The world’s business leaders have high levels of confidence in their organisations’ cyber defences, but that confidence is largely out of tune with reality.
Most have inadequate structures and policies in place, and security awareness training sessions and use of key defensive tools are both declining.
Many leaders fail to understand both the risks they face from cyber threats and the impact past incidents may have had on their organisation’s reputation. The threat from insiders is also badly underestimated.
All this comes from a worldwide study conducted by consultancy firm PricewaterhouseCoopers (PwC), in collaboration with CSO Magazine, the US Secret Service, the FBI and Carnegie Mellon University’s Software Engineering Institute CERT programme.
Over 9,300 high-ranking executives responded to the survey (PDF), including CEOs, CFOs, CISOs and IT directors from 128 countries. Two-thirds of respondents were based in the US or Europe. Data was gathered in spring 2012, so may be a little behind the latest developments, but it shows some clear trends year-on-year.
Some 42% of those questioned thought of their organisations as ‘front-runners’ in terms of information security. But when their responses elsewhere were aligned with a baseline set of requirements, including properly measuring and reviewing security measures, keeping track of incidents, and giving security leads sufficient rank within the company structure, only 8% came out as actual leaders.
While budgets are on the rise after recent cutbacks in most regions, economic conditions remain the biggest factor in deciding security spending, ranking well ahead of any actual security requirements.
There have been significant year-on-year drops in the deployment of security technologies across the board, including:
- Spyware and adware detection tools, down from 83% in 2011 to 71% in 2012;
- Device control, down from 57% to 47%;
- Vulnerability scanning, down from 59% to 46%;
- DLP, down from 48% to 39%; and
- IPS, down from 62% to 53%.
Despite a slight increase in the number of breach incidents, financial losses are reported to be down. But most seem to be ignoring important aspects of data breaches; while 52% consider direct loss of customer business after a breach, only 27% take into account the possible long-term damage to brand reputation.
A previous PwC survey on attitudes to data sharing (PII required to access the report, ironically) found that 61% of consumers would stop using a company hit by a data security breach.
With mobile device use booming, 88% reported they use personal kit for work purposes, but only 45% have BYOD security strategies in place, and 37% use mobile anti-malware.
In terms of who gets the blame for security issues, other high-level staff take less flak than previously but are still considered a major obstacle: 21% of respondents see their CEO as a hindrance, not far behind lack of funds on 26%.
The only issue rising year-on-year in this area is shortage of in-house technical expertise, up slightly from 21% to 22%. This aligns with reports of a lack of skilled staff seen elsewhere.
Personnel-related security measures were down on every count over the previous year, including training, vetting and monitoring staff, and employing experts in specialist roles. This greatly increases the risk of insiders stealing or leaking data:
Twice as many respondents indicated “non-malicious insiders” cause more sensitive data loss than malicious inside actors
Clumsiness and incompetence are, it seems, much more of a risk than intentional theft and fraud.
There’s much more in the full report, including some interesting stuff on regional variations – Asia, apparently, is outpacing the rest of the world in running tight ships.
So what are the big takeaways from this hefty bundle of data? The figures certainly back up other recent reports showing top-level people are behind the curve on computer security issues.
Fines and regulation aren’t doing the job; what’s clearly needed here is better education. If even people in dedicated high-level security roles are seen to be part of the problem (perhaps not as surprising as you might think, thanks to the Peter Principle), there clearly needs to be more effort put into spreading the word.
In the UK, the government has recently announced a major awareness project, which looks set to focus on businesses as well as end-users. This could well be an important step in the right direction; for too long private security firms and a few specialist journalists and bloggers have shouldered the burden of opening people’s eyes to the dangers lurking in the murky pond of the internet.
To get this message into the right places, which clearly include those big desks in the top-corner offices, is going to take a lot of time and effort, from every level. Hopefully we’re making some progress, and we’ll see some of these rather depressing trends reversing next time around.
I'm not trying to say Sophos recycles old news, but this was headline news in the 1970s, 1980s, 1990s and 2000s. Seems like every generation has the same story. This leads one to the obvious conclusion that all senior executives in all generations are out of touch with IT. Maybe we should expand that thought further and say that business leaders are incapable of understanding IT. That of course leads to the simple conclusion that all business leaders have a genuine gene defect in those genes which control IT and security. I would NEVER suggest that the IT professionals are pulling the wool over their superiors' eyes by fudging the real IT problems and downplaying them as "insignificant" or "Don't worry about it – we don't have that problem", leading one to suggest that the IT professionals are preserving their jobs by telling senior people only good news, until they get fired because they didn't tell the bosses the bad news.
I would have to say that the above comment by John is true. I tried to bring security concerns to my executive, but they didn't understand them; then I was stabbed in the back by the head of development, who went to the execs and said I was seeing conspiracies under every computer... Subsequently I was sidelined. However, just recently the company got a security review from an independent contractor, and it stated that they had over 81 vulnerabilities, with 19 and 55 high- and medium-severity issues respectively. However, the executive still doesn't understand the need to progress these issues, because they don't want to upset the developers or the general users.
They seem to think they will handle the issues when something hits the press... It's pretty frustrating from my position. I'm looking for a new job... :)
Richard... first, and I'm sure that you know this, but you have to speak to these folks in the language that they understand... $$$$$! When you present your case you have to draw parallels, use metaphors and examples, show them how that back-stabbing developer doesn't know crap about security, make him/her prove themselves... they hired him to develop. Show them how easy it is to exploit some of these vulnerabilities... there are daily occurrences that you can use to make your point. Use your competition as an example of what or what not to do. But most of all, document and save everything that you try to do and who you are talking to.
Sometimes things need to fail or be exploited before anyone will listen. My story was SQL Slammer (remember that...). I went an entire year raising flags and warnings... nobody wanted to listen. Then on Super Bowl Sunday 145 out of 150 MSSQL servers went down, HARD. The only servers to survive intact were the five that belonged to me, because I took the recommended steps to protect them... I got all kinds of money for security issues after that.
There is hope.