Last year, advanced persistent threats or APTs gained recognition as a new form of attack. This year, the figures indicated that external threats are increasing. "The whole concept about persistent threats is that once the malware has infiltrated the system, it stays in, lies low and attacks surreptitiously," Chng said. "These kinds of threats are more sophisticated and numerous; signature-based recognition is no longer effective in the days we are in now. Today, we are into analysing behaviours: if you're a user of say, online banking, [one should observe] what click-throughs, and the sequence of steps have been taken for a banking transaction. It's a new area: keeping your eyes on recognising abnormal behavioural patterns to deal with such new threats."
Information security strategies
Business continuity, risk management and—most importantly—fundamental redesign rank among the highest information security priorities. But stubborn issues—obstacles like budget constraints, organisational issues and lack of the right resources—prevent companies from closing the critical information security gap. Said Chng: "More importantly is about spending wisely."
Lack of an information security strategy is another major concern. While many organisations recognised the importance of information security and had put resources towards improvement, others had not. Significant numbers of respondents had no information security strategies, no threat intelligence programs, and no assurance that their security vendors were doing what they were supposed to be doing. "Without strategies in place, there will just be firefighting all the time," he said.
Vulnerabilities were also on the rise. A patchwork of non-integrated, complex and frequently fragile defences could create significant gaps in security. Organisations seemed increasingly inclined to use bolt-on or work-around solutions. These processes were inconsistent, hard to test, and not easy to understand, use, update or monitor, Chng said. Nearly a third of respondents claimed that the threat or vulnerability of their information security architecture had increased in the past year, mostly because of outdated controls.
Cloud & social media
From the survey, organisations seemed keen to adopt cloud services but were generally uneasy about related security issues. In 2010, only 30 percent of organisations indicated they were currently using or planned to use cloud computing services. That number rose to 44 percent in 2011, and again this year to 59 percent. But many also admitted that their efforts to address cloud-related risk were minimal or non-existent.
Social media is changing how companies do business. But 38 percent of organisations do not have a coordinated approach to address social media usage, resulting in lost opportunity, or potential security breaches that could destroy a brand overnight. The most-chosen tactic to address this risk was to simply limit access to social media sites—likely to be ineffective as most employees now have their own device and can access company networks almost anytime from anywhere.