IRISH COMPANIES are ahead of their international counterparts in using, or considering, cloud computing, but often fail to come up to par in providing a secure enough environment for this shift to outsourced infrastructure and applications.
According to consultancy Ernst Young’s latest Global Information Security Survey, which surveys nearly 1,700 companies in 52 countries annually, twice as many Irish companies say they will be evaluating a move to cloud-based computing in the next 12 months, compared to the international average – 50 per cent, versus 25 per cent internationally – while 43 per cent are already using the cloud (versus 37 per cent internationally).
“Ireland has turned out to be quite an aggressive cloud adopter,” says Hugh Callaghan, director of advisory services, Ernst Young Ireland.
“The Irish are eager to try and gain the benefits of the cloud. For small organisations, the cloud offers hugely cost-effective management. Medium and large companies can streamline and simplify access to and delivery of applications, as well as gain general cost benefits.”
The Irish are also “well placed” to move to the cloud, with many companies, both multinationals and indigenous companies, in sectors that can benefit. “In many ways, there’s a perfect storm of factors driving people to the cloud,” Callaghan says.
But too many are just looking at the benefits and failing to look at the risks, he says. Although external security risks can increase if companies shift to cloud computing – and 79 per cent of Irish companies in the survey said that they see an increased level of risk due to external threats – “Irish companies are behind in developing security strategies; only 21 per cent say they have a strategy.”
This compares to an average of 51 per cent of organisations internationally.
Yet according to the survey, Irish companies can be quite good at prophylactic approaches to security risks, where a specific action can address a specific problem.
“In some areas, Irish companies are ahead of a number of trends,” notes Callaghan. He says they far outpace companies internationally in awareness and adoption of encryption – encoding sensitive data – probably thanks to several high-profile data breach cases in Ireland in recent years, where companies were criticised for losing devices with unencrypted client data.
In last year’s Ernst Young survey, a full 100 per cent of Irish companies were aware of or using encryption. By contrast, only 47 per cent of companies globally said they were using encryption, according to this year’s survey.
Why are Irish companies good at addressing focused problem areas like this, but poor at overall security strategy?
“It’s a maturity question to me, really,” says Callaghan. “A risk strategy is developed on the back of a vigorous IT strategy, which is developed on the back of a rigorous business strategy. Irish organisations just traditionally haven’t been good at that – we’re eager to implement specific controls but not take a holistic view.”
In other areas, Irish responses also indicate a weak general approach to security. The second greatest concern of companies was the employee trend to “BYOD” – “bring your own device”, such as personal tablets or smartphones, into the workplace.
And a large portion of Irish companies, 79 per cent (in line with 80 per cent internationally) also say they are using, or will consider using, tablet computers in the workplace. Yet only 36 per cent of Irish companies deploy any kind of mobile device management software.
“Five years ago, it was inconceivable that people would be bringing their own devices to work. But smartphones and tablets have caught up in terms of technology,” says Callaghan.
“The whole concept of ‘inside’ and ‘outside’ is fast becoming irrelevant. Yet it’s difficult for companies to understand and control those risks -–people sending themselves documents to work at home, for example.”
Irish firms also have a hardline response to perceived threats from social media – with many companies totally blocking employee access to social-media services.
Some 72 per cent of companies fear external malicious attacks that could be developed using information gleaned from social media-based phishing attacks on targeted individuals within a company. Companies also fear reputational damage from social-media use.
In response to these fears, “the Irish are more likely to block access”, says Callaghan, with 64 per cent of Irish companies saying they do so, compared to 53 per cent internationally.
Callaghan says this is a pointless approach.
“It simply doesn’t make sense to block social media, not least because it ignores the elephant in the room – that the same damage can be caused by people using their own devices to get onto social media services, and no control can be put on personal devices.”
The best approach is a clear corporate policy on social media use, to encourage appropriate behaviour, and to monitor social media sites, Callaghan says. On the security upside, half of Irish firms in the survey said they will increase spending on ITsecurity in 2012, though this is still below the international average in the survey of 59 per cent.
In many ways, there’s a perfect storm of factors driving people to the cloud . . . But too many are just looking at the benefits and failing to look at the risks
:quality(70)/s3.amazonaws.com/arc-authors/irishtimes/2a429887-bb72-4814-bd40-0cbf79fe8d51.png)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/sandbox.irishtimes/GW3FWAURWFGM7FF4RMYJLBG7ZI.png)