TechBeat: The way of the IT pro
25 June 2015
For many organisations currently, public cloud services, and the likes of software as a service (SaaS), mean that third party providers now make up a significant element of their IT landscape. Despite this, 38% said that they did not conduct cybersecurity evaluations of third party cloud service providers, while 23% did not know if such evaluations were conducted.
“We know from experience,” said Larkin, “that it is critical to understand the risks that key suppliers pose to your organisation and to protect your data and processes appropriately regardless of insourcing or outsourcing. This finding reflects our overall experience that organisations do not adequately assure the security of their downstream supply chain, be it cloud or non-cloud. Even though, however, some organisations in this supply chain may have access to sensitive data or business processes for that organisation. We have seen the detrimental effect of this weakness hit on a number of significant organisations in a very high profile manner over the past two years.”
Another common cybersecurity issue is targeted attacks. The respondents were asked if they thought anyone in their organisation had been the target of a well-crafted spear phishing attack, using actors or impersonators. Nearly half (48%) said they thought so, one in five said they did not, and nearly a third (32%) did not know.
Delving further, respondents who answered in the affirmative were asked if the attack was successful. A significant 7% said they thought it was, more than half (58%) said it was not, while more than a third (35%) said they did not know.
“We’re also seeing continued targeted attacks using relatively simple but effective means such as phishing against individuals within organisations,” said Larkin. “Recent Verizon data breach reports indicate that 23% of people who receive a phishing email will open it. A further 11% will go on to click on the link or attachment. Phishing in all its guises (general, spear and whale) continues to be a very effective way for the ‘bad guys’ to cause both personal and organisational damage.”
What emerges from this survey is the extent of penetration, not only of smart connected devices, but also of social media in Irish organisations, and the often blurred lines between the personal and professional use of both. What is also clear is the increasing importance, effort and spend required on cybersecurity issues and concerns. The potential impact of cybersecurity issues seems to be well understood, but the lack of third party assurance seems at odds with the general level of awareness.
“This survey reveals the significant costs of information security to an organisation,” Larkin observed. “Our experience is that organisations spend between 4% and 10% of their IT budgets on information security, depending on their need or risk profile.”
This significant level of spend still needs to be better managed, it would appear, with many organisations still needing better assessment of risk and security posture. Litigation and data retrieval for the same is likely to become more pressing in the coming years, but as yet, this is a low overhead.
Confidence in public services is high, which is good news, and bodes well for further development and extension of access for citizenry.