TechBeat: Cyber security — Maturing cyber attitudes
The cyber threat landscape has changed dramatically in recent times, with mass ransomware attacks, targeted phishing, CEO fraud and sophisticated penetrations, on top of the usual denial of service and SQL injection classics. And all of this in the context of nation state attacks and mass surveillance. High profile breaches continue to fill the headlines and the new privacy regulation preparations are still being felt in many organisations.
TechBeat, in association with DataSolutions, has again built upon earlier research in tracking Ireland’s cyber threat situation, and this year 111 Irish IT professionals and senior decision makers responded in June.
What is perhaps more interesting is that the don’t knows went from 3% in 2016, to 5% in 2017, but now in 2018 have jumped to 15%. This would suggest that a growing awareness of this insidious cyber threat means that far less organisations are confident in saying they have not been subject to such attacks. The ubiquity of these attacks is now being recognised, but that awareness, coupled with better protections has probably lead more organisations to realise that just because they have not experienced encrypted files that they have not been the target of an attack.
“This result tallies closely to our findings from last year’s survey,” commented David Keating, sales manager, DataSolutions, “where 19% stated they had been held to ransom by a hacker at some point. The results of the survey show that while ransomware remains an effective weapon for cybercriminals seeking to extract money from Irish businesses, there is no significant increase on last year’s figure. This is positive as it shows that companies are taking the necessary steps to implement security systems to secure their interests and business.
On the subject of a ransom, the vast majority (78%) of organisations maintain that they would never pay a ransom. This has fallen from 93% in 2016, and 81% in 2017. Perhaps reflecting the greater understanding of the potential impact of a ransomware attack, when combined with the don’t knows, these figures suggest a certain pragmatism among Irish organisations.
“We are still surprised by the number of businesses that wouldn’t consider paying a ransom,” Keating admits. “In reality, I think if faced with the situation organisations would consider paying a small ransom provided they felt there was a good chance they would get their data back.”
Of those who would pay a ransom, 7% would pay from €1,001 – €5,000, with 6% saying they would pay up to €1,000, and just 4% saying they would pay up to €10,000. But oddly, nearly 4% said they would pay more than €100,000.
Cyber security spend is a constantly fluctuating figure, and in 2018 21% said it would be the same as last year, while less than 3% said less than 2017. Of those whose budget will grow this year for cyber security, almost a quarter (22%) said by up to 10% more than 2017, slightly more than a quarter (26%) said from 11-25% more than last year. One in five will get a big increase of 26-50% more, while one in 10 will get an expansion of more than half over the previous year.
This broadly is reflective of the need to stay secure against an increasingly targeted, sophisticated and persistent collection of threats. While there is no wholesale multiplying of budgets reflecting panic, the modest increases more likely show that judicious investments, many of which are likely to be managed security service-based, are being made to shore up organisations.
Despite the broad range of threats, 39% of respondents said they think their organisation is equipped to deal with emerging threats, though this does leave a strong majority (61%) who do not.
“This number has more than doubled since 2017,” Keating observes, “where 27% of respondents said they didn’t think their organisation was prepared to defend against emerging threats.”
“The complex nature of modern threats remains the biggest concern with 70% of respondents citing this as the main concern for their security team. However, 93% of companies now have a cyber defence strategy in place and over half of the respondents are confident that they have an effective cyber strategy and team in place to defend their organisations.”
“While these statements might sound contradictory,” Keating argues, “it’s my opinion that what this demonstrates is a more mature attitude to IT security emerging, which recognises that there are always going to be new threats out there. Irish businesses have put a good strategy in place to defend against these emerging threats and cyber security is well and truly at the heart of their business.
The majority of respondents (57%) believe they have an effective cyber security strategy in place, though the 43% who do not believe so is still significant.
As Keating observed, a combined 93% have a cyber security strategy in place, but nearly a quarter (24%) are not or not all confident in it. More than half (53%) are confident in their strategy, with 16% being extremely confident.
Some 22% believe their security teams are completely prepared to meet today’s cyber security challenges, while more than half (54%) believe they are prepared but not completely. A full 24% believe they are not prepared.
Of those who said their teams are unprepared for today’s cyber security challenges, the principle reason (70%) was the complex nature of modern threats, followed by a lack of expertise and insufficient budget, both at 36%. A lack of training was indicated by 33%, with lack of access to tools specified by more than a quarter (29%).
“Irish companies are fully aware that they need to take proactive measures to protect their organisation, so much so that 97% are spending the same or more than 2017 on IT security, with a 31% to increase spend by more than a quarter compared to last year,” said Keating.
