There are many organisatons with a gap in their risk management strategies that is affecting the security of sensitive and private information according to RSM Australia.
The level of diligence in organisations when it comes to risk management and security often depends on the resources allocated to it. This can become a shortfall either because of complacency, unawareness of the risks, or lack of budget.
When RSM Australia undertakes risk management reviews for organisations it is often clear from the outset that even basic elements are lacking, such as updating patches to operating and communication systems and protections from current vulnerabilities.
The question remains whether organisations are giving security sufficient attention from a holistic perspective or simply spectating from the sidelines because they don’t have sufficient resources to make it a focus.
Three key elements contributing to the security spectator sport culture
- A lack of trained professionals. It is an inevitable truth that organisations left without proper security talent remain vulnerable to the ever-present (and growing) threat of hackers. However, there aren't enough trained information security professionals to meet market demand. HR manager have listed information security as one of the most valuable skillsets for the next 12-18 months according to Greythorn's Australian IT market insights and salary guide for 2014-15.* To counter this, many organisations will turn to international markets in the effort to hire the necessary talent to secure their IT enterprise. In the meantime, organisations should consult a trusted security advisor and develop a security management plan to direct resources to this risk area or at least identify where their key risks may lie.
- Outsourcing. There is a growing trend for organisations to look at outsourcing through cloud and managed services to reduce capital outlay for hardware and infrastructure. Unfortunately, outsourcing services also means that organisations may be less involved in managing their own security risks and also are taking less directly responsibility for the security of the information they are outsourcing. Organisations should be exercising due diligence regarding the security standards delivered by their outsourcing partners, and review these on a regular basis. This ensures they are familiar and aware of the level of security being maintained by their service providers.
- Incomplete security protocols. Integrating devices and technology in new ways, such as via the Internet of Things (IoT), can deliver business benefits but it's important for organisations to consider how these connected devices will be secured. For example, in the healthcare industry, a growing number of medical devices are being connected to the enterprise network without concern for protecting both the devices and the network from unauthorised access. Similarly, manufacturing organisations are increasingly connecting industrial control systems to corporate networks, integrating previously air-gapped systems and creating potential security risks. Organisations need to consider security as part of the buying process, and stretch their policies to include every device used for any purpose throughout the network, including industrial control systems.