the security threats. IDC believes that these types tend to increase during economic downturns, which is exactly the time that enterprises are looking to cut budgets. The reason for the increase is an increase in financially distressed people with IT skills who are willing to turn to nefarious ways to maintain their income.
The third and final driver is an increase in hactivism by organizations like Anonymous. These attacks are motivated by a growing population of disaffected people. They are looking to make a statement about a real or perceived injustice. These tend to be much more simple attacks such as denial or services attacks.
In order to address the rising number and in some cases the sophistication of cyber attacks, IDC believes that organizations will need to approach security in a different way. The traditional methods of isolating systems through firewalls will not be sufficient as the systems become more complex. From a traditional IT perspective the introduction of both public and private clouds create significant challenges.
Additionally, the consumerziation of IT and policies like bring your own device dramatically increase the number of threats that organizations will face in the coming years. IDC expects these threats will only grow as the number and variety of mobile devices continues to expand.
In the coming years, IDC recommends that organizations need to expand their approach to security. Security needs to become more advanced and organizations will need to take a more holistic approach to security. This will involve the deployment of a variety of products from different vendors and IT consulting and integration services required to make systems all work together. From a product perspective, the systems will need to become application device and location aware. For example, going forward it will no longer be sufficient to merely determine that I am allowed to access a certain system or data. The security system will need to know what type of device I am using, where I am, and what type of network I am using before granting access.
Finally, IDC believes that organizations will need to do a much better job of educating their employees. In many cases the employees may know that they employer has a security policy, but have no idea what that policy is. This can be a delicate process as most end users eyes tend to glaze over when IT begins to discuss the rising security threats and what steps are needed to prevent a breach. Further, most end users view security not as an essential part of their computing environment, but as a roadblock to productivity. To overcome these objections, IDC believes that IT will need to better speak the language of the end user. In many cases this is difficult for IT to do.
Poon Wei Ang contributed to this analysis
Matt Healey is the Program Director at IDC Asia/Pacific, heading the Software and Services Research teams. He is responsible for identifying growth markets, evaluating vendor market share and emerging trends across all software and services markets.