CIOs have apparently not been getting the message, according to a new report from Carbon Black. Among the more shocking of the report's findings is that 28 percent of CIOs are ‘not concerned’ about breaches.
The report, which surveyed 200 CIOs in a range of companies with more than 1000 employees, was commissioned by Carbon Black, formerly known by the clunkier moniker of Bit 9 + Carbon Black.
“The situation is not good,” said Ben Johnson, former computer scientist at the NSA and co-founder of Carbon Black, as he presented the report's findings to the press.
The industry cliche that "there are those who've been breached and those who don't know they've been breached," has clearly not settled with the UK's CIOs. Nor, it appears, have they taken notice of the stats.
The numbers vary on how long it takes to detect a breach. Research from Trustwave released last year said that it takes, on average, 188 days to discover a breach. FireEye reported in 2013 that the average time was 229 days. Research from the Ponemon Institute put that number at 258 days and then another 100 days at least to fully remediate the threat.
Nobody told the UK's CIOs apparently. Twenty-six percent believed that they would be able to uncover a breach in less than two weeks, while 33 percent believed they could uncover a breach in less than three months. Only a handful, 14 percent, believed that it would take up to six months to discover a breach.
Still, over half believed that were a breach to happen to them, they would discover what systems and data had been affected in less than 24 hours.
The problem may lie, according to Johnson, in the fact that most companies continue to be reactive, as opposed to proactive when tackling cyber threats. He said, “Most companies do not try to figure out how the problem started. So that door that the bad guys walked through? It's still open.”
Nearly all of those surveyed use firewalls and anti-virus software and 62 percent use encryption. But fewer than half used advanced endpoint protection, leaving many in the dark about who or what is aimed at their organisation.
In some cases, these companies may feel they've done enough, said Johnson. Often, companies will write a big cheque, get a massive security system and sit behind those walls with a false sense that they're strong enough to keep anything out. They don't stop to think about who is digging under those walls.
Johnson told SCMagazineUK.com, “It is likely that some of those who aren't concerned simply think they are not yet a target, and what is more likely is that they feel like they have adequate protection in place, something that is woefully untrue. We know that everyone is a target and pretty much no organisation has the cyber resiliency to achieve anywhere near 100 percent effective defence.”
With the constantly morphing nature of threats and a massively broadening attack surface for assailants, this is no longer enough.
Johnson told SC that there are two things keeping CIOs from being proactive. First, proactivity “requires changing their posture, their processes and most likely their budget”.
Second is that CIOs and CISOs often don't understand how to be proactive about IT security. “It's a case of, ‘Oh, you've always had a firewall and a SIEM and a team that just looks at whatever issues service, so why change it?’ It's the status quo combined with not enough progressive leadership that works against more effective cyber-defence change.”
Norman Shaw, CEO and founder of ExactTrak, told SC, “For any CIO not to be concerned about data breaches is just plain negligent. They are putting their heads in the sand and nothing good ever comes of that.”
This kind of negligence will soon be addressed as a matter of law, too, added Shaw: “They have a legal responsibility to fully protect data and neither AV nor firewalls are data protection. Customers also have a right to expect that their information is protected at all points and at all times.
"Under the new EU GDPR legislation, if the CIO is a main board director they can be personally fined. And if data protection is in their objectives or job description then they need to be dismissed. Ignoring potential threats is negligent and needs a P45 to sharpen their minds.”