An indication of spending directions could be taken from the fact that less than a third (31%) of respondents say that their cyber security technologies are fully up to date. Nearly half (49%) say they are somewhat up to date, while 11% say they are somewhat out of date, and nearly one in 10 (9%) say they are three years or more out of date.
When asked what they perceived as the greatest security threats to their organisation, the answer was not external, with 60% saying careless staff or human error. This was a little way ahead of phishing attacks (57%), malware (56%) and ransomware (52%). Distributed denial of service (DDoS) came in at just 23%, with SQL injection at just 18%.
The greatest risks were somewhat unsurprising, though it was perhaps unexpected for reputational risk (36%) to come in so far ahead of financial risk (20%), with fear of an attack (24%) also significant. Compliance requirements, fear of GDPR fines and fear of going out of business were all in single figures, with the latter at just 1%.
“The majority (56%) of survey respondents recognised that brand damage is biggest factor for investment in new security infrastructure,” said Keating. “A curious figure to emerge from the budget question was that only 7% of respondents cited GDPR and GDPR fines as a motivator for investment. These finding ties in with the survey findings that over 80% of respondents felt they weren’t fully compliant by the GDPR deadline on the 25 May, but 62% did say they have ongoing projects in place. We would anticipate this figure to have improved next year.”
Having indicated strong budget growth earlier, a slim majority (51%) still felt that there is still insufficient budget for investing in new cyber security infrastructure.
The security stance for various aspects of IT was also assessed scoring out of 10, with 10 being highly secure. Data centres (physical and virtual), cloud infrastructure (IaaS, PaaS), cloud applications (SaaS) and network perimeter/DMZ were all perceived as being the most secure, with weighted averages around the 7.5 mark. Business applications, such as ERP, CRM, HR and BI, was just below 7, as were endpoints and web applications. But the lowest scores for perceived security, all below six out of 10, were for mobile devices and social media.
There is little surprise here, in terms of ranking, what is perhaps unexpected is that there was no average score above 8 for perceived security.
On the question of trust to handle personal data, employers (53%) faired best, followed by banks (47%) and utilities providers (37%). Of those who said they did not trust groups with their personal data, a staggering 98% fingered social media providers, followed by retailers (87%), government (65%) and utilities providers (62%).
The most trusted handlers of personal data then are employers while the least trusted are social media providers. This is hardly surprising, but governments position of being trusted by just 35% and being distrusted by 65% is worrying indeed.
The shadow of the General Data Protection Regulation (GDPR) still looms large, and post the May deadline, just 23% feel they are fully compliant, with 60% saying they do not believe they are fully compliant. 14% say they know they are not compliant while a baffling 4% say they have not yet begun compliance efforts.
For Keating, there is no question of the regulations’ importance.
“The importance of the GPDR project,” Keating added, “is borne out in the last question of the survey around trust in organisations managing our personal data carefully. A whopping 98% of respondents do not trust social media providers; 65% do not trust government agencies to mind our data while respondents own employers are the most trusted.”
With regard to breach notification, less than a third (30%) say that in the event of a loss of personal data as a result of a cyber attack they would notify the relevant authorities immediately. Just 14% said they would do so within 12 hours, 30% within 24 hours, with single digits indicating up to 72 hours later. Just 3% said they would not inform authorities at all.
“In the event of businesses experiencing a loss of person data as a result of a cyber attack, people are prepared to act fast,” Keating observes. “According to the survey, the average time to notify authorities is 14 hours. Less than one in 25 would not inform authorities. This looks like a major cultural change in how seriously people take their obligations.”
Overall, the survey this year shows a pragmatic attitude to security, both in terms of threats and protection. Irish organisations are displaying greater awareness, but also greater understanding of threats. As Keating suggests, this is due to a maturing recognition that there will always be threats and new vectors emerging, but that careful planning, risk-based allocation of resources and constant review can provide good levels of protection. As the old saying goes, one does not need to be the most secure business out there, just the least attractive target among your peers.
This realisation that one cannot protect everything all the time has grown and resulted in greater application of risk analysis in security strategies. However, the increasing fluidity of infrastructure, across wireless and mobile, as well as distributed campuses and systems, means that new ways of thinking must also be employed to protect data above all, at rest and in motion, while still making it available to all who have legitimate need of it.
This year’s results are encouraging and at the same time indicative of more work to be done with constant vigilance for cyber security to remain at the heart of Irish organisations.