Inside the enterprise: Most data security threats are well known and can be prevented. But research shows firms fail to act.
When it comes to securing their networks and data, too many businesses are fitting expensive locks, but leaving the keys under the doormat.
There's no doubt that the information security threat has increased over the last few years, with the growth of organised crime, and state-sponsored electronic espionage and cyber warfare.
But most hacks, researchers say, take place against systems that are not properly secured, or using well-known, often simple, exploits where a fix or patch is available. Hackers today are still compromising systems using vulnerabilities from two, three or even four years ago.
What is fundamentally lacking is an incident readiness capability
One piece of research, by the US standards organization NIST, found that some 90 per cent of cyber attacks were aimed at these known vulnerabilities. Companies might be forgiven for failing to act quickly against so-called "zero day" attacks, but not against those that have been around for months, or even years.
Part of the problem is the complex nature of IT systems: it is becoming harder to keep everything up to date, and to keep on top of all patches and vulnerability alerts. But part of the problem is also an unrealistic reliance on technology and automation. CIOs might believe their networks are protected, but no defence is impenetrable.
This problem is highlighted in the recent annual Global Security Report from Trustwave, an IT security consultancy.
According to John Yeo, the company's head of ethical hacking and incident response, companies are not only failing to secure systems properly, by ensuring their defences are up to date and systems correctly configured. They are failing to detect attacks, and not responding in the right ways when they do.
The problem of failing to detect attacks is especially worrying, as hackers can do untold damage in the time it can take a company to realise they have been compromised. In these cases, the breach can lead to the loss of tens of thousands of personal records or items of intellectual property that could have been secured, had the hack been detected and the malware removed.
And it is the lack of a proper incident response that is letting companies down, says Yeo. Businesses may invest heavily in disaster recovery and business continuity plans, and can be as prepared as possible for theft, fire or flood. But the disruption caused by a cyber attack is often left out of that planning.
"What is fundamentally lacking is an incident readiness capability," he warns. "You need to start with the mindset that at some point, you will suffer a breach. So you need to have people, processes and technology in place to respond when, not if, that occurs.
That incident response plan should be kept up to date, and the people involved should take part in exercises and drills. As Yeo points out, the best response teams are cross-department, and may not be people who work together on a day to day basis: not just IT, but HR, the legal team, and even physical security.
An efficient information security response plan needs to be kept up to date, as do information security tools. As the public awareness posters used to say: "lock it, or lose it."