Grappling with BYOD

by Mark Rowe

ISACA, the IT audit and security body, has released further insights from its 2012 IT Risk/Reward Barometer. The results point to the risk posed by employee activities on both work-supplied and personal devices. For example, a consistently high percentage of respondents across all regions cited the storing of passwords in a file on a personal device as posing a high risk to the enterprise (ranging from 72 per cent in Asia Pacific to 81pc in the US). Opinion fluctuated more dramatically when the same habit was referred to on a work-supplied device (ranging from 44pc in the UK to 74pc in Africa).

The study, conducted among 4,500 IT professionals from 83 countries, many at management level and above, suggests that organisations view ‘people’ as a high risk. It also suggests that ‘bring your own device’ (BYOD) is a phenomenon that most are still grappling with, and that corporate data travelling across geographical boundaries poses a serious threat to an organisation’s security posture.

Speaking about the study, Ramsés Gallego, international vice president of ISACA and security strategist for Dell/Quest Software said: “The information world is changing at the speed of light and this study confirms that many are struggling to keep pace—especially when it comes to managing their risk. The organisation’s perimeter is blurring, as it shifts from a physical boundary to wherever an individual happens to be at any given moment, with whatever device happens to be in their hand at the time. For example, if I travel to Singapore or Chicago with a corporate-owned laptop, my smartphone and tablet, I take the organisation’s perimeter with me. Organisations must embrace BYOD, as it’s the way people want to work. And, while BYOD sounds like an invitation to bring a personal device, the truth is people are using their devices whether the organisation wants them to or not.”

The loss of a work-supplied computer or smartphone was also identified as a high risk (scoring between 56pc and 88pc), and the use of online file-sharing services for work documents also featured highly (between 60pc and 76pc). When looking at what enterprises do and do not allow, many actually prohibit the use of online file-sharing services (ranging from 56pc to 67pc); although, Oceania and Africa seem to be more tolerant of this trend, (47pc and 49pc respectively).

Many of the organisations surveyed said they limit the use of a work-supplied device for personal purposes (ranging between 45pc and 61pc), while the harder stance of actually prohibiting personal devices for work purposes fluctuated widely (between 16pc in Oceania and 40pc in the UK). There was greater consensus among respondents that the risk of BYOD, where employees are allowed to use personal devices for work activities, outweighs the benefit, scoring between 47pc and 60pc.

Where respondents confirmed that BYOD was allowed within their organisation, the most frequently cited benefits across all regions were greater efficiency, increased productivity, cost reductions, and satisfaction of and flexibility for employees.

However, the security controls imposed on personal devices were worryingly weak: fewer than half of respondents confirmed that encryption was used to protect data stored on them (the highest score, 48pc, was in Europe). Password management systems scored slightly higher (the highest being 50pc in Africa), but the average was still below half, and some regions scored significantly lower, dropping to 39pc in the UK. The percentage of organisations with remote wipe capability for personal devices was a little more reassuring, although it also scored poorly and less consistently (varying between 23pc and 46pc).

Another notable result is the lack of controls around the practice of travelling across country borders with business data on a mobile device, irrespective of who owns it: on average, two thirds of the organisations surveyed have no policy prohibiting this. With many countries re-examining their data privacy laws, Germany being a recent example, this is set to become an issue organisations need to address, the IT body says. The use of location-based apps (eg Foursquare) may be beneficial in knowing where employees are; however, individuals may be less receptive to the prospect of being tracked. At present, the majority of organisations have no policy governing the use of these apps, with fewer than 12pc prohibiting their use for all staff.

While the greatest hurdle enterprises faced when addressing IT-related business risks varied across the regions (budget limits, lack of management support and insufficient resources were cited most often), all regions agreed that increasing risk awareness among employees was the most important action an enterprise can take to improve IT risk management.

Gallego added: “In summary, the barometer results demonstrate that employees need to understand their responsibilities—what they can and cannot do and what devices are acceptable to do it with. And, organisations need to take control if they are to manage the risk posed to the enterprise from mobile devices, regardless of ownership. The bottom line is protecting data, and ultimately the ‘brand’. For many, this may mean the capability to remote wipe devices—regardless of ownership—when a serious risk is inevitable, either because the device has been misplaced, local legislation is breached, or alternative ramifications introduced as deemed appropriate. Organisations must develop the right approach, dependent on their attitude to risk, that allows them to embrace and adapt.”

About the 2012 IT Risk/Reward Barometer

The annual IT Risk/Reward Barometer helps gauge attitudes and organizational behaviours related to the risk and reward associated with the blurring boundaries between personal and work devices (BYOD), cloud computing, and increased enterprise risk related to online employee behaviour at peak seasonal times.

The study is based on September 2012 online polling of 4,512 ISACA members from 83 countries, including 159 members in the UK. A separate online survey of 1,000 UK consumers was fielded by OnePoll from 23-25 October 2012. To see the full results, visit www.isaca.org/risk-reward-barometer.

© 2024 Professional Security Magazine. All rights reserved.