The ever-changing nature of today's IT security landscape and the increasing frequency of cyberattacks may have caused some companies in Asia-Pacific to put off investing in security. However, more effort, not less, should be put in to fight off threats to enterprise security, industry observers argued.
According to ZDNet Asia's IT Priorities 2011 survey, 70.1 percent of respondents indicated that improving their companies' security of information and systems as "top" or "major" considerations. While it was still a high figure, there appears to be a lower emphasis on security among companies considering there was a 12.2 percent drop from last year's survey findings.
The survey, conducted between August and October last year, was sent electronically to ZDNet Asia's Southeast Asia audience. It garnered a total of 511 respondents across 16 industry verticals, including IT and technology, education, government and manufacturing.
Responding to the findings, Myla Pilao, director of core technology at Trend Micro's TrendLabs, pointed out that many large multinational companies and organizations have fallen victims to data breaches in 2011, and suffering huge reputational and financial losses in the process.
Beyond security breaches, the highly interconnected business environment in Asia, which is dependent on various partners, vendors and service providers, mean that any tech or business process change is quickly and widely felt by the industry, she added. It is therefore more difficult for companies here to introduce and coordinate security efforts due to the complexity of infrastructure and partner relationships, the director said.
As such, with regard to keeping up to date with the latest happenings in the security field, Pilao said companies might feel that even if they have put in effort to fully understand a threat, a new one would soon appear and they would have to start over. This, she noted, could be why companies are devoting less time and effort in security investments.
Security shouldn't be neglected
McAfee Asia-Pacific CTO Michael Sentona, however, pointed out that there is now a greater increase in the amount of responsibility placed on users to raise their level of cybersecurity understanding. This is in light of how today's threats have become more sophisticated and targeted, and more information is being extracted from unsecured systems including databases, Web servers, and even companies' networks, he stated.
Citing an internal survey, he pointed out that governments and businesses are actually more aware now, with half of the respondents believing that cybersecurity is as important as border control.
Last year's high profile attacks on Japanese consumer electronics giant Sony and U.S. government Web sites have given more organizations the impetus to reevaluate their data management policies and ensure their data is not stolen or leaked on public domains, Sentona explained.
Since data is the "new currency" in today's business climate, Pilao stated that companies and service providers can no longer afford to neglect this most precious asset and should work on ensuring their offerings are well-protected.
To do so, Gerry Chng, partner at Ernst & Young, suggested companies revisit their security strategies.
"The conventional approach is to only focus on the few metric that top the chart for a given point of time," he said. "Without aggregating statistics from multiple dimensions, it is easy to miss out persistent attempts on an individual or group over long periods of time."
Jonathan Andresen, director of product marketing at Blue Coat Asia-Pacific, added that enterprises must deploy a purpose-built solution for Web security as they become more reliant on the Internet--which is the operating platform for all Internet-based applications--to run their businesses.
"Enterprise should [deploy] a layered defense architecture, that incorporates both network security--such as a firewall--along with Web security, typically provided by a secure Web gateway that is purpose-built," he said.
Additionally, Sentona advised companies to log everything, on top of adopting "basic security hygiene" such as antivirus, firewalls and intrusion prevention. By logging, this would help IT administrators review internal and external access controls, ensuring there are data inspection and loss prevention tools for exfiltration monitoring, among other benefits, he said.