Risk managers are facing two related, yet still divergent, movements in the world of computing, according to David Allred, head of technology for Zurich North America Commercial.
The first issue is the incredible growth of smartphones and the wireless computing being done over those devices. The second is the emergence of cloud computing.
"In some ways they are related because they are similar types of operations," says Allred. "You are relying on someone else to manage, carry and secure information."
There are different specifics around the two, though, points out Allred, and technology leaders are trying to understand the implications for the enterprise.
"As we look at the communications firms or cloud computing firms, we spend an awful lot of time trying to understand how they manage their networks—not only the technical side but the human engineering side as well—to try and prevent [bad] things from happening and respond rapidly if things do happen," says Allred.
Larry Collins, head of e-Solutions for Zurich Services Corporation, worries the expansion of mobile computing has enabled the hackers of the world to go phishing on Web sites to collect user IDs and information or credit card information.
"There is an enormous impact from mobile computing in that genre," he says. "The APWG trade group (Anti Phishing Work Group) estimates there are about 40,000 attacks a month going on. A lot of that has been enabled by instant messaging and the collection of mobile devices we might have. The mobile computing environment provides a new venue for that kind of attack, especially since they contain so much data."
Carriers often are doing all the right things in managing risk, but as Mike Besso, e-commerce specialist for Zurich Services, points out, IT departments are forced to produce content faster and faster because business users want more content for their mobile devices.
"Our customers are likely to produce content," says Besso. "Fact checking and validating numbers is one thing, but it's beginning not to happen. This is starting to play out with people making bad decisions based on the information they got from their devices."
For example, Besso points to a mistake made by Fox News in November, when it ran with a story editors picked up from the satirical Web site The Onion and posted the article on the Fox News Web site before anyone from Fox realized it was a bogus story.
"This is going to become more prevalent as our customers move into the cloud," says Besso. "They are going to want to keep up with or be better than the competition and sometimes that means cutting corners in fact-checking and that increases liability."
Understanding ERM
Allred maintains there are multiple levels of sophistication around enterprise risk management. He reports conversations he's held with supposedly sophisticated risk managers who think of ERM only in terms of worker injuries, automobile driving techniques, and fire protection in the building.
"They don't go much beyond that to look at the internal risks to the business," he says. "They don't think about credit risk, political risk, or supply chain management. The science of RM has grown over the last few years. The concept often times has outrun the practical use in many cases because it is still a learning process for a lot of companies."
Collins adds there is still a disconnect between the financial person who has to assess the risk to the bottom line and the IT person who runs the nervous system of the company.
"I don't think there's a common language between those two very important camps," he says. "There's a struggle going on as to how to understand the size of the risks and understand what they mean and where to place the right sense of urgency in addressing these problems. Until that dialog improves there will be an endless disconnect between those that view RM as how many bad backs can be prevented all the way up to what the World Economic Forum called one of the five most important risks to watch in the world: cyber security."
Cloud Risks
Allred believes IT professionals are aware of issues and have concerns with cloud computing, but often the business side of the house may not be sophisticated enough to know how the cloud works.
"They simply look at the numbers and believe they can save more money and be more efficient," says Allred. "They don't have a real solid understanding of what the implications may be when they don't control everything internally in their own environment."
The issue for Collins is there are general standards available on how to address the quality of a security program, but none of those standards were designed for the scale of a cloud-computing environment.
"The good news about cloud is it concentrates computing power in key places where it is perhaps managed a little better, but I don't have a good warm and fuzzy feeling that [the industry] has adequately looked over controls of the security and privacy of that system," says Collins. "I suspect there will be a few ugly surprises early on in [cloud] implementations."
Business Worries
Allred believes a lack of sophistication among business users is the cause of many of the risk issues involving mobile and cloud technology.
"Up until now, people have generally had good experiences with their banks and bill paying and while we read horrendous stories of the attacks and the loss of data, the reality is a lot of people are simply never affected by [cyber attacks] and if they are [victims] some don't even know they were affected," says Allred.
Business users have achieved a comfort level and don't worry about consequences. Allred believes many people on the business side just don't understand how the IT happens.
"Go handle it and don't bother me and by the way, don't spend too much money is often the attitude," he says. "Some [business users] think they have a hook to save some money but they don't understand the implications of [the technology] and how their IT network is the central nervous system of the company. If the central nervous system breaks down you are paralyzed."
Allred believes there are a lot of business users engaged with the IT professionals who understand security and standards, but he maintains the missing link often is the people who sign the bills at the end of the day—the CFO and the CEO—who don't understand the implications.
Zurich recently sponsored the Cybersecurity Forum, hosted by the TechAmerica Foundation, according to Allred, to educate and create awareness of the ERM approach.
"We want them to drill down into how their company operates from all aspects, looking for vulnerabilities and at opportunities and think through how to mitigate the problems or take advantage of the opportunities so they can become more efficient," he says. "This is an area often neglected because it's the magic in the backroom that [business leaders] don't think about. We see this as a critical missing link to make sure the CEOs and CFOs understand the implications of the financial decisions they are making and how to mitigate those decisions."
Social Networking
The implications of social networking for enterprise risk management are not clear yet. Collins explains the largest computer program application in the world today is Facebook, yet it is hardly a mature technology.
"There are profound privacy questions and some profound security issues," he says. "[Social networking] will be equal if not more to the risk exposures of mobile computing with some unique exposures to companies and corporations as well."
"We've seen with Facebook the difficulty they've had managing security and data and who has access to it," says Allred. "Sometimes you wonder if there's a tipping point where people say they aren't going to give anything more, but I think we're a long way from there."
Allred feels users haven't sufficiently judged the risks that can arise from social networking.
"Everywhere we go and whatever we do somebody is watching," he says. "Ninety-nine percent of the time those are people that want to help and do good, but there's that element out there that's looking for a way to cause problems for us in some form or fashion."
The potential is there not only for loss of information, but also loss of corporate secrets, reputations, business opportunities, and potential physical harm to people or disruption of business networks or utility networks.
"It is becoming almost an incomprehensible situation to know what can be done," says Allred. "We are working with our customers and others to try and keep a lid on things. So many things, whether it is mobile computing or cloud networking, are not so much technical problems as they are human engineering problems. Phishing attacks would fail if people would use a little of what I call the world's greatest oxymoron: common sense. That is, if someone asks you for your password that's not a good thing, so don't tell them."