Think back ten years - had you heard of social networking sites? Thought not. More change is certain this decade, but it won't come risk-free, as Sarah Edlington reports
As technology changes in the next 10 years, so will the risks. Simon Oxley, director at Citicus says: “If you look back on the technology changes over the last 10 years, it is clear that many, if not most changes would not have been predictable. Take for example, the rise of social networking technologies and their impact on our expectations and standards for privacy.”
Dr Neil Berry, data director at Deloitte comments: "Although it is difficult to predict what technologies will have the most impact on businesses in the future, we're likely to see a maturation of existing software, devices and platforms coming to the forefront.”
One key trend is cloud computing. Berry says that since cloud computing rises to prominence, more businesses are opting to store their information in the 'cloud' or, at least, offsite, and this is something that is expected to continue in the years ahead.
Steve Fowler, CEO of the Institute of Risk Management, who was IT Director for RSA's commercial insurances division before joining the IRM, says: “'Cloud computing', where a firm effectively outsources its IT applications to a web-based provider such as Google Docs or Amazon Web Service, is the subject de jour amongst IT directors.”
Steven Babb, senior manager, IT Advisory at KPMG thinks that development of cloud computing “is a significant change with a clear impact on risk management, with common risks in the areas of data integrity, data confidentiality, data availability, legal and regulatory compliance and the ability to audit third parties.”
Fowler agrees: “Data may also be stored in jurisdictions that have different legal requirements to the firm using the service.” And these risks are at the front of many minds, as a recent report shows.
Between August and September 2009 COLT, a business communications company, surveyed 352 European CIOs about cloud computing. 68% of the CIOs in Europe said that security fears prevent them from adopting cloud computing services. But equally, nearly 65% “expect 21-60 per cent of their IT portfolio to move to cloud services within the next 12 months,” COLT reported. Companies see the benefit of cloud computing but are worried about the risks it may create.
Cloud computing isn’t the only new development, Babb says: “In addition, there are other changes we are seeing in the technology space that are driving IT related risk. These include: increasing use of mobile computing (convergence of media, communications and computing technologies) and the increasingly complex outsourcing and off shoring models, in particular with prime and sub-contractors operating in multiple locations around the world.”
Fowler says that mobile computing, especially through smart phones, is a headache for most IT departments. He continues: “Having 'locked down' the office, firms find staff breach security by accessing their desktops through cheap and easy to obtain iPhone applications.”In fact, mobile computing could be a major growth area.
Cisco released their Visual Networking Index: Global Mobile Data Traffic Forecast Update for 2009-2014 in February. They predict that there will be a compound annual growth rate of 126% between 2009 and 2014 in enterprise mobile applications. These applications are currently used for giving employees secure access to their e-mail and allow sales teams to access company databases. Whatever the technology, it is the data which is important, as Berry explains.
"Data is one of the most valuable assets an enterprise can have, but it can be one of the easiest to abuse, particularly from within an organisation. 'Insider threats' not only include people with access to an organisation's facilities, but also those individuals with the tools and motive to cause harm to a business.” Even Mother Nature could affect technology and its security.
“The global nature of IT can expose firms to flood or earthquake when their data or applications are run from sites in exposed locations,” says Fowler.
Oxley believes that it is a futile task trying to second guess how specific technologies will evolve, how these will be exploited and what new risks they will bring. But companies are not completely at the mercy of new technologies as he goes on to explain. “What organisations need to do is build structured risk management processes, ensuring that at the point new technologies are implemented, they are subject to a proportionate and timely risk assessment exercise.”
Berry agrees and gives an example. A business may wish to consider implementing a technological audit, he says. “This is an ongoing process of creating, implementing and tracking key indicators that pinpoint risks, patterns, causes and effects of misuse and or non-compliant activity including surveillance and detection. This is not a one-off initiative for businesses. Instead, the technological audit should form part of a long-term strategy that helps you to understand your workforce and, ultimately, safeguard your information assets."
Fowler suggests that companies “have an up-to-date business continuity plan, not just a facilities and IT disaster recovery plan. And do test it and do make sure you build your plan to allow for a broad range of possibilities, not just traditional ones.”
Babb sums up the future: “In the world of technology, 10 years is a lifetime; the technological changes we will see are moving faster and faster and this trend will continue. The key thing we can expect is that change will happen and this will have an impact on risk management. The key influencing factors are the steps companies take to identify these risks and the prioritised actions they then follow to mitigate them.”
Postscript
Sara Edlington is a writer and researcher specialising in technology