Chng added: "With 44 percent of global organisations now allowing the use of company or privately-owned tablets—up from 20 percent in 2011—substantial levels of information are now flowing in and out of the office, making control increasingly difficult."
Chng further added that in Singapore, while some software vendors are offering mobile device or application management solutions, organisations still need to play an active role in ensuring that sensitive data remains out of the hands of unintended audiences. "While it is relatively easier to protect such information from outsiders, the challenge lies in enabling authorised access, yet preventing data loss if the employee turns rogue. Some forward-thinking companies have started using modelling techniques such as attack trees to understand the residual risks arising from granting such needed access," he said.
Organisations recognise that they need to do more on mobile technology. However, in the fast-moving mobile computing market, the adoption of security techniques and software is still relatively low, with just 40 percent of organisations using some form of encryption technique on mobile devices.
Money well spent?
With more risks and more technology to secure, organisations are responding by increasing budgets and adjusting their priorities. Fifty-one percent of organisations reported plans to increase their budget by more than 5 percent in the next 12 months. While 32 percent of respondents spend over US$1m on information security, the level of investment varies globally, with 48 percent of Americas' organisations allocating in excess of US$1m, compared with 35 percent and 26 percent in Asia-Pacific and EMEIA (Europe, Middle East, India and Africa) respectively. In terms of where the budget is assigned, the top investment priorities are securing new technologies (55 percent) and business continuity (47 percent).
The planned budget increases can only be effective with the right decision-makers taking responsibility. Information security continues to be IT-led within many organisations, with 63 percent of global respondents indicating that their organisations have placed the responsibility for information security in the hands of the IT function.
However, as information security begins to spread beyond traditional IT issues, decisions are now needed around selecting the right tools, processes and methods for monitoring threats, gauging performance and identifying coverage gaps, and a reappraisal of responsibilities is required.
With just 5 percent of chief risk officers currently responsible for information security, many organisations lack the formal risk assessment mechanism provided by the risk function, resulting in 52 percent of organisations having no threat intelligence program in place. The proliferation of threats—and the acceleration of the gap between vulnerability and security—requires multiple sources of assessment, such as internal audit, internal self-assessments and third-party assessments, to monitor and evaluate security incidents.