Proactive approach key to securing future enterprise

Organizational security in the Asia-Pacific region has made progress in recent years but amid continued emphasis on cost reduction, enterprises must better align security strategy to business needs to future-proof their investments.

Gerry Chng, Ernst & Young's Far East area leader for information security, told ZDNet Asia in an e-mail interview that over the last decade, IT security has evolved from a "tactical and reactive" stance to one that is "more strategic and proactive".

"In recent years, we have seen organizations implementing data protection initiatives to better manage how internal employees and partners are handling information which is the lifeblood of an organization," Chng said. "This shows organizations are now cognizant of the fact that the role of information security is really to make sure key information within the organization is accurate, reliable and secured against disclosure to unauthorized parties."

Vincent Goh, managing director for Southeast Asia at RSA, the security division of EMC, noted that consumers in general have become more concerned about their personal data or identity stolen online and this highlights the need for corporate entities to be stay vigilant.

Citing findings from the RSA 2010 Global Online Consumer Security Survey, he said in an e-mail interview that 99 percent of Singapore online banking users, compared to the global average of 86 percent, were anxious about their personal information being accessed or stolen via banking Web sites.

Businesses suit up
Along with the fast-evolving threat landscape, enterprises are also beefing up their security spend.

A ZDNet Asia survey in November 2009 found that businesses in the region were looking to enhance their security posture this year. In particular, nearly four in 10 respondents said implementation of network security, as well as antivirus, antispyware and systems to manage malware, were on the cards this year.

Early this month, market analyst IDC forecasted the 2010 security software market in the Asia-Pacific region excluding Japan will grow 21 percent over 2009. Judy Wu, research manager of security software at IDC Asia-Pacific's domain research group, said in a statement that the demand for security tools "remains strong", boosted by new IT deployments as a result of the economic upturn.

Yet, in spite of the economic recovery, the "mantra of doing more with less still resonates in the minds of many business decision makers", Goh said.

"Justifying returns on investment has become increasingly difficult and companies are finding it harder to build a business case for additional technology spending," he pointed out.

Ernst & Young's Chng said businesses can optimize their security spend if they put in place a security strategy that is aligned to their business needs.

"This helps organizations plan ahead and to evaluate how their current investment may be impacted by future IT changes necessitated by changing business models or channels.

"Organizations would also benefit from measuring key performance indicators proactively so that they can prioritize their investments based on areas that need further attention," he explained.

Moving forward, enterprises in the region are exhibiting an interest in governance, risk and compliance initiatives, which Chng noted was a result of organizations needing to consolidate and correlate key strategic indicators from a heterogeneous environment in order to make relevant business decisions.

This scenario in turn reflects a more proactive approach to information security, where organizations strive to measure and respond to key indicators that are of importance to the organization, he said.

As to what threats enterprises should watch out for in the near future, security vendors pointed to dangers associated with the increasing reliance on the Internet for work and play.

Michael Sentonas, McAfee's Asia-Pacific CTO, said in an e-mail that the attacks on Web sites using sophisticated malware, which was observed in 2009, is set to continue. Another example of attacks in the Web 2.0 space is exploits on toolkits, which have been known to target services such as Facebook and Twitter.

Targeted e-mail attacks will also continue to plague the enterprise, Sentonas noted. "This trend is growing as it is still an effective tool for criminals who are trying to exploit unsuspecting users when they open seemingly legitimate e-mail messages."

Advanced persistent threats, such as the Operation Aurora attacks against a number of companies including Google, are another example of sophisticated malware designed to steal information or intellectual property from organizations.

RSA's Goh also highlighted concerns over the use of social networking sites for business purposes.

"While I do not believe there is a need to deny access to social networking sites, companies must educate their staff to err on the side of caution," he said.

"Employees should always be cautious about divulging company information on their personal sites as well as stay vigilant through simple measures, such as only accepting contacts that they are familiar with and avoiding posting details such as telephone numbers and addresses on their profile pages."

Another enterprise phenomenon that could pose risks to enterprises is cloud computing, noted Goh.

To better manage cloud implementations, he advised organizations to architect a security strategy that would enable the security of information flow between private and public clouds, and create suitable security policies around cloud infrastructures.