TechBeat: Securing your future – preparing for the unexpected
Information security has been described as an ‘infinite game’.
It is not a project, or an end point, it is a journey, a strategy and an attitude. The many issues to be dealt with are sometimes foreseeable and describable, for which a plan can be determined. Sometimes, however, they are the classic black swan incidents—unexpected, unforeseeable and potentially disruptive to business, people and process.
TechBeat, in association with Data Solutions, set out to ask Irish IT professionals about how they handled the major issues in information security today, as well as some of the less predictable occurrences, from emerging threats to fraud, phishing and malware. By gaining an insight into how Irish organisations are meeting the expected issues, it might help in understanding how best to tackle the more opaque aspects of the ongoing task of protecting data, people and the business.
The survey was carried out in July among 112 Irish IT professionals.
The first question dealt with a common issue currently, that of ransomware. Respondents were asked if their organisation had ever been held to ransom. Almost one in five (19%) said they had, with just over three quarters (76%) saying no, and 5% saying they did not know.
“This result tallies closely with findings from last year’s survey,” said David Keating, security specialist with DataSolutions, “and highlights the fact that cybercrime still poses a serious risk to Irish organisations. Ransomware attacks are a very disruptive form of cybercrime and target all types of end users regardless of size. Having said that, businesses that don’t have good security practices in place tend to get hit more.”
The survey then asked if, in the wake of the recent WannaCry attack, organisations had taken additional security measures. Unsurprisingly, almost three quarters (73%) said yes, but more than a quarter (26%) said no additional measures were taken. One respondent said they had never heard of WannaCry.
While it is encouraging to see that so many have taken additional measures, it is not necessarily safe to conclude that those that have not taken additional measures actually have adequate protections in place.
“The response to this question highlights that there is widespread awareness of WannaCry,” said Keeting, “but an amazing number of Irish businesses are not taking the necessary steps to protect their assets. Investing in preventative architectures could go a long way towards helping organisations to protect themselves from future threats. Many companies are focused on detection-based technologies, but in order to really safeguard their interests organisations need to make it their goal to protect against the attacks that are yet to happen.”
On the topic of ransoms, respondents were asked if they would pay, and how much. Reflecting the hardening attitudes towards this kind of malware, the vast majority (81%) said they would never pay a ransom, while 8% were willing to pay up to €500, with the same proportion willing to go up to €2,500. Just 2% would pay up to €10,000, and 1% would go as far as €50,000.
“The majority of businesses say that they would never pay a ransom,” Keating observed, “but it’s interesting to note that the number who say they would pay is the same as the number who say that they have been held to ransom in the past 12 months. This reflects the reality of the situation; confronted with the reality of being held to ransom by hackers and having their data encrypted, it’s likely that the majority of people would pay the amount requested of them.”
The survey asked how organisations protect networks through secure access facilities. More than half (51%) still rely on a username/password, while almost a third (29%) use two factor authentication (TFA), such as an application on a mobile phone. Only 4% use a hardware token, with the same relying on digital certificates. Worryingly, 4% say they don’t know. Among the other options specified were proprietary VPN access via firewalls and cloud-based tools.
“It’s no surprise that more than half of Irish companies still rely on user names and passwords to secure their networks,” said Keating, “but it’s disappointing. Organisations should really be implementing more secure means of access, such as two-factor authentication.”
Of those that use two-factor authentication of some sort, almost a third used it to secure access to corporate VPNs, while 13% used it for cloud-based resources such as Office 365. Slightly less (12%) used it to secure access to internal resources, while just 8% used it to secure access to highly sensitive resources, such as payroll.
Keating noted that it was somewhat odd to see TFA used in such restrictive fashion.
“Of course, people are still focused on the security of their VPNs but things have moved on and two-factor authentication shouldn’t be restricted to securing this one area. Two-factor can be a great way of stopping the spread of ransomware around the network from the initial infected device, but it can only help if it is in wide use in an organisation.”
Security is an expensive business, and the question on budget held few surprises. While just 7% expected to have less to spend than in the previous year, more than two thirds (67%) expected the same or up to 25% more budget. A significant 18% expected to have 25-50% more to spend, while just 5% expect 50-75% more.
This tallies fairly closely with the earlier question about additional measures being taken, but as Keating observes, also supports the trend identified in last year’s results.
“Again, this is similar to the results of last year’s survey, illustrating that a significant number of Irish companies are increasing their cybersecurity budgets year on year, a move which is likely spurred on by constantly increasing cybersecurity threats.”
While not a security threat as such, the impending General Data Protection Regulation (GDPR) nonetheless has significant implications for data protection and information security in general. With the implementation deadline less than a year away, it is heartening to see so many organisations (84%) taking steps towards compliance. However, the 14% who say they have not are taking a significant risk. A worrying 3% have not heard of GDPR at all.
As observed in our features series on GDPR earlier this year, the additional resources that organisations will need to facilitate their compliance journey will became more and more scarce as the deadline looms, so laggards may find themselves in an unenviable position come January of 2018.
“GDPR will completely change how organisations handle and process the data of individuals,” Keating warns, “and achieving compliance to the regulation is a time and resource intensive process.”
