2009: Bad times means worse security?
Businesses in Asia that are driven by the recession to strive for leaner, meaner IT, need to consider how their cost-cutting impacts security, warn industry experts.
Even as frugality is expected of IT departments this year, the move to options that support cost-cutting--including software-as-a-service (SaaS) and cloud computing--should be assessed for risk to the business, said Lawrence Ong, regional business manager for security at Datacraft Asia.
An IT risk assessment is something that businesses cannot do without this year, he added. "In IT security, risk management is dependent on the risk assessment process, which usually involves identifying threats, determining vulnerability to threats, the impact of threats and the likelihood of threats occurring."
| The increasing prevalence of netbooks certainly puts us at risk of an increase in our collective vulnerability, if only because they make it easy for us to do work in places and circumstances where we also expect to be able to relax and let our guard down. |
| Paul Ducklin, Sophos |
Judy Wu, IDC's research manager for infrastructure software in the Asia-Pacific region, added that risk management will be a "top concern" for many large enterprises in the region, and such companies will adopt a "more disciplined" approach tapping on frameworks such as Cobit (Control Objectives for Information and related Technology), ISO 27001 and ITIL (IT Infrastructure Library). A significant number will "conduct periodic vulnerability assessments to identify the risk level, security posture and ensure policy compliance", she said.
Referencing to Gartner research, Eric Hoh, Symantec's vice president for Asia South and head of global accounts in Asia Pacific and Japan, noted that cloud-based services will more than triple in many security segments and will "dramatically" impact the industry in 2009.
"Cloud computing will enable security controls and functions to be delivered in new ways and at relatively short notice in response to unanticipated security events," Hoh said in an e-mail. "However, the increase in use of cloud-based services means that many mobile IT users will be accessing business data and services without traversing the corporate network--increasing the need for security controls to be deployed between mobile users and cloud-based services."
According to Paul Ducklin, Asia-Pacific head of technology at Sophos, the emergence and fast-rising popularity of affordable netbooks, even in the enterprise market, can also be cause for concern in 2009.
"This sort of mobile platform won't get theoretically more vulnerable as a platform, since it runs a regular desktop-style operating system and can, in theory, be protected just as well as the desktop PC in your office," he explained in an e-mail interview. "But the increasing prevalence of netbooks certainly puts us at risk of an increase in our collective vulnerability, if only because they make it easy for us to do work in places and circumstances where we also expect to be able to relax and let our guard down."
Mobile threats still a focus
Industry experts told ZDNet Asia that enterprises need to guard against threats exploiting mobile phones and handhelds, in the year ahead.
The number of smartphones worldwide increased from around 300 million in 2007 to 450 million last year, and will continue growing, said Jari Heinonen, Asia-Pacific vice president at F-Secure.
"There will be an increasing number of people conducting transactions on-the-go or storing important personal and business-related information such as contacts, photos, passwords or e-mail on their smartphones," he pointed out. "Possessing such a wealth of valuable information, the mobile platform will increasingly become a more attractive target for malware authors moving forward.
"Although there has not been a significant increase in malware for mobile phones as yet, it is important to secure these devices with antitheft or security solutions in case they get lost, stolen or infected with mobile malware," added Heinonen.
IDC's Wu pointed out that over 70 percent of workers will connect to corporate networks via mobile devices, within four years. "This trend will bring data leakage and compliance issues to the mobile platform," she said, adding that the scenario would drive network access control issues to the forefront.
Stree Naidu, regional vice president for Asia-Pacific and Japan at Tumbleweed, said the mobile platform will "without doubt", become more vulnerable as more Web-based services, including e-mail communications, are accessed through it.
End-users either lack education or take it for granted that their communications are secured and remain unaware of the potential threats," he noted. "[They] become even more vulnerable to threats as they are caught off-guard by viruses that may attack Web-based mobile communications."
According to Symantec's Hoh, the number of mobile device threats reported in the wild is "relatively small". However, the types of threats that have emerged demonstrate the advanced capabilities of these devices. "As mobile computing becomes more common and mobile devices become more complex, it is likely that other avenues of attack will be discovered," he said.
In 2009, businesses will also have to deal with increased attacks relating to the global economic crisis, added Hoh. Phishing scams targeting the unemployed, for example, could contribute to greater fraudulent activity.
And, according to Daren Leong, vice president of sales for the Asia-Pacific region at Vasco Data Security, there will be "no single 'magic pill'" for enterprises to cope with the onslaught of security challenges. "Businesses will need to put together a 'cocktail' of defenses in order to effectively protect their networks," he noted.