IT security—I can’t think of another topic that prompts more contradictory beliefs and behaviors.
On the one hand, surveys show that security concerns are among the main obstacles keeping companies from migrating to the cloud or outsourcing IT structure and functions. On the flip side? Those same surveys reveal that half or more IT employee-users do not have a clue about IT security.
From my perspective, that reluctance to migrate to the cloud or outsource IT functions is one of the biggest problems caused by lack of understanding, because, according to Maria-Martina Yalamova, a specialist in cloud computing law, “frequently, reputable cloud service providers offer much greater security (emphasis is mine) than individuals or enterprises can achieve on their own.”
Yalamova was quoted in an article by the International Organization for Standardization (ISO), an independent, non-governmental organization and the world’s largest developer of standards and specifications for international trade.
“These [outside IT] providers invest significant resources in ensuring that their systems utilize state-of-the-art security measures, and routinely stress-test and strengthen these measures,” Yalamova said.
“Many comply with international security standards and are subject to contractual and legal/regulatory obligations to keep data secure and private. And they offer customers a range of privacy controls to protect their data, depending on the type of data involved.”
In other words, reluctance to move data to the cloud because of perceived security risks is not an actual problem—it’s a perception problem.
A survey by Verizon Enterprises of 625 IT decision makers revealed that most respondents who have migrated to the cloud experienced no impact on data security (34 percent) or had improved security levels (39 percent).
Whether the threat is real or not, executives have to face their fears about cloud security. Migration to the cloud is inevitable—the U.S. government adopted a “cloud-first” policy in 2010, and more companies are doing the same.
Spending on cloud technology will reach $131 billion by 2017, up 18.5 percent from $111 billion in 2012. Analysts at Gartner predict that 2016 will be a “defining year” for the cloud, “as cutting-edge technology will just get more sophisticated in the next few years.”
Here’s the irony: There are indeed IT security risks—and the vast majority come from inside your own organization. Maybe even in your C-suite offices.
The two biggest IT risks are the failure to conduct an annual security assessment and the lack of employee policies governing access to and use of the internet (or the failure to enforce them).
What’s scary is that executives believe that, overall, the cloud isn’t secure but their own systems are fine. Verizon Enterprises’ annual survey of IT decision-makers in critical industries such as finance, energy, transport and the government found a “disconnect” in the executives’ confidence in their own security, despite the ever-increasing incidents of attack.
Eighty percent of those surveyed by McAfee for the 2015 Aspen Institute Security Forum believe cyber security is a national and economic threat. Yet almost 75 percent expressed confidence in their own organization’s ability to detect, block or mitigate attacks—despite the fact that 9 out of 10 had a security breach of some kind in 2014.
Human error due to lack of awareness, use of unauthorized online sites and use of social media at work were the top three causes of successful attacks, according to almost every survey I read. People in the financial services industry loaded CDs into their work computers despite printed warnings to check company guidelines before using them.
More organizations are developing policies regarding the use of information assets, including the Internet. But enforcement of the policies is loose. According to a Channel Insider article, more than 40 percent of the worst security incidents involved inappropriate Internet access.
These security breaches are expensive. The annual British Information Security Breaches Survey on IT security issues says 90 percent of large organizations (more than 500 employees) and almost 75 percent of small organizations suffered security breaches in 2014. Costs (lost sales, recovery costs, business disruption and other elements) for both small and large organizations ranged from $1.14 million up to $4.71 million.
Yet one-third of the organizations surveyed had never done a security assessment.
That failure, wrote the authors, “raises questions whether businesses have the skills or experience to perform these to an adequate degree.”
What Are You Doing to Maximize Security?
From a systems standpoint, what you should do is consider outsourcing your infrastructure and migrating to the cloud. Naturally, as CEO of an IT company that serves only small and mid-sized firms located in Chicago, I think you should choose a local firm with the highest possible reputation to guide you through this process. You may at the same time discover the economic and internal productivity benefits of partnering with an IT service provider to manage your environment both inside and outside of the cloud.
Here Are Some Other Steps Every Company Should Take:
- Establish a security policy. Setting and communicating guidelines here will mitigate your risk and help drive internal compliance.
- Involve your IT executives in developing and enforcing policies, both for outsourcing cloud services and employee use.
- Create clear limits on employee access to the Internet and e-mail for personal use, specify the consequences of misuse, and enforce the policy. Most companies that have such policies don’t enforce them.
- Conduct an IT security assessment. Select an independent firm you trust and be prepared to take action on weaknesses detected.
Finally, remember Ben Franklin’s advice: “An ounce of prevention is worth a pound of cure.”