Mobile and Cloud Computing Widespread Despite Risks
Of greatest concern to executives and IT professionals in North America is the practice of allowing employees to use their personal mobile devices to access business information and contracting with "public cloud" service providers, an ISACA survey finds.
Albert G. Holzinger
February 01, 2013
The results of the 2012 IT Risk/Reward Barometer survey (PDF) offer North American-based organizations insights into the security and other risks that can arise from adoption of two emerging business technologies, mobile and cloud computing. Responses to the survey, conducted late last year by the Chicago-based professional association ISACA, also may spark some thoughts about how best to mitigate some of those potential threats.
Less than one in five (19 percent) of the approximately 1,800 senior executives, IT professionals, and IT consultants in the United States and Canada who participated in the survey is enthusiastic about widespread deployment of mobile computing, particularly the "bring your own device" (BYOD) practice in which employees are allowed to use their personal smartphones and tablets to access business information. Most (51 percent) say the attendant risks of this practice outweigh the potential benefits, and 30 percent perceive the risks and benefits as merely balanced.
This sentiment notwithstanding, 72 percent of respondent organizations permit unrestricted or limited employee use of personal mobile devices for business purposes. Conversely, 81 percent allow the use of work-supplied devices to some extent for personal pursuits such as online shopping (72 percent) and social networking (64 percent). Among respondent organizations that embrace BYOD, the most-often-cited justifications are increasing employee efficiency and productivity, reducing technology purchase costs, heightening employee job satisfaction, and making business information more easily accessible to staff working remotely.
More respondents say storing passwords on a personal (80 percent) or employer-supplied (52 percent) smartphone used to access company data is a higher-risk activity than any other mobile-computing practice. Other high-risk activities and events identified include losing a work-supplied smartphone or computer (77 percent); distributing business documents via online file-sharing services such as Dropbox and Google Drive (67 percent); and downloading personal documents, music, photos, or other data onto a work-supplied smartphone or computer (57 percent).
A plurality of respondents estimates that less than 20 percent of security incidents at their organization stem from employee use of personal devices for work activities (44 percent) or employer-supplied devices for personal use (29 percent). Intriguingly, 24 percent of respondents estimate the use of employer-supplied devices for personal activities is the root cause of 80 percent or more of their organization's security incidents, but just 5 percent estimate the use of personal devices for work activities results in high percentages of security incidents.
Respondent organizations are mitigating their mobile computing risks from personal devices in part by data encryption (46 percent), remote device-wiping capability (45 percent), and strong password management (42 percent). "Companies that embrace BYOD also should implement security awareness training," adds Robert Stroud, a member of ISACA's Strategic Advisory Council and vice president at CA Technologies Inc. in Islandia, N.Y., in a press release. ISACA advocates an "embrace-and-educate" approach to get "the benefits of BYOD while mitigating the associated risks." Yet, 32 percent of respondent organizations are taking none of these preemptive steps.
One-third of respondent organizations contract with "public cloud" vendors for routine (25 percent) or mission-critical (8 percent) business capabilities. Most (21 percent and 33 percent, respectively) use proprietary "private clouds" for these purposes. About one-fourth (16 percent and 10 percent, respectively) use some hybrid of these two cloud variants to facilitate these operations. Overall, 11 percent of respondent organizations spend 30 percent or more of their IT budget on cloud-related activities in an attempt to lower IT costs, improve resource scalability and accessibility, gain efficiency, keep pace with competitors, and achieve greater flexibility and convenience.
Despite its widespread adoption, however, 69 percent of respondents say public-cloud computing's risks exceed its benefits. Conversely, just 11 percent believe the benefits outweigh the risks, and 21 percent perceive the benefits and risks as relatively balanced. The corresponding risk-reward percentages for private-cloud computing are a much more favorable 10 percent, 57 percent, and 34 percent, respectively. For hybrid-cloud computing they are in the middle: 38 percent, 17 percent, and 45 percent, respectively. Respondents say their greatest overall cloud risk concerns relate to data security, uncertainty, vendor unreliability, lack of controls, and data ownership.
More than one-fourth (27 percent) of respondents perceive the most significant impediment to addressing IT-related business risks from all sources is inadequate staffing and time, followed by the unwillingness of management to fully engage in risk management (22 percent) and limited budgets (21 percent). The most important action an organization can take to improve IT risk management — identified by 36 percent of respondents — is increasing risk awareness among employees, followed by improving coordination between the IT risk management and overall risk management functions (23 percent), increasing the adoption of IT risk management best practices and control frameworks (19 percent), and providing senior management with a holistic view of risk (18 percent).
Respondent organizations generally plan to keep their information security (47 percent), IT risk management (55 percent), and IT assurance (56 percent) staffing at current levels during 2013. However, many — 39 percent, 28 percent, and 23 percent, respectively — plan to increase the staffs of these functions.