Going digital: No simple solutions for information security professionals

Technology evolution is proving itself to be something of a double-edged sword

Technology is certainly opening doors to a new world of opportunities for businesses. But as with all opportunities, technology comes with risks.

Chief among those risks is the accountability that digital transformation demands. Consumer demand is driving that transformation: a fundamental shift in customer relationships, business models and value chains.

More and more organisations use technology to introduce new products or services, to improve efficiency, or to collect more information about their customers than they currently need or know how to use. Through the internet, social media, mobile and real-time 360-degree analytics, organisations can enhance customer relationships, increase top-line growth, streamline operations, empower talent and use innovation to reinvent competitive solutions and business models.

While organisations that are early adopters of leading-edge technology have been plugged into the privacy debate for some time, those that have been slow to join the digital party often know very little about the privacy risks involved or the management those risks need, and lack the resources to identify or address them.

As a result, we are witnessing an increasing number of rookie mistakes that damage strong global brands as they take their first steps into the digital world. The learning curve for these businesses is steep: they will need to determine the requirements, establish a privacy program and become accountable for their digital transformation.

To better manage privacy risk, many organisations have implemented monitoring technology. For years, privacy programs had robust policies and average controls, but very little monitoring. Many organisations simply lacked the tools to monitor privacy across the vast amounts of data and the many processes involved.

At Ernst & Young, we have discussed in the past how monitoring the way personal information is managed has risen up organisations' priority lists. We have also talked about the increasing adoption of data loss prevention (DLP) tools that track how data is shared, tools that track access to network folders, and applications that monitor user activity on databases.

Once implemented, the new privacy monitoring tools demonstrated more than accountability: they also uncovered more evidence of privacy failures. Those failures underline why the tools are needed and why accountability matters. The challenge organisations now face is the significant cost of remediation.
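As an added illustration of the kind of monitoring the two paragraphs above describe (this is example code written for this page, not Ernst & Young's tooling or anything from the original article), the following Python scans a constructed set of outbound events in the shape a DLP tool might log: e-mails, web uploads and copies to removable media. It flags Luhn-valid payment card numbers, personal e-mail addresses and classification markers, decides an action based on whether the destination is outside the organisation, and masks card numbers in its own findings so the monitoring tool does not become a second copy of the sensitive data. The event format, the corporate domain `corp.example`, the sample events and the block/alert/log policy are all assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of outbound events (not real data): card numbers are publicly
# known Luhn-valid test values and the domains are reserved documentation names.
SAMPLE_EVENTS = [
    "2012-11-02T09:14:03 user=alice channel=email dst=partner@example.org "
    "body='Invoice 4532015112830366 attached, please pay by Friday'",
    "2012-11-02T09:20:41 user=bob channel=email dst=colleague@corp.example "
    "body='Order ref 1234567890123 shipped'",
    "2012-11-02T10:02:17 user=carol channel=webupload dst=personal-cloud.example.net "
    "body='customers.csv: jane.doe@example.com, 4916338506082832'",
    "2012-11-02T10:30:55 user=dave channel=usb dst=removable "
    "body='CONFIDENTIAL board pack Q3'",
]

# Assumed corporate e-mail domain: mail that stays inside it is not an exfiltration path.
INTERNAL_DOMAINS = {"corp.example"}

EVENT_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) channel=(?P<channel>\S+) "
    r"dst=(?P<dst>\S+) body='(?P<body>[^']*)'"
)
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
CLASSIFICATION_MARKERS = ("CONFIDENTIAL", "RESTRICTED")


@dataclass
class Finding:
    user: str
    channel: str
    dst: str
    kind: str
    evidence: str  # masked where the data is sensitive, so the alert itself leaks nothing
    action: str


def luhn_valid(digits: str) -> bool:
    """Luhn check: drops most order and reference numbers that merely look card-shaped."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_external(channel: str, dst: str) -> bool:
    """E-mail to an internal domain stays inside; uploads and removable media always leave."""
    if channel == "email":
        return dst.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS
    return True


def decide(kind: str, external: bool) -> str:
    """Assumed policy: internal traffic is only logged, card data leaving is blocked,
    any other personal or classified data leaving raises an alert."""
    if not external:
        return "log"
    return "block" if kind == "payment_card" else "alert"


def scan_event(line: str) -> list[Finding]:
    m = EVENT_RE.match(line)
    if not m:
        return []  # unparseable lines are skipped here; a real tool should count them
    user, channel, dst, body = m["user"], m["channel"], m["dst"], m["body"]
    external = is_external(channel, dst)
    found: list[tuple[str, str]] = []
    for cm in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", cm.group())
        if luhn_valid(digits):
            found.append(("payment_card", "****" + digits[-4:]))  # keep only the last four
    for em in EMAIL_RE.finditer(body):
        found.append(("email_address", em.group()))
    for marker in CLASSIFICATION_MARKERS:
        if marker in body:
            found.append(("classified_content", marker))
    return [Finding(user, channel, dst, kind, ev, decide(kind, external)) for kind, ev in found]


def scan_events(lines) -> list[Finding]:
    return [f for line in lines for f in scan_event(line)]


def summarise(findings) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.action] = counts.get(f.action, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_events(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.action:5} {f.user:6} {f.channel:10} -> {f.dst}: {f.kind} ({f.evidence})")
    print(summarise(results))
```

Run stand-alone, the script reports one blocked e-mail (a Luhn-valid card number sent to an external partner), nothing for Bob's order reference (thirteen digits that fail the Luhn check), a blocked and an alerted finding for Carol's upload of a customer list to a personal cloud service, and an alert for the classified document copied to USB. The point the article makes shows up immediately: even four constructed events produce remediation work, and the tool has to be designed so that its own findings are not another privacy exposure.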

Many of the issues cannot be addressed with stop-gap measures. Many organisations would have to undertake a complete IT transformation to fix the privacy issues their monitoring tools are flagging.

In Ernst & Young's 2012 Global Information Security Survey, 70% of respondents said they planned to spend roughly the same amount on privacy over the next year as they did in the previous year. That number may have to change to cover the increased investment required to improve privacy controls.

Internally, the mobile device phenomenon is creating tension between the need to secure the organisation's data and the need to respect employee privacy. More than ever before, we are seeing a transition to a fully mobile workforce. Some organisations have closed entire brick-and-mortar offices in a shift to a fully virtual workplace model.

However, with the rise of the mobile workforce, organisations may have to shift their focus: unable to control the data, they will need to decide who can be trusted with it.

Many of the more popular mobile devices have insufficient built-in controls to meet traditional information security expectations. Furthermore, employees can upgrade their mobile devices and their software themselves, without going through the corporate IT department.

A guest network that is separate from the main network allows employees to use their personal devices to reach the web directly, perhaps with access to a work-only email account. Organisations may also want to consider using third-party services, or their own code, to create "sandboxes" where company data and company-issued applications reside, separating them from any interaction with personal data, applications or online services.

These options serve the dual purpose of protecting the organisation’s data from unauthorised access as well as the employee’s personal information from being monitored by the organisation.

A steep learning curve awaits, but it will serve as a reminder to information security and privacy professionals that there are no simple solutions to the problem of enabling access to information for an ever-growing and ever-changing population of people and devices.

Mark Brown is director of risk & information security at Ernst & Young
