BANGALORE, INDIA: New technologies are enabling us to create smarter homes, smarter cities, and smarter machines and devices. However, they come with a host of security and privacy risks that people are only beginning to understand. Internet of Things (IoT) technologies have the biggest potential to disrupt IT risk management programs, followed by the cloud, Bring Your Own Device (BYOD), fintech, and blockchain, says a recent study by GRC solution provider MetricStream.
MetricStream Research conducted a global survey to understand how enterprises are managing their IT risks. Around 44% of large-sized enterprises cited IoT, and 35% cited the cloud as having the most potential to disrupt IT risk management in 2018 and beyond.
The top four technology factors that drive the need for IT risk management programs are IT outsourcing (52%), integration with third-party systems (47%), virtualization (47%), and digital business infrastructure (45%).
Although these rapidly evolving technologies enable businesses to create significant value, they also bring new security and privacy risks that are still not fully understood. The top five IT threats and risks that respondents reported facing in the last two years are malware infections, security breaches, compliance violations and regulatory actions, account phishing, and spoofing of company executives.
As new risks and regulations emerge, companies are looking to invest in better controls, as well as better risk mitigation and monitoring mechanisms. This was evident from the survey results: 46% of the respondents reported that their IT risk management spend will increase significantly (by 5% or more) in the next 18 months. In comparison, only 8% of the respondents indicated that their spend will decrease by 5% or more.
Interestingly, although outsourcing and integration with third-party systems are seen as key drivers for IT risk management, third-party risk management is the area least likely to see new investment in the next 18 months. This gap points to a blind spot that, if left unaddressed, can lead to multiple third-party-related IT risk incidents, says the study.
The study found relatively high levels of maturity (CMMI level 3 or higher) in IT risk identification and assessment, standardized documentation of processes and controls, control design and assessment, and IT risk monitoring and reporting. Of the respondents who have implemented IT GRC solutions, 75% reported a CMMI maturity level of 3 or higher. In comparison, only 38% of the respondents who have not implemented IT GRC solutions reported a similar level of maturity; these organizations rely on a combination of spreadsheets, point solutions, and other tools.
Despite these risks, the study found that respondents are not investing enough in employee training programs or in better information governance frameworks. When it came to IT risk management training, 51% of all respondents, and 52% of those in banking and financial services, reported a CMMI maturity of only level 1 or level 2. This lack of maturity could prove disastrous, as poorly trained employees fall prey more easily to social engineering attacks such as phishing, which in turn open the door to larger attacks on enterprise security.
“Guarding against the next Equifax-style cyber-attack will require enterprises to have holistic, agile IT risk management programs,” said French Caldwell, Chief Evangelist, MetricStream. “An IT GRC software solution can really add value by automating workflows, and providing timely risk intelligence to guide decisions. However, it’s just one piece of the pie. Policies, training programs, and information governance frameworks are all equally important. Together, they lay the foundation for a resilient and secure enterprise.”