What are the biggest IT security concerns we need to prepare for in 2011? Why?
4 Answers
Mack,
Information Security requires ongoing vigilance. The biggest concerns typically involve people and new technology.
Currently, the primary threats hover around Adobe products (Flash, Shockwave, PDF), smart phones, social networks (Twitter & Facebook), and cloud computing. In 2011, expect to see more mobile workers, more employers allowing access to their corporate networks via personal computing devices, and more data stored in the cloud for a variety of purposes.
Not only have organizations steadily lost their perimeters over the past 5 or so years, but now, data is not even confined to the shell of a perimeter that remains. While there is considerable business advantage derived from all of this flexibility, there is also considerable business risk -- and it has to be managed.
The following is a formula for increased stress: Complex technology + Mobile workforce + Tighter integration with customers and partners + Anywhere/anytime access to data + Increased malware sophistication + Ubiquitous social networking + Increasing regulatory compliance requirements
Not only must organizations try to stay ahead of the most likely threats, but they must quickly mobilize to educate users and mitigate risk concerning new threats which may spring up at any time.
We live in a very connected world, and it is this increased connectivity that facilitates much of our risk. And it must be managed by the WHOLE organization, and not just the IT or Information Security teams.
So, I'd modify your question to: "What are the biggest Information Security-based business risks that organizations need to prepare for 2011?"
And the first place I would start is the realization that compliance is not necessarily the same as security, so organizations shouldn't spend all their budget satisfying checklists at the expense of the threats mentioned earlier in this commentary...
-ASB: http://xeesm.com/AndrewBaker
There's a new threat in town. Predictions for the new year are that mobile devices will become a major target - they now have business data, they are always connected to the Internet, people willingly download applications to them, and the phone OSes that they all run are not designed with security in mind.
Look for your favorite security companies to release protection software for these devices early this year and plan to deploy it.
Identity theft will continue to be a major concern. It is technically easy to do and has a low chance of the criminal being caught. The rapidly-growing popularity of mobile devices provides additional mechanisms for identity theft.
The solution is *not* to protect each and every entry-point mechanism, but to strengthen controls at the common point, e.g., the credit providers, banks, healthcare providers and insurers.
Organizations also must start really being concerned about the Insider Threat. We have spent a lot of time on being worried and reacting to the outsider threat, but the insider threat is real and increasing.
For example, there was a 2008 Strategic Counsel Survey which showed the percentage of internal breaches growing from 15% in 2003 to 44% in 2008. And a 2010 PacketMotion Survey of US Government Agencies which resulted in 59% of those surveyed feeling that employees were the biggest threat and only 9% feeling that Hackers and Criminals were the biggest threat. And, a conclusion by the 2010 CSO Magazine Survey which said the "most costly or damaging attacks are caused by insiders."
So, we have to look at system configuration or security system controls errors that would allow insiders to access sensitive data and for Operating System and Application Delivery System vulnerabilities that would allow insiders to obtain control and circumvent the security system controls.
Barry