Those are the main conclusions in a new report from the Information Security Forum, an independent group harnessing expertise from a pool of companies, including some Fortune 100 businesses. The forum asked 200 of its corporate members, all major organisations, to list what they thought would be the biggest threats facing them in 2011.
The top five threats (see sidebar) range from the increased threat of Internet attacks from organised crime groups, to the loss of control resulting from outsourcing and cloud computing.
The recession is also pushing companies to increase the amount of offshoring and outsourcing they do, and Frost said this was often done with little regard for security. "Outsourcing is quite mature now, and companies are looking to outsource more critical business processes. But information security is often only considered at the last moment when these decisions are made," he said.
ISF members also noted a tendency for user-developed applications and files, such as Excel spreadsheets, to be implemented without consulting security people. "They don't really want it to go on security's radar for fear they will try to delay it," he said. Frost added that even with quite large application developments, security would often be brought in near the implementation stage to "try to bolt on some security controls."
ISF members also predicted that mobile malware will become more prevalent as more applications go on to smartphones and the devices' processing power and storage capacity increase.
Respondents also noted their struggles with an increasing number of regulatory requirements, as well as with an IT infrastructure that is becoming more and more integrated and reliant on third parties.
William Beer, director of assurance at PriceWaterhouseCoopers (PWC), said many of the mentioned threats could be turned into an advantage, but security people need to adopt the language of business to get their voices heard. "There is an opportunity to get across our key messages. For instance, Sarbanes Oxley was once viewed as a big cost, but it is now seen as having reduced costs and improved the way companies operate," he said. "If by increasing security, we can leverage confidence and trust during a recession, then we can turn a negative into a positive."