TechBeat: Security — risk and cybercrime
An encouraging response was that more than half (57%) of respondents said their organisation had a data protection officer in place, against 40% that did not and just 4% that did not know.
The survey asked respondents to rate their organisation's top five concerns regarding cyberattacks. Perhaps surprisingly, social media was the top average concern, followed by Internet of Things (IoT) devices, web applications and insider misuse. Phishing and distributed denial of service attacks were only in the middle of the range, while social engineering and attack via compromised third parties were in the lower ranges.
However, when asked to rate the most likely source of security breach in their company, respondents chose customers, followed by suppliers and then former staff in a tight grouping. A little below was insufficient security infrastructure, followed by others with malicious intent and staff. Surprisingly, criminals were rated lowest of the options.
The conclusion from these perceptions is clear: whether from customers, suppliers, staff or former staff, the human element is seen as a weak point in information security.
“It’s human nature, we all make mistakes,” said Keating. “The best policy here is honesty — reporting mistakes when they happen can mitigate the damage.”
“It’s not expensive to put protections in place to safeguard the really crucial pieces of info in your business. Companies such as Check Point offer digital loss prevention (DLP) blades to look after information which has been identified as sensitive.
“This kind of system can stop people from accidentally emailing but it’s harder to cut out disgruntled or malicious staff. This requires a lot more effort and is costly, and simply isn’t a viable option for most businesses. The best thing for most businesses to do is to prevent accidental leaks.”
Despite this awareness of the human element, more than half (52%) of respondents said their company does not provide regular training to staff around emerging cyber security risks, while 46% did and 2% did not know.
Keating said this number is down on last year when 43% said they did not offer regular training.
“This is an area in which it’s a case of the more training, the better. However, again it’s a case of finding the right balance. It’s important to pick your time carefully; if the IT team is constantly streaming updates then people stop paying attention to them.”
A similar gap appears when dealing with third party suppliers. While a third said that all contracts with third party suppliers outline information security requirements, nearly half (44%) said only some contracts did, while nearly a quarter (23%) said there was no outline.
“Worryingly, this is a 12% increase from last year’s results,” Keating observed, “and highlights that many businesses are not treating their supply chain with the due diligence that it demands. This has been an issue for a long time and a question we’ve been asking over the years. It’s very worrying that people are doing it even less now.
“Make sure you’re not the weakest link in the chain,” Keating advises. “You need to make sure when you’re doing business with third party suppliers that they won’t be the cause of an attack against you. The brand damage is almost certain to fall on you — just like it did with Target. Some businesses might not be able to survive such damage.”
Looking internally for sources of risk, respondents felt that the IT department was the highest source of information security risk (31%), with operations/production next (23%), followed by sales (17%). Finance and marketing were lower at 14% and 11% respectively, with HR considered a low risk at 5%.
“This is a significant increase from last year,” said Keating, “when the measure was just 19%.”
“In general, the IT department has more access and therefore the potential to do the most damage. However, this is not where most breaches come from. It’s more likely that the risk of a breach will come from other departments which are perceived as less risky, as we can see in these results.”
“Of course, a rogue IT operative could do incredible damage. Edward Snowden is probably the best known example of this. Think of the damage caused to the NSA.”
Overall, the survey shows that while awareness among Irish IT pros of the potential impact of cyberattacks, especially cryptoattacks, is high, perceptions of the source and likelihood of such attacks are somewhat skewed compared with reality.
While clearly steps are being taken to mitigate such risks, as shown by those that have taken additional steps and appointed DPOs, more can be done, especially around ongoing training. Third party assurance in contracts and evaluations could be better addressed too. The survey shows that while the likes of cryptoattacks are not uncommon, they are not yet widespread and so Irish organisations perhaps have time to more finely hone their response, both from a countermeasures and process perspective, to better fend off the rising tide of threat actors.