“Those who fail to act now to guide their organisation through the process towards achieving compliance will find themselves up against a hard deadline in May next year, and facing the prospect of being found liable to fine of up to €20 million or 4% of global turnover. As the results of question 10 make clear, it’s unlikely that many companies will be capable of paying these fines, and many could be forced to cease trading or lay off staff in order to survive.”
Perhaps surprisingly, more than a third of organisations (36%) have not allocated any budget for GDPR efforts, while slightly less (30%), don’t if they have. Just over 1 in 10 (11%) have allocated up to €5,000, 4% up to €20,000 and 7% up to €50,000. Low single digits then scale up to €1 million.
“Organisations that have earmarked specific budget to address the changes in regulatory compliance have done their homework and recognise just how significant the changes are going to be,” said Keating. “For most organisations involved in the collection and processing of the personal data of EU citizens, achieving compliance will require significant changes to their policies and process, and allocating specific budget to tackling these changes is a wise move.”
The GDPR budget results tally with its priority level for Irish organisations, with more than a quarter (26%) describing it as a top three priority, while more than half (54%) saying it is just one of a number of priorities. A worrying one in five say it not a priority, betraying more of a lack of understanding than unawareness, it could be argued.
“Those who say that achieving compliance is not a priority for their organisation are falling victim to the mindset that this leaves them with plenty of time to make any changes that the legislation requires.” Keating asserts. “What many don’t realise is that, as the replacement for the 1995 Data Protection Directive, GDPR represents the most significant development in data protection law in many years. As such, companies need to approach the regulation with the right mindset and make sure that they take all the necessary steps to protect themselves from fines that could prove insurmountable.”
The new regulations allow for hefty administrative fines, of up to €20 million or 4% of global turnover in the previous year, whichever is higher. When asked how this would impact the organisation, almost a third (35%) said they would continue trading but having to scale back growth plans. Nearly a quarter (23%) said they would be forced to cease trading immediately. Nearly one in five (18%) said they would continue trading but at a much reduced scale, while some 15% said they would pay the fines and continue without a problem, while 9% said they would continue but with layoffs.
With cloud computing an ever-present item on corporate agendas, respondents were asked if security fears were limiting their adoption of cloud technologies. More than half (60%) said they were, while almost a third (34%) said no, with 6% saying they did not know.
Keating said this was to be expected. “This is primarily due to a failure to implement the specific security tools necessary to deal with cloud, which is a fundamentally different architecture to on-premise solutions. Companies don’t need to fear the cloud, they just need use security tools that are designed to work in the cloud rather than trying to shoehorn traditional solutions into a cloud environment.”
The topic of cloud computing, as well as GDPR, highlights the issue of suppliers and their security posture. When asked about this, only 14% said they were concerned about supplier security, and audit them for their implementations. Nearly a quarter (22%) said they were concerned. And they certify their standards and practices, which left 16% that said they were not concerned about supplier’s security, and 4% who did not know.
“This is a continuation of a long-running trend,” said Keating, “and is sure to become even more of an issue in light of GDPR. As well as making sure that they’re not the weakest link in the chain, companies need to also ensure that they’re not doing business with suppliers that could be the cause of a cyber-attack against them.”
“In the event of a cyber-breach, the brand damage is almost certain to affect your business. Many companies may not be able to survive the fallout. If, on the other hand, you’re the supplier that causes the problem, this can destroy any relationship you have with affected third parties as well as your own reputation.”
Respondents were asked if they felt their organisations were equipped to deal with emerging threats, and the majority (57%) said they were, while 30% said they were not, with a 14% who did not know.
When asked about specific risks (top three) and exposure, 77% said the top risk that increased exposure over the last 12 months was careless or unaware employees, followed by outdated information security controls or architecture (46%) and social media use. (28%).
In terms of externals risks increasing exposure in the last 12 months (top three), the greatest risk was seen as malware (67%), followed by phishing (63%) and spam (33%). However, cyberattacks for financial details (25%), fraud (23%) and zero-day attacks (19%) also figured significantly.
“Cyberthreats are continuing to increase in sophistication and complexity,” stated Keating. “Last year, we found that almost half of Irish businesses do not provide regular training to staff and this result suggests that companies are still failing to provide this training. If employees know how to recognise threats it will greatly reduce their organisation’s level of risk. As well as this, it’s extremely beneficial if staff know what to do in the event of a breach, as this will enable the business to react quickly and limit the damage caused.”
“The fact that almost half of organisations say that working with outdated tools/ equipment increased their risk exposure highlights the need for companies to implement advanced solutions.”
The results this year, building on previous years, show an evolving threat landscape, as well as evolving attitudes. Irish organisations are realising that appropriate tools and resources are necessary to meet today’s challenges. However, the results show that there are still worrying pockets of either misguided confidence or lack of awareness on certain issues, GDPR compliance being one.
As the Data Protection Commissioner has observed, there will be no grace period post the May 2018 deadline, and in much the same way, when facing cyberthreats, it is a constant battle that requires vigilance, agility and attention to detail.