The global information systems organization ISACA is urging businesses to prepare for tough decisions in the year ahead in three areas: data privacy, cloud computing, and increasingly complex cyber-threats.
Interest in private or hybrid (public/private) cloud solutions is expected to grow because of information security concerns, according to ISACA.
Meanwhile, cybersecurity threats are expected to keep growing more sophisticated and to endanger consumer data and international supply chains.
And consumer and employee concerns about data privacy are growing, according to ISACA.
“Privacy by design, confidentiality of location-based information, the consumerization of IT, and an increase in legislative and regulatory mandates that will drive more privacy audits are among the top 2013 trends in data privacy that ISACA anticipates will need to be addressed,” Greg Grocholski, ISACA’s international president, said in a news release.
This is the state of IT as 2013 is set to begin. Cloud computing, though associated with risks, provides an opportunity for efficiencies, and employees armed with smartphones need access to data to accommodate their flexible work schedules.
The experience of New Jersey-based CPA firm WithumSmith+Brown during Hurricane Sandy late in 2012 demonstrated the value that cloud computing can bring to a business. Business interruption was minimal because the firm had moved mission-critical applications to the cloud and employees could get access to necessary data as long as they could get to a location with power and an internet connection.
“I attribute our ability to continue as a firm, to operate without any issues, to the fact that we’ve embraced the whole cloud concept,” firm partner Jim Bourke, CPA/CITP/CFF, CGMA, said in November.
Because of such benefits, cloud use is increasing. Seventy-six percent of organizations polled in the United Kingdom that are using cloud services expect to increase their use over the coming year, according to a Cloud Industry Forum whitepaper. Among those not using cloud-based services, 26% said they plan to adopt them within the next 12 months. Overall, 59% of organizations are in or headed to the cloud, according to Ernst & Young’s 2012 Global Information Security Survey, up from 44% in 2011.
In a September survey of AICPA members in public accounting firms, 11% of respondents said that their firms exclusively use cloud-based applications, infrastructure, and platforms for their technology needs. Another 33% said that they use business-grade cloud solutions—such as accounting, bill management, or payroll applications—in certain areas of their practice. Nearly 10% of those not using cloud services are actively planning to adopt cloud technology, while 46% are planning to remain cloud free.
Asked what they saw as the biggest barriers to adopting or expanding cloud technologies, more than 60% of the AICPA survey respondents pointed to security concerns, although more than 85% said they are very or reasonably confident in their cloud vendors in the event of a data breach or security problem. The next most frequently cited cloud concerns were change management (43%) and skepticism about how much value the cloud provides (42%).
Public versus private clouds
Sixty-nine percent of North American respondents, 68% of European respondents and 63% of Asia Pacific respondents in ISACA’s 2012 IT Risk/Reward Barometer survey said the risks of using public cloud services—where resources are hosted and managed outside company firewalls—outweigh the benefits.
But the private cloud, where resources are available within the corporate firewall, was more widely accepted, with 57% of respondents in North America, Europe, and Asia saying the benefits of using the private cloud outweigh the risks.
Hybrid public/private clouds drew more mixed responses, with 45% of North American, 44% of European, and 53% of Asian respondents seeing a reasonable balance between the risks and rewards. In a hybrid cloud, an organization manages some functions internally and contracts with a vendor to provide other resources externally.
Interest in private or hybrid cloud solutions will grow over the next 12 months because of information security concerns, according to ISACA. These concerns are expected to grow, partly as a result of greater use of “personal” clouds (such as Dropbox or iCloud), which allow users to manage their own data and sync data between multiple devices.
Despite the risks, research shows that companies often are not conducting certain testing procedures with respect to cloud computing. Although 84% of CIOs said they are concerned or very concerned about risks associated with IT security breaches, and security issues are a significant concern among CIOs about using the cloud, less than 45% test cloud vendors’ security systems and procedures, according to a U.K. survey by global consulting firm Protiviti.
And 41% of cloud-using respondents in the Cloud Industry Forum survey said they had not conducted a trial use of services before contracting with a cloud service provider.
Ryan Rubin, Protiviti’s U.K. director of risk consultancy, said in a news release that CIOs are not always involved in the decision to procure cloud services, and therefore their ability to carry out effective due diligence is limited.
“Whilst companies may migrate IT towards cloud providers in an attempt to reduce costs, they cannot outsource their information security risks,” Rubin said. “Unless adequately managed, the cost of security breaches—either regulatory or legal—may outweigh the perceived benefits of moving into the cloud.”
Among the sophisticated tactics that are causing IT challenges, ISACA cites viruses that send unsolicited emails and attack websites, as well as search engine poisoning, where users are sent to fraudulent sites. Jeff Spivey, ISACA’s international vice president, said in a news release that as more devices use IP addresses, cyber-threats will increase.
ISACA recommends that management confront cyber-threats through efforts in areas including awareness, prevention, and detection, as well as incident and crisis management.
— Ken Tysiac ( email@example.com ) is a JofA senior editor.