Infosec ignorance is not an option for enterprises

Reports suggest more than half of enterprises lack infosec knowledge and a third admit to not being aware of recent business cyber security epidemics. What's gone wrong? Davey Winder tries to answer that very question.


The end of a year is always a good time for statistics, not least as they get thrown in the direction of us journalist types like coins at a football match.

Take McAfee, for example, which has revealed, with just a hint of ironic surprise, that 2012 has seen an 'explosion' in cyber crime. Detected mobile malware has almost doubled over the previous quarter's total, and the end of the year has seen an all-time high when it comes to successful database breaches. Although the news that there is more malware comes as no great knee-wobbler, the fact that certain types of malware are back on the agenda (ransomware is on the up, as are AutoRun exploits and password-stealing Trojans) when you might think they were well protected against already should be enough to send a small shiver up the infosec spine.


Could the revival of old hat exploits, running alongside zero-days and socially engineered targeted and persistent attacks, be indicative of something more than just the obvious observation that there's money to be made in cyber crime and during times of recession more folk are prepared to play the risk versus reward game?


According to a survey conducted for Kaspersky Lab, 58 per cent of companies questioned admitted to a lack of resources in both staffing and improving IT security, and half lack knowledge or understanding about the potential security threats facing the enterprise. Even more alarming was the revelation that a third of key IT specialists were simply not aware of any of the most common IT security epidemics that not only targeted the corporate sector but posed a direct threat to their own business.

It seems that 'poor understanding among senior managers of the reasons why IT departments exist' was to blame for the lack of resources put into staffing and improving IT security systems, reducing the organisation's ability to cope with security threats, exploits and incidents. Although security problems cannot be rectified just by hiring more staff, the fact that 35 per cent of those asked had insufficient employees trained to deal with IT threats is indicative of the real problem: the lack of understanding of the real danger to the business that IT insecurity poses.

A low level of staff training, and higher than acceptable levels of computer illiteracy among staff leading to social engineering opportunities for the bad guys, are obviously areas that need addressing.

Kaspersky Lab states that "teaching staff the basics of IT security should be no less important than installing the latest security software" and it's very hard to argue with that statement. Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, sums it up by saying "IT security staff are not always sufficiently trained and competent to protect businesses from the most pertinent threats. This is why our goal, as a leader in the IT security industry, is not only to produce solutions, but also to raise awareness."

Mr Kaspersky has got it bang on. And he's not the only one. Although it is easy to dismiss the news-led information sites, blogs and releases from security vendors as 'just another marketing opportunity', there is more to it than that. Most of these companies, and the researchers working for them, want to defeat the cyber criminals and that's just as big a driver as making money; perhaps more so for the white coats on the front line of the battle. Unfortunately, if only journalists and other security researchers are reading what they have to say, then at the end of the day it's a bit of a pointless obsession.

Here's the thing - and it's far from rocket science - IT security is never, ever, someone else's problem. Ultimate ownership of your data security belongs to you and nobody else. Sure, security vendors are forever introducing new defensive technologies, or at least new ways of applying old ones, and the cloud offers perhaps the most interesting and potentially effective example.


The trouble is, the bad guys are moving as fast if not faster than the good guys. New threats are being developed all the time, and worryingly old ones continue to be exploited. Until those in a position within the enterprise to do something about it get to grips with the fact that ignorance is not an option, there's a good chance that we will be reading more of the statistics that this piece started with in the years to come.
