New research launched by Cyber Security EXPO (Excel, London, 8-9 October 2014) and conducted by Redshift Research, claims that despite available budgets UK organisations are vulnerable due to a lack of skills and access to the latest security technology. This is despite the fact that many predict an increase in attacks driven by increased employee use of smartphones and tablets.
The survey of 300 UK IT directors and managers identified the perceived challenges to an effective security programme, gauged reactions to recent high profile attacks and examined attitudes to improving identification and authentication within organisations.
Main perceived challenges
While only 9% of respondents cited lack of budget as the most significant challenge, 37% of respondents were most concerned about a shortage of security technology. Almost a quarter (23%) claimed the biggest challenge was the shortage of well-qualified people.
This was despite the fact that 38% of respondents predicted an increase in vulnerabilities driven directly from users 24/7 use of smartphones and tablets. This was particularly prevalent within the banking sector (47%), public sector (42%), utilities (50%) and telco (53%) sectors.
Impact on risk response
This would appear to be having a direct impact on how UK organisations can effectively respond to attacks. When asked if recent claims from Russian hackers that they have amassed 1.2 billion User ID / Password combinations had prompted any action (for example had they warned users /customers, imposed password changes, adjusted IDS and alert escalation policy), an astonishing 47% of respondents said no action had been taken.
Worst offenders included technology companies (43% of whom took no action), transport (64%) and worryingly 63% of public sector respondents.
Encouragingly, utility, engineering and banking and finance sectors performed better here with 80%, 69% and 60% respectively claiming to have taken proactive action.
Improving identification and authentication
When asked about what they would ideally implement to most improve identification and authentication in their organisation, two-factor authentication proved a firm preference with 48% claiming this would have the biggest impact. Biometrics came in at 31%, with single sign on coming in at only 19%.
55% of those asked would also immediately ban the use of USBs, with 18% claiming that they already do. The most anti-USB sectors appear to be banking and finance (33%), followed by local authorities (36%) who claim they already have a complete ban on USB devices.
A range of Cyber Security EXPO exhibitors commented on the results of this survey. This is what they had to say:
“Online security should be seen in the same light as a healthy living programme. You have to work at it continuously and you have to be able to adapt when things get tough. Many user ID and password combinations are very predictable meaning they are easily guessable for hackers, even those with minimal knowledge. In the current environment it’s critical to ensure your online security is as healthy as it can be.”
Adrian Crawley, Regional Director, UK & Ireland, Radware
“The concern about the lack of security skills puts the onus on vendors to make their technology easier to deploy, configure and manage. In particular, IT departments want better visibility so they can see what’s going on in their networks in real time without trawling through logs and respond more rapidly.”
Jon-Marc Wilkinson, Distribution Manager UK & Ireland, WatchGuard Technologies
“A constant battle of cat and mouse between vendors, their customers and attackers, the sheer rate of change in the security industry presents a colossal challenge to stretched in-house IT teams. That’s why turning to an external specialist 100% focused on security is the best option for many businesses. An external company with resources to devote themselves entirely to security is more able to keep their customers up to date, protected and closely scrutinised for potential threats, whether that be a spear phishing attack or mobile-targeted malware. Another plus – if they are cloud-based, customers also benefit from an improved speed of response because the external team is able to monitor 24 hours a day, 365 days a year, and protect against attacks across their wider customer base, not just one specific environment”.
Dan Sloshberg, Director of Product Marketing, Mimecast
“As the research findings show, with the massive weekly data breaches and increasingly destructive and sophisticated cyber attacks, existing security solutions are not stopping, or even slowing, cybercriminals’ momentum. For us, it’s not about doing security incrementally better to solve this hard problem, rather it’s time for a completely different approach to data centre security.”
Timothy Eades, CEO, vArmour
“Bringing in effective secure mobile working solutions for an organisations workforce doesn’t mean you have to compromise on the desktop security standards that have taken years to perfect”.
Mike Davies, CEO, Centrality
“An often overlooked but highly vulnerable area is document infrastructure. Today multifunctional printers can scan, fax, email, access the Internet, and more making them extremely susceptible to internal and external threats. Cloud services and BYOD are often implemented to enhance access and collaboration with regards to documents, but can prove to be a security risk if deployed incorrectly. Today the best document infrastructure uses McAfee’s whitelisting technology and Cisco TrustSec integration alongside traditional security methods like encryption and image overwrite. Additionally, one should ensure that mobile devices are only used to access data securely, and never to store data due to their propensity to get lost or stolen.
“Last but not the least, releasing prints with access cards helps to prevent the extremely low-tech but highly prevalent occurrence of someone picking up your sensitive document from the output tray of a device when you’re not looking.”
Feroze Engineer, Marketing at Xenith Document Systems
“Memset itself has made notable progress as a provider to UK government in the past year or so through G-Cloud and said: ‘The introduction of the G-Cloud framework marked a radical change in the way government departments procured ICT services. By opening the market up to SMEs like Memset we’ve been able to break up the oligopoly of incumbent suppliers and deliver substantial cost savings in the process.’”
Kate Craig-Wood, MD, Memset
“This research illustrates how today’s expanding threat landscape, increasingly targeted attacks, and complex regulatory environment, are overwhelming organisations’ current incident response capability. Organisations need to develop incident response muscle memory – the ability to instinctually respond under pressure. Doing so requires detailed plans, that have been practiced by the appropriate staff, and a platform to orchestrate the appropriate people, process, and technology”.
Ted Julian, chief marketing officer, Co3 Systems
“Network environments are growing in complexity. Today’s business users are connecting from a variety of locations and devices which introduces varying levels of risk. In tandem, data has differing levels of sensitivity meaning everyone accessing file shares will require varying degrees of privileged access.
“The problem with most identity and access management architectures is that they focus on perimeter defences, regardless of context. Once a user is authenticated they become “trusted”, which is why we are still seeing so many large-scale data breaches where user accounts have been compromised.
“If organisations want to shore up external perimeters and strengthen defences, they need to define policies that control how users see and connect to resources. More importantly, they need to look at context to determine whether or not the user is really who they say they are, and not just someone who’s managed to obtain a virtual identity card.
“It is this methodology that Cryptzone employs in its Zero-Trust security model, which incorporates five layers of security: encrypted communication, user authentication, session authorisation, policy enforcement and global audit logging. When all of these security elements are combined it creates a strong backbone that truly protects enterprise resources.”
Kurt Glazemakers, SVP Product Strategy at Cryptzone