Cloud computing and social networking expose businesses to attacks

Business use of technology is evolving faster now than at any point in the last decade. Internet use has moved way beyond email and websites and into the realms of social networks and cloud computing.

These changes have increased the vulnerability of UK companies and public sector organizations to new cyber attacks. Hacking and DoS attacks have doubled in the last two years. As a result, security remains high on management’s list of priorities. These are among the findings a survey by PricewaterhouseCoopers.

The rate of adoption of newer technologies has accelerated over the last two years and most respondents now say they use wireless networking, remote access and VoIP. Some 85% of smaller organizations said they were using wireless, almost double the use in 2008. The number of organizations allowing staff to have remote access to their systems has also increase with nine tenths of large companies now doing this.

As organizations have looked to cut their IT costs, they have increasingly turned to external providers who host applications on their behalf. These services, including SaaS and cloud computing, are now used by over three-quarters of the organizations polled and of these, 44% said they were entrusting critical services to third parties. All sectors are making use of the services, but government is least likely to release control of critical services.

At the same time that companies are increasing their dependence on other organizations for their IT services, there has been an explosion of new cyber attacks. 61% of large organizations have detected a significant attempt to break into their network in the last year, twice as many as two years ago.

Some 15% of large organizations have detected actual penetration by an unauthorized outsider into their network in the last year, and it is likely that many more were undetected. 25% of large organizations have suffered a denial of service attack in the last year, also more than double the proportion in 2008. Outsourcing IT services does not make the security risk go away, but few companies are taking enough steps to ensure their outsourced services are not vulnerable to attack.

Responding to the data leakage threat

The increasingly inter-connected business environment and prevalence of externally provided services is reflected by a growing data leakage threat. That threat is driving an increased demand for assurance over third parties. ISO 27001 is becoming a common standard for compliance; 40% of large organizations are being asked to demonstrate compliance with the standard.

ISO 27001 and PCI standards are also driving adoption of some specific security mechanisms. PCI, in particular, is driving more encryption of website transactions and sensitive data fields in databases. However, organizations that need to meet government requirements are more likely to encrypt data transfers and removable media.

Staff postings to social networking sites pose a new data leakage risk. Yet, at the same time, social networking is increasingly important to businesses. Organizations are reassessing their approach to controlling staff access to the Internet. The trend, established between 2006 and 2008, of allowing more staff to access the Internet has been reversed. Nearly half of large organizations now restrict which staff can access the Internet; less than a third did so in 2008.

Organizations want to allow effective use of the Internet, but reduce inappropriate use. Use of software to block access to inappropriate websites is slightly up on two years ago. Web access logging and monitoring is relatively static. However, more sophisticated use is being made of these tools than in the past. Organizations are one and a half times as likely to monitor postings to social networking sites if social networking is considered very important to their business.