Infosec ignorance is not an option for enterprises
Reports suggest more than half of enterprises lack infosec knowledge and a third admit to not being aware of recent business cyber security epidemics. What's gone wrong? Davey Winder tries to answer that very question.
The end of a year is always a good time for statistics, not least as they get thrown in the direction of us journalist types likes coins at a football match.
Take McAfee, for example, which has revealed, with just a hint of ironic surprise, that 2012 has seen an 'explosion' in cyber crime. Detected mobile malware has almost doubled over the previous quarter's total, and the end of the year has seen an all-time high when it comes to successful database breaches. Although the news that there is more malware comes as no great knee-wobbler, the fact that certain types of malware are back on the agenda (ransom ware is on the up, as are AutoRun exploits and password-stealing Trojans) when you might think they were well protected against already should be enough to send a small shiver up the infosec spine.
Here's the thing - and it's far from rocket science - IT security is never, ever, someone else's problem.
Could the revival of old hat exploits, running alongside zero-days and socially engineered targeted and persistent attacks, be indicative of something more than just the obvious observation that there's money to be made in cyber crime and during times of recession more folk are prepared to play the risk versus reward game?
According to a survey conducted for Kaspersky Lab, 58 per cent of companies questioned admitted to a lack of resources in both staffing and improving IT security, and half lack knowledge or understanding about the potential security threats facing the enterprise. Even more alarming was the revelation that a third of key IT specialists were simply not aware of any of the most common IT security epidemics that not only targeted the corporate sector but posed a direct threat to their own business.
It seems that 'poor understanding among senior managers of the reasons why IT departments exist' was to blame for the lack of resources into staffing and improving IT security systems, reducing the organisations ability to cope with security threats, exploits and incidents. Although security problems cannot be rectified just by hiring more staff, 35 per cent of those asked had insufficient employees trained to deal with IT threats is indicative of the real problem: the lack of understanding of the real danger to the business that IT insecurity poses.
A low level of staff training, higher than acceptable levels of computer illiteracy among staff leading to social engineering opportunities for the bad guys, are obviously areas that need addressing.
Kaspersky Lab states that "teaching staff the basics of IT security should be no less important than installing the latest security software" and it's very hard to argue with that statement. Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, sums it up by saying "IT security staff are not always sufficiently trained and competent to protect businesses from the most pertinent threats. This is why our goal, as a leader in the IT security industry, is not only to produce solutions, but also to raise awareness."
Mr Kaspersky has got it bang on. And he's not the only one. Although it is easy to dismiss the news-led information sites, blogs, releases from security vendors as 'just another marketing opportunity' there is more to it than that. Most of these companies, and the researchers working for them, want to defeat the cyber criminals and that's just as big a driver as making money; perhaps more so for the white coats on the front line of the battle. Unfortunately, if only journalists and other security researchers are reading what they have to say, then at the end of the day it's a bit of a pointless obsession.
Here's the thing - and it's far from rocket science - IT security is never, ever, someone else's problem. Ultimate ownership of your data security belongs to you and nobody else. Sure, security vendors are forever introducing new defensive technologies, or at least new ways of applying old ones, and the cloud offers perhaps the most interesting and potentially effective example.
The trouble is, the bad guys are moving as fast if not faster than the good guys. New threats are being developed all the time, and worryingly old ones continue to be exploited. Until those in a position within the enterprise to do something about it get to grips with the fact that ignorance is not an option, there's a good chance that we will be reading more of the statistics that this piece started with in the years to come.