Survey: State of the information security nation
SC Magazine took the temperature of the security industry last year, revealing some startling facts. Blue Cube returns to see how the patient is faring.
More than a year has passed since Blue Cube and SC Magazine joined forces to survey the IT industry's attitude towards the trends and issues facing IT security in a recession (SC, April 2009). With the UK still emerging from the downturn, Blue Cube assesses the changes, negative and positive, in attitudes and technological developments over the period since.
Information security faces the constant challenges of new attacks and even fresh regulations. It is vital that every firm ensures it stays one step ahead when it comes to protecting its IT infrastructure and, most importantly, its data.
At the start of last year, not surprisingly, 66 per cent of those surveyed believed there would be an increase in security threats in the rest of 2009, and this has certainly been borne out. Blue Cube now looks at where these have come from and how the industry has reacted.
In 2009, two-thirds of our 467 respondent organisations believed there would be increased IT security threats, and 56 per cent of them felt the main threat would be ID fraud. With an individual's personal details apparently worth between 3p and 30p to the right buyer, they are a prime target for hackers.
One of the most obvious ways for hackers to gain these details is through the hacking of social networking sites, which are often far less protected than banks and financial organisations (see the opinion pieces by Nick Barron and Ken Munro this month). Most of us will use the same passwords and usernames for our social networking sites as for our online bank accounts. We often use these same passwords for our work computers, exposing our employer to harm as a result.
A recent study by the University of Bedfordshire showed that 69 per cent of data breaches in 2009 were targeted at the retail sector, because of the rich pickings on offer, such as credit card details. The recent surge in online shopping is further widening the window of opportunity for hackers.
After ID fraud, the largest threat thought to be facing the industry in 2009 was viruses and malware attacks. This appears to have been positively addressed by the industry, with many organisations upgrading or enhancing their anti-malware. However, an average of 28 new viruses are written and deployed every day, and in 2009 alone 25 million new strains of Trojan were developed.
Although the majority of organisations have invested in anti-malware solutions, such investment is rendered useless if the product is not maintained and updated. Organisations should view investment in security solutions and processes as a long-term strategy in order to get the most from it.
A year ago, when we asked whether the main source of an attack would come from an external or internal source, only 16 per cent saw internal attack as a high-risk area. Blue Cube, however, feels that the internal threat has been largely underestimated, especially within a turbulent economic climate where job security is fragile and data a hugely valuable resource.
This internal threat is accentuated by the ever greater blurring of the boundaries of the corporate network. While it is relatively simple to install monitoring software to keep a keen eye on employees' actions in-house, organisations often overlook the less obvious avenues. With employees becoming ever more reliant on mobile PDAs and smart devices, as well as working from home, enhanced protection and monitoring are required.
Data loss, whether from internal or external sources, is still an overwhelming concern. The number of organisations investing in data loss prevention (DLP) solutions leapt in 2009 to 44 per cent, compared to 29 per cent in 2008. Only six out of ten organisations have an accurate inventory of the location of all their data and where and when it is collected and transmitted. Further commitment and investment in technology and education are required.
Data security is at last being taken seriously by the authorities, with the Information Commissioner now empowered to impose a fine of up to £500,000 for data breaches. This is forcing the issue of information and data security into the boardroom, pushing data protection up the agenda in 2010.
Analysing the true extent of cyber crime is problematic. The number of data breaches can only be measured if organisations report when their system has been targeted. Unsurprisingly, they are not all willing to do so. The public sector is portrayed as the main offender in data breaches, but this is skewed by the enforced reporting there; incidents within private organisations are perhaps as prevalent.
Two security challenges that were vastly underestimated last year were the importance of encryption technology in supporting DLP software, and the effort organisations would need to make to protect devices that are lost or stolen.
Encryption has made huge advances, and the cost is coming down, making it a far more accessible option than a few years ago. It offers an added layer of security that any organisation with mobile or 'plug-and-play' devices or sensitive data should seriously consider.
Social networking has boomed in popularity and presents organisations with a host of security considerations. In addition to ID fraud, it is estimated that billions of pounds are lost in productivity every year as a direct result of staff clocking up hundreds of hours each day visiting social networking sites. Prolonged internet use by individuals also reduces the bandwidth available for business-critical applications.
A bigger threat still is the potential loss or sharing of confidential management information when staff log into external sites and upload information without the necessary gateway filtering in place. The growing application community that encourages users to create and share their own applications also introduces potential malware and virus threats to organisations whose staff use corporate addresses when communicating with social networks.
So what are businesses doing about it? PwC's 2010 Global Information Security Survey showed that 36 per cent of companies are now auditing and monitoring postings by employees on blogs and social networking sites, but only 23 per cent have a fixed security policy for use of such sites. This is an area of growing concern with readily available solutions, but more firms need to become aware of the threat, implement the software to protect themselves and educate staff to understand the implications of their actions.
The same PwC survey showed that 63 per cent of organisations expected internal IT security spending to stay the same or increase, despite the continued state of the economy. This implies that organisations regard the continuing threat and cost of viruses, Trojans, malware and data breaches as justification for sustained or expanded security spending.
Last year, Blue Cube stressed the importance of organisations taking a proactive approach towards risk analysis, business process audits and a policy of educating staff about the role they can play in information security. These are still vital actions for organisations to adopt for 2010-11. Blue Cube feels that organisations should also consider the need to maintain investment in the long term and commit to enhancing their technology, to ensure they are as well protected as they should be.