The introduction of the cloud, mobile and social strategies in the corporate landscape has brought about a massive change in the private sector. While preventing internal and external data breaches is important, these concerns don't top the list for IT executives anymore.
According to the 2012 Strategic Security Survey by InformationWeek, the No. 1 challenge faced by IT departments is managing the complexity of data security. The study found that more than half of respondents cited this issue as the biggest problem they will face in 2012. The second biggest concern, enforcing cybersecurity policies, was cited by 39 percent of respondents.
In response to these concerns, InformationWeek recommends decision-makers determine which cyberthreats are most likely to negatively impact their business and prioritize those, rather than become overwhelmed by the growing number of dangers. In other words, IT departments should get a handle on what they can control. For example, companies should hire external auditing organizations to analyze cloud computing providers, rather than simply trusting the vendor's internal audit.
InformationWeek also revealed that respondents believe the most significant practice for enforcing data protection is the use of identity and password management solutions, as 50 percent of decision-makers said these tools are important. InformationWeek analysts agreed with this result, as access control is often one of the most important and underrated security appliances available to businesses. IT departments need to spend time mastering who is allowed to enter the corporate network.
"[Properly] configuring permissions on service accounts can prevent a non-administrative user from escalating his privileges on the workstation," the report said. "Permissions are a critical portion of identity management but too often organizations only focus on user identities. Permissions are just as important."
The study also found there are significant risks associated with cloud computing.
Cloud computing concerns
InformationWeek found that the No. 1 risk associated with the cloud in 2012 is unauthorized entry to databases with consumer information or the leakage of those records. This concern has increased since last year, despite the increased adoption of the cloud and maturity of its overall security.
However, the news about the cloud isn't all bad. The study revealed that fewer companies are currently concerned with cloud-based business continuity plans compared to 2011.
This data was echoed in a separate study by CA Technologies, which found 55 percent of U.S. businesses expect to increase their use of the cloud to improve disaster recovery initiatives. While the majority of companies are choosing to implement private internal clouds, there is still a large number of firms that plan to leverage the public cloud, suggesting that worries associated with the hosted technology may be diminishing slightly with time.
InformationWeek also noted that more decision-makers are taking a stance on secure software this year than last year.
Secure software is important to mitigating risk
"Most vulnerabilities that are exploited by attackers are against web and desktop applications," InformationWeek reported. "If your organization writes such applications, you're better off finding and eliminating exploitable flaws and vulnerabilities before applications go live."
However, only 33 percent of decision-makers said they have a secure software development life cycle (SDLC) process for 2012, while 38 percent had one in 2011. The reason behind this trend is that most software developers are more concerned with delivery dates and functionality than they are about security, which doesn't directly contribute to these goals.
A separate report by the Ponemon Institute revealed that four out of five developers and nearly two-thirds of security personnel don't have a process in which they incorporate protective software into applications.
"[We found a] drastic divide between the IT security and development organizations that is caused by a major skills shortage and a fundamental misunderstanding of how an application security process should be developed," Ponemon Institute CEO Larry Ponemon said. "This lack of alignment seems to hurt their business based on not prioritizing secure software, but also not understanding what to do about it."
According to InformationWeek, IT leaders should ensure training programs are initiated that teach developers how to use secure coding procedures. Decision-makers should then leverage code analysis tools that scan applications for any vulnerabilities.
This is important considering many business managers using secure SDLC processes are putting more faith in the policies, as 33 percent of respondents believe SDLC is effective at determining application weaknesses, up from 28 percent in 2011.
Vulnerabilities vary between organizations
Overall, 183 respondents experienced a data breach in the past year, with malware being the No. 1 cause of problems, InformationWeek noted.
The study found that 66 percent of respondents said firewalls were the best defensive tool to improve data privacy and protection. Sixty-four percent, however, said taking a data-centric approach to security is the best way to mitigate risk, leaving it up to decision-makers to find the best techniques and practices applicable to their industry and organization.
Security News from SimplySecurity.com by Trend Micro