It's an unpleasant irony: The more IT advances, the more vulnerable enterprises, not to mention individuals --become to hackers, crackers and all sorts of nerve-wrackers. There's nothing new about this conundrum, other than that the situation continues to worsen.
In an industry that proclaims adherence to "Mobile First, Cloud First" strategies, the vulnerability index is likely to grow more depressing. Every communications session between your enterprise and a cloud provider, and every new mobile device that comes into contact with your network(s), creates a new potential chink in whatever security armor you've deployed.
And there's no putting these genies back in the bottle--mobile and cloud communications and transactions will only grow in the future.
On the one hand, it's easy to point fingers at the software, hardware and services vendors. When a new product or technology emerges, the vast majority of the effort goes into making it work and getting it into the market. Management and security are, too often, treated as afterthoughts.
I don't know what it'll take for that situation to change, but it'd sure help if we stopped buying products that don't demonstrate rock-hard security and effective management. To be sure, security and management tools can be costly, and in these times of ever-constricting budgets, anything that increases costs is an anathema to both buyers and sellers.
The counter-argument is that security breaches are enormously expensive. I've seen estimates that put the cost-per-record-per-breach at around $200. When you do the math, that can quickly turn into a frightening number. So, it's kind of a "pay-someone-now, pay-someone-later" situation.
Apart from insisting that sellers provide secure products, there's also a big gap between what enterprises can do vs. what they are doing. Last year, an outfit called the Ponemon Institute, which does research on privacy, data protection and information security policy, surveyed about 800 IT security professionals on how they handled "regulated data"--which Ponemon defines as "sensitive and confidential data that organizations are legally required to secure and protect. Examples include protected health information, personal financial information, credit-card details and employee and customer records." Among the survey's findings:
• 67 percent of the 798 IT security practitioners said their organizations know that they must comply with privacy laws protecting such data, but only 12% said that their organizations do comply.
• Only 18% said their organizations were aware that the laws apply to data on mobile devices.
• 59% of respondents said their organizations allow employees to use mobile devices to access regulated data, but only 26% believe their employees know it's important to protect such data.
• 19% said their organizations know how much regulated data resides on employee mobile devices.
• 78% said they believed the risk of regulated data on mobile devices is increasing, but only 45% said their organizations understand this risk.
• Only 22% said their organizations use measures that specifically address mobile device security (mobile device management, mobile digital rights management or mobile application management).
Clearly, there's a lot of work to be done on the security front. It's going to take commitment from both buyers and sellers to make the investments to harden our systems, software and services. And it's going to take a more energized approach to working with end users to protect corporate devices and data.
If we fail, there'll always be someone else that we can blame. In the aftermath of a breach, however, the words of the Bard may also be applicable: The fault lies not in our stars, but in ourselves.
