New tech increases enterprise risk

The majority of companies in the region realize that the adoption of new technologies will increase their business risk but few have implemented measures to address such risks, according to a new study.

Released Monday by consulting firm Ernst & Young, the information security survey found that 62 percent of respondents in Southeast Asia said increased use of external service providers and adoption of new technologies, such as cloud computing and social networking, augmented their business risk. Some 59 percent said they planned to increase their annual investment in information security.

Conducted between June and August, the survey polled almost 1,600 organizations in 56 countries including Singapore, Malaysia, Sri Lanka and the Philippines.

However, only 35 percent of respondents in Southeast Asia had an IT risk management plan to address risks associated with their adoption of new technologies, while 16 percent viewed examining new IT trends a very important activity for information security functions to perform.

Gerry Chng, IT risk and assurance partner at Ernst & Young Advisory, said in the report: "Technology advances have provided an increasingly mobile workforce with seemingly endless ways to connect and interact with colleagues, customers and clients. These advances represent a massive opportunity for IT to deliver significant benefits to the organization but new technologies also bring about new risks.

"It is vital that companies reevaluate whether their existing risk management practices are sufficient to handle the challenges arising from increased mobility and data sharing," he noted.

Chng added that the growing use of mobile tools in the workplace drives up the level of risk and organizations need to provide training and educate their employees about such risks, alongside the need to reengineer information flow.

In fact, about 50 percent of respondents in the region said the widespread use of mobile computing devices and the need to provide access to information anywhere, anytime, posed a considerable challenge to their company's effective delivery of information security efforts

Some 63 percent pointed to users' level of security awareness as a considerable challenge, the study revealed.

Data also risky
Apart from workforce mobility, 73 percent of Southeast Asian respondents highlighted the continuous availability of critical IT resources as another top IT risk, while 56 percent identified the stability of applications and databases.

Chng added that such concerns were particularly important for companies that operate a central or shared service infrastructure for their regional facilities.

The survey revealed that respondents also recognized data as a key IT risk with half noting that they would spend more to prevent data leakage and loss. To address such risks, 47 percent said they were making policy adjustments, while 46 percent would increase activities security awareness and 35 percent would look at stronger identity and access management controls.

Chang said: "Consistent with the expanding use of mobility technologies and data sharing through outsourcing arrangements, companies are increasingly concerned about the risks of data leakage, whether intentional or accidental.

"To that end, we have seen more organizations reviewing their existing data protection frameworks and implementing enabling technologies to address the gaps identified."

He added that regulatory concerns on privacy and data protection were holding back the adoption of cloud computing among companies in Southeast Asia.

Sixty percent of respondents said they had not deployed any cloud services and had no plans to do so over the next 12 months.

Chang noted: "With the exception of very large organizations, companies will also likely find it difficult to mandate that providers of shared services adhere to the companies' security policies. Until there is an internationally consistent privacy and data protection framework, adoption of public cloud computing will be limited to local or regional companies for non-core information.

"Private clouds, on the other hand, are being explored by organizations to create an internally shared infrastructure combined with server and desktop virtualization. As it is entirely within the organization, risks are relatively easier to manage and control," he said.