Firm Notes Emerging IT Security, Risk Threats in Wake of Financial Crisis

Boulder, Colo. — Enterprise Management Associates (EMA), an IT management research and consulting firm, released a new advisory note, “What the Economic Crisis Means for IT Security and Risk Management.” In the advisory note, EMA research director Scott Crawford highlights the impact of the current financial industry meltdown and its implications for the management of security and risk in IT.

“Clearly, the fallout from this crisis poses serious issues for IT security and risk management,” he says. “Professionals in these fields should be thinking seriously about what they may be facing as a result, but that’s not all. They also must understand how this crisis came about in order to be prepared for what will follow, as well as what it says about the mindset of the business when it comes to managing risk in any respect.”

Crawford focuses on the increased IT security threats and risk management issues that come into play when the financial industry is unstable. EMA highlights some examples of the economy’s impact on IT security, risk management and compliance:

• Opportunistic attackers will take advantage of many aspects of the crisis. Examples range from phishing attacks that target desperate individuals seeking debt relief, to more retaliatory attacks launched in frustration and resentment against financial businesses themselves. Some, however, may use the appearance of a retaliatory attack simply to hide what is actually espionage, infiltration or attempted data theft.

• Widespread weakness among targets will increase opportunistic risk. Just as significant is the risk posed by the new weakness of financial institutions—and possibly some governments stretched to cover losses in the private sector—which are among the most common targets of attack.

• Increased M&A activity will complicate security and risk management. As former financial services competitors take over one another in a wave of mergers and acquisitions, IT as well as security teams on both sides of a deal will find it a challenge to safely integrate a formerly foreign environment. M&A activity may further open the door to opportunistic phishers who recognize that customers may not know who owns their bank from one day to the next.

• Businesses should look to the security and risk management values of every management tool and technique in the enterprise. The need for visibility throughout the network highlights the value and importance of tools not only in security, but in network, systems and application management as well. IT management tools that can enhance security while reducing the cost or complexity of security management, as well as security solutions that improve the management of IT itself, merit closer scrutiny for these values.

• The crisis will increase the value of “security-as-a-service.” A now-dire need to move expenditures away from capex and more toward the opex side of the balance sheet presents a new opportunity for security offered as a service. Crawford notes that service-oriented approaches offer ways to keep up with the threat while getting a better-defined handle on the investment.

• Get ready for “W3D” compliance. Just as SOX emerged from the previous major downturn, Crawford advises businesses to prepare for the inevitable wave of compliance with “W3D:” “What Washington (or the World) Will Do.”

“The greatest concern the financial crisis creates for IT security and risk professionals lies in the roots of the mess itself,” says Crawford. “If the inclination of the business is always to think first about IT’s primary mission, and only incidentally about the risks that may be exposed, security and risk management may never rise to the level needed to address the truly alarming level of malicious threats in today’s environment. Just as with illusory lending, however, we now have abundant evidence of the impact of poorly managed risk that should motivate us to do better. The question is, will we?”

Source: Enterprise Management Associates
