IT Security Is a Top Challenge for Firms around the World

A recent survey conducted by Protiviti and the Information Systems Audit and Control Association (ISACA) found that cyber security, privacy issues, infrastructure management and emerging technologies rank as the top IT challenges facing organizations today.

The annual survey—A Global Look at IT Audit Best Practices—gathered responses from over 1,000 IT audit professionals and focused on emerging technology, IT implementation, audits, risk assessments and hiring practices. Respondents were asked to name their greatest technology or business challenges.

The following were the top 10 responses:

  1. IT security, privacy and cyber security
  2. Infrastructure management
  3. Emerging technology and infrastructure changes
  4. Resource, staffing and skills challenges
  5. Regulatory compliance
  6. Budgets and controlling costs
  7. Cloud computing and virtualization
  8. Bridging IT and the business
  9. Project management and change management
  10. Third-party and vendor management

In order to protect themselves and stay current on emerging risks, experts recommend that organizations continually review the IT risk landscape and adjust IT audit plans accordingly.

The survey also found that, while 90 per cent of large organizations conducted an IT audit risk assessment, only a little more than half of them did so on an annual basis.

© Zywave, Inc. All rights reserved

4 Things Companies Should Document to Improve IT Security and Disaster Response

An IT manager has the difficult task of overseeing people, processes and technology. And, if there isn’t a departmental emphasis on documenting pertinent information, overseeing a successful IT security program can be a difficult, sometimes impossible, task.

The following are a few items IT professionals should keep a record of in order to maintain efficient IT workflows:

  1. Incident response plans. An incident response plan not only helps companies prepare for potentially crippling IT disasters, but it can also give clients, partners and customers reassurance that an organization is committed to IT security.
  2. Key stakeholders. In the event of an emergency, it can sometimes be difficult to identify who is responsible for what. This can make responding to incidents difficult and confusing. To help ensure a quick response to incidents, identify who would be the decision-makers following a variety of scenarios.
  3. Common risks. Documenting IT information and processes not only ensures business continuity in the event of an incident, but it can help IT professionals prevent threats altogether. Experts recommend that IT departments rank their top five greatest threats and detail possible actions that the department can take if and when a threat emerges.
  4. Third-party providers. More and more IT departments are working with third-party providers, especially as data continues to move to the cloud. In the event of an incident, it is important that a company is equipped with a list of contacts if there is an issue with an off-site system.

As an added bonus to documenting key IT information and processes, other departments will be able to see how data security is handled at a high level. This not only reinforces the importance of IT infrastructure, but it can help promote company-wide buy-in as it relates to ongoing training and future security initiatives.


Young Employees and IT Security

Hiring young employees can bring fresh talent and innovation, giving your company an edge over your competitors. But that edge can quickly be erased, as young workers also bring additional technology risks. According to the 2011 Cisco Connected World Technology Report, a study involving almost 3,000 college students and young professionals under age 30, 70 per cent of young employees frequently ignore their company’s information technology (IT) policies.

Millennials have grown accustomed to sharing everything about their personal lives on Internet sites such as Facebook® and YouTube®. This poses a dilemma for an employer: If young employees don’t safeguard their own personal information, how can you entrust them with your company’s sensitive data? Companies with the need to be Internet-savvy must hire young talent, but are these employees worth the risk?

Eye-opening Statistics

The Cisco report says that 80 per cent of young employees either don’t know about their companies’ IT policies or they think they are outdated. Additionally, 25 per cent of those in the study had been a victim of identity theft before age 30.

Why are young employees negligent about IT security? The study found that some young employees’ attitudes and beliefs towards IT policies include the following:

  • They forget about the policies.
  • They think their bosses aren’t watching.
  • They believe the policies are inconvenient.
  • They think they don’t have time to remember the policies while they’re working.
  • They feel the need to access unauthorized programs to get their job done.
  • They believe security is the IT department’s responsibility, not their own.

Additional Risks to Consider

Young employees can compromise IT security by leaving their computers or other personal devices unattended, increasing the risk that both the equipment and company data could be lost, stolen or misused. Sending work-related emails to personal email accounts and using computers and social networking sites for both work and personal reasons can also compromise IT security. Millennials are more apt to blur the line between using IT for both personal and work-related purposes, which can increase the risk of negligence.

Consider that not only young employees, but all employees can compromise IT security in the following ways:

  • USB flash drives. While these are convenient portable devices for storing information, they make it too easy to take sensitive information out of the office and can be misplaced easily because they are so small.
  • Wi-Fi networks. Whether it’s an employee’s personal Wi-Fi network at home or free Wi-Fi at the local coffee shop, it is important that employees use a virtual private network (VPN) and take other security measures when they log in on networks outside of your company.
  • Laptop computers. Lightweight and handy for working remotely, laptops are also susceptible to viruses from improperly-secured Wi-Fi networks.
  • Smartphones. They provide information at your fingertips, but are also another portable way to take sensitive data out of the office.
  • Collaboration websites. Websites, such as a wiki or SharePoint® site, are great tools for employees working together on projects, but it’s critical that only authorized employees are logging in and accessing your company’s projects on these sites.
  • Social media tools. Sites such as Facebook and Twitter™ can benefit your business; however, negligent use, including sharing critical company information, can be a risk.
  • Other communication applications, such as peer-to-peer (P2P), Skype and instant messaging tools. These applications can be vectors for malware and a threat to information security.

Employers shouldn’t necessarily prohibit employees from using technology, as this list includes many tools they need to get their jobs done. It’s important to know the risks and educate young employees to use the technology properly.

Mitigating the Risks

Employers must find the balance between allowing young employees to use social networking websites and portable devices to do their jobs, while at the same time protecting company information. Employers should examine their exposures and consider what level of risk they are willing to accept. Other special considerations for managing young employees and mitigating the risk include:

  • Review your company’s IT policy. If it needs to be updated, ask recent graduates for advice on updating the policy to reflect current changes and trends in IT.
  • Make sure young employees (and all employees) are aware of your company’s IT policy and the consequences if the policy is not followed.
  • Create strong, trusting relationships between young employees and your IT department.
  • Create IT awareness materials so young employees are continually reminded of IT security risks and what they can do to prevent them.
  • Train new young employees on data protection and IT security risks, and provide refresher training for seasoned employees to ensure everyone is aware of the risks and the importance of safeguarding company information.

