Infosec ignorance is not an option for enterprises

Reports suggest more than half of enterprises lack infosec knowledge and a third admit to not being aware of recent business cyber security epidemics. What's gone wrong? Davey Winder tries to answer that very question.


The end of a year is always a good time for statistics, not least as they get thrown in the direction of us journalist types like coins at a football match.

Take McAfee, for example, which has revealed, with just a hint of ironic surprise, that 2012 has seen an 'explosion' in cyber crime. Detected mobile malware has almost doubled over the previous quarter's total, and the end of the year has seen an all-time high when it comes to successful database breaches. Although the news that there is more malware comes as no great knee-wobbler, the fact that certain types of malware are back on the agenda (ransomware is on the up, as are AutoRun exploits and password-stealing Trojans) when you might think they were well protected against already should be enough to send a small shiver up the infosec spine.

Could the revival of old hat exploits, running alongside zero-days and socially engineered targeted and persistent attacks, be indicative of something more than just the obvious observation that there's money to be made in cyber crime and during times of recession more folk are prepared to play the risk versus reward game?

According to a survey conducted for Kaspersky Lab, 58 per cent of companies questioned admitted to a lack of resources in both staffing and improving IT security, and half lack knowledge or understanding about the potential security threats facing the enterprise. Even more alarming was the revelation that a third of key IT specialists were simply not aware of any of the most common IT security epidemics that not only targeted the corporate sector but posed a direct threat to their own business.

It seems that 'poor understanding among senior managers of the reasons why IT departments exist' was to blame for the lack of resources for staffing and improving IT security systems, reducing the organisation's ability to cope with security threats, exploits and incidents. Although security problems cannot be rectified just by hiring more staff, the fact that 35 per cent of those asked had insufficient employees trained to deal with IT threats is indicative of the real problem: the lack of understanding of the real danger that IT insecurity poses to the business.

A low level of staff training, and higher than acceptable levels of computer illiteracy among staff that open up social engineering opportunities for the bad guys, are obviously areas that need addressing.

Kaspersky Lab states that "teaching staff the basics of IT security should be no less important than installing the latest security software" and it's very hard to argue with that statement. Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, sums it up by saying "IT security staff are not always sufficiently trained and competent to protect businesses from the most pertinent threats. This is why our goal, as a leader in the IT security industry, is not only to produce solutions, but also to raise awareness."

Mr Kaspersky has got it bang on. And he's not the only one. Although it is easy to dismiss the news-led information sites, blogs and releases from security vendors as 'just another marketing opportunity', there is more to it than that. Most of these companies, and the researchers working for them, want to defeat the cyber criminals, and that's just as big a driver as making money; perhaps more so for the white coats on the front line of the battle. Unfortunately, if only journalists and other security researchers are reading what they have to say, then at the end of the day it's a bit of a pointless obsession.

Here's the thing - and it's far from rocket science - IT security is never, ever, someone else's problem. Ultimate ownership of your data security belongs to you and nobody else. Sure, security vendors are forever introducing new defensive technologies, or at least new ways of applying old ones, and the cloud offers perhaps the most interesting and potentially effective example.

The trouble is, the bad guys are moving as fast as, if not faster than, the good guys. New threats are being developed all the time, and worryingly old ones continue to be exploited. Until those in a position within the enterprise to do something about it get to grips with the fact that ignorance is not an option, there's a good chance that we will be reading more of the statistics that this piece started with in the years to come.
