Mobile communications, cloud computing and social networking are among the hottest topics in banking right now. As financial institutions try to figure out how they might benefit from these innovative technologies, they also need to understand their security implications. According to Ernst & Young's 13th annual Global Information Security Survey, while progress has been made on this count, in terms of increased security spending and updated corporate policies. At the same time, there's a long way to go before banks are really up to speed on the security implications of what Ernst & Young describes as a borderless business world.
"Borderless Security: Ernst & Young's 2010 Global Information Security Survey" is based on a survey of nearly 1,600 senior executives in 56 countries. Banking and capital markets executives represented by far the largest segment of the sample, accounting for 329 respondents; followed by technology (139) and insurance (137 respondents).
Sixty percent of the survey respondents said they perceived an increase in the level of risk they face due to use of social networking, cloud computing, personal devices in the enterprise; 37 percent said they perceived a relatively constant level of risk. At the same time, 46 percent of those polled indicated their annual investment in information security is increasing as a percentage of total expenditures, while 48 percent said it is relatively constant.
"IT is changing, and when IT changes, the security game changes," notes Jose Granado, Ernst & Young's Americas practice leader for Information Security Services. The most important implication of these IT changes, Granado states, is that "The outsider is the insider -- there are no more walls."
Elaborating on this observation, Granado argues that in a "borderless security" environment there is "a lack of control, a lack of standards, and a lack of understanding of true vulnerability of devices." Accordingly, he adds, there are a number of changes organizations should make in how they approach security. "Develop a plan, prioritize risk and make it real and associated with the threats," he says. "Keep the plan fresh, validate and review it [regularly] -- six months may be too long" to go between updates. And, Granado stresses,"take an information-centric view. Understand the life cycle of your data from creation to archive or destruction."
As corporations adopt a different approach to security, the biggest change, according to Granado, is that "the goal today is not to be secure but to be secure enough. There is no such thing as 100 percent secure. That's the key."
Looking specifically at the rise of mobile computing and communications, "the biggest issues relate to a lack of control," reports George (Chip) K. Tsantes, principal, financial services, at Ernst & Young. Fifty-three percent of the study respondents said that increased workforce mobility is a significant or considerable challenge to effectively delivering their information security initiatives. One of the reasons why there is so much concern is that when it comes to privacy and protecting sensitive information, he says, is that "consumers have different views about sensitive information. Do you use the old paradigm that everything is protected? Or do you change the model and assume everything is compromised?"
The struggle to answer these questions is a big reason why the Ernst & Young research shows "a big increase on data loss prevention, especially in financial services," Tsantes says. Sixty-four percent of the respondents indicated that data or disclosure of sensitive data was one of their top five areas of risk, while 50 percent said they plan to spend more over the next year on data leakage and/or data loss prevention technologies and processes.
If the security concerns relating to cloud computing do not seem quite as urgent, that probably is because for now most businesses are limiting their adoption to the private cloud. According to the Ernst & Young study, 54 percent of respondents who said they use cloud services indicated they are using private clouds, compared to 29 percent who said they are using the public cloud, and 45 percent using encapsulated/hybrid cloud. Those numbers could shift as more applications are made available in a cloud environment.
"Security folks need to wrap their heads around this," says Ernst & Young's Granado. "From a traditional security point of view, supporting cloud is counter-intuitive. How do I know at any point in time where my data is? Who are my neighbors? How do I really know my stuff is protected? This requires a mindset change in security professionals to let go." According to Tsantes, 90 percent of financial services professionals who participated in the research said they think potential data loss is the biggest potential problem with cloud computing. This is compared to the 52 percent of total respondents who identified data leakage as the top cloud risk.
At the same time, Granado emphasizes, the vendor community also needs to step up to the plate, security-wise. "Solution providers need to be more transparent about testing of their environment -- what are the known issues? Let us see the incident logs."
Standards -- or rather, lack of standards -- are another concern when it comes to security in the cloud. "Right now, there are no set standards to ascertain level of security [in the cloud]," Granado says. "Standards are going to have to play a big part."