UK IT decision makers (ITDMs) consider human error to be the biggest security threat to a business, according to a new report from NODE4.
The firm’s study examines the attitudes and precautions adopted by ITDMs regarding the cyber-threat landscape and the approaches that are currently in place to protect organizations from data loss.
The study found that whilst 97% of companies have a fundamental security policy, almost half of the 100 respondents quizzed said it is not well adhered to by staff. This suggests ITDMs rank everyday staff members fairly low in terms of security ‘savvy-ness’. This is often a result of employees viewing security as a specialist remit: something that is taken care of solely by technology rather than by strict adherence to secure behavior.
Speaking to Infosecurity, independent consultant Dr Jessica Barker said that dealing with the human element of information security is the biggest challenge the industry faces.
“It is a lack of awareness and insecure behaviors online which cause most data breaches,” she said.
“When we describe computer users as 'stupid' we disempower them and undermine their willingness and ability to learn and take ownership of information security. People tend to learn better and act more responsibly when they are treated with respect and encouragement.”
She argued that if companies want their staff to engage more with information security, they need to improve the ways they listen to and communicate with them.
“The way we deliver training, write policies and communicate cybersecurity messages impacts the way people do – or do not – engage with information security. To be most effective, it shouldn't just be about what you most want to tell them, but understanding how to communicate the messages so that people are more likely to take on board what you are trying to say,” she added.
Further, the report found that less than a third (30%) of ITDMs are very confident they could handle a system compromise, with just 23% very confident of dealing with an information leak. Despite this, as many as 63% believe they have adequate server-level protection, a disconnect that suggests a lack of awareness about new and evolving risks.
Most businesses are not adequately equipped to handle today’s increasingly complex cyber threats and lack the higher-end tools required to quickly spot and recover from them, relying on traditional measures such as basic firewalls and email encryption. This is highlighted by the fact that three-quarters of the companies polled have no DDoS protection in place, nor do they have the ability to take a ‘topline’ view of their infrastructure.
“One of the biggest challenges that organizations face is the ever-changing nature of threats,” Ollie Hart, sales director UKI, enterprise & cyber security at Fujitsu, told Infosecurity. “Large, high-profile attacks constantly show us that cyber threats are forever evolving and becoming far more targeted.”
“The fact that 75% of companies do not have any DDoS protection in place is alarming, as there is now no excuse for an unawareness of threats. You just need to take a look at the number of companies being hit by attacks on a daily basis in the media to know that it is a very real threat, so it’s shocking that organizations are still not tackling this issue,” he said.
Stephen Love, security practice lead EMEA at Insight, said businesses need to implement multi-layered security defenses to help protect against DDoS attacks.
“Through utilizing cloud-based security services which have the capability to deal with these potentially damaging threats as the first line of defense, businesses can reduce the fallout of DDoS attacks which might overpower the barriers of the initial network perimeter defense,” he added.
When asked to highlight what they considered to be the major consequences of a data breach, 49% of respondents cited professional embarrassment as the most significant, with loss of customers (44%) and loss of reputation (42%) taking the second and third spots. Interestingly, being hit with heavy fines came in sixth place, although with the General Data Protection Regulation coming into effect in 2018 it remains to be seen whether this will change over the next couple of years.
“A data breach or hack can have a huge economic impact on a company,” said Cesar Cerrudo, CTO of IOActive.
“Then there is also the impact it has on the company’s reputation and brand. Customers – affected or not by the breach – will lose trust in the company. They could purchase less or even take their purchases elsewhere, which ends up having an economic impact on the company too.”
Cerrudo argued that most companies are not prepared for breaches or hacks, so when they do get attacked they don't know what to do.
“In most cases the company will hire a third party that will come onsite and help them with the investigation. However, there are other companies that are more prepared, with plans and processes in place that can identify and isolate incidents quickly, and in some cases contain breaches. These are few and far between though.”