Saturday, 30 July 2011

Information Security in a Borderless World



An intrinsic feature of the internet has been its organic growth through open and interoperable standards, meaning that as a network it is inherently borderless. As a result, the wealth of information it contains is extremely vulnerable to attacks or ‘cyber crimes’ by malicious organisations, criminal and governmental, and individuals. According to the FT, cyber crime is estimated to cost the UK 44 billion USD annually. The damage cyber attacks can cause to specific organizations is highlighted by the intrusion of hackers on the Sony Playstation Network (PSN) in May of this year. The total estimated financial cost of the attack to the company ranges from 170 million USD to 2.74 billion USD, and the attack also caused incalculable reputational damage.

From a business perspective, developments of the internet, particularly Web 2.0 (e.g. social networks), cloud and mobile computing, are giving people access to an increasingly global and interconnected network. The efficiency savings offered by mobile and cloud computing, and the acceptance of social media as a natural extension of everyday life, mean that these technologies are becoming more prevalent in enterprises. But in embracing these technologies, organizations have to carefully consider their associated security risks. Unsurprisingly, a 2010 Global Information Security Survey (GISS) by Ernst and Young, which surveyed 1,600 organizations in 56 countries, showed that 60% perceived an increased level of risk from the use of these technologies.

In the case of mobile computing, the situation is compounded by the fact that employees are using personal mobile devices to access sensitive information remotely. For example, research suggests half of UK businesses permit the use of employee-owned devices, with 39% of those forgoing the use of encryption to protect corporate data. A recent report by the security software firm McAfee claims the amount of malicious software designed specifically to attack mobile devices rose 46% in 2010. In light of this escalating threat, 92% of respondents in the Ernst and Young survey view employee awareness of security as a crucial challenge.

The sheer size and openness of social networks mean they can be ruthlessly exploited by criminals. Infected links direct users to destination sites containing malicious software, which can extract pertinent information such as bank details. Perhaps the most successful case of this in action was the Koobface software, which controlled 21,790 Facebook accounts with nearly 1 million friends and managed to intuitively steal over 2 million USD. Social networks have encroached into society to the extent that they are being accessed not only in people’s personal lives but also in their professional lives. Information about specific individuals gleaned from these networks is being used to fool them into giving away sensitive corporate details, in what has been termed social engineering. It is therefore somewhat surprising that in the GISS survey only 33% of respondents saw social networking as a considerable challenge to effectively delivering information security initiatives. In light of the prevalence of social networks, particularly amongst younger generations of workers, prohibiting access in the enterprise is not thought to be the ideal solution to minimizing any associated risk. Instead, a long-term sustainable solution lies in educating the workforce about the pitfalls and dangers involved.

Cloud computing is still a relatively nascent industry, especially with regard to business adoption. It offers a multitude of potential advantages in terms of both economic and operational efficiency in outsourcing infrastructure (e.g., storage) services, development platforms (e.g., open source, service-oriented architecture) and software (e.g., enterprise applications, office productivity, web-based email) services. However, due to its infancy and focus on scalability and flexibility, there are still issues regarding the privacy and security of data in the cloud. Moreover, with data centres located in multiple countries and workload shifted as capacity management dictates, any litigation procedures are likely to be complex and expensive.

Naunidh Virk & Linda Kunecová
Analysts
Amoo Venture Capital Advisory
