Report: Risk of an Uncertain Security Strategy

Sophos and the Ponemon Institute released a report, Risk of an Uncertain Security Strategy, that highlighted a number of security issues companies of all sizes face today. What's unfortunate is that quite often security is not a priority for midmarket companies. This means that they often don't have a single department that is responsible for security. They may not even know if they've suffered a security breach.

Sophos and the Ponemon Institute, surveyed more than 2,000 individuals with responsibility for managing the IT security function in their organizations. The majority of respondents have a very high or high level of involvement in the evaluation, selection and implementation of IT security products or services in their organizations. SMB organizations represented in this study employ from less than 100 to 5,000 individuals. After reading through the findings of many badly designed and implemented surveys, it was refreshing to read through a well designed, well implemented report.

Here are some of the top findings found in the report:

• One-third of respondents admit they are not certain if a cyber attack has occurred in the past 12 months. Because of this lack of knowledge about the frequency and magnitude of such attacks, actionable intelligence appears to be deficient. To remedy this deficiency, respondents say their company will be investing in big data analytics and network traffic intelligence over the next three years.
• Respondents in more senior positions have the most uncertainty about the threats to their organizations. This indicates that the more removed the individual is from dealing on a daily basis with security threats, the less informed he or she is about the seriousness of the situation and the need to make it a priority. Fifty-eight percent of respondents say management does not see the possibility of a cyber attack as a significant risk.
• Respondents estimate that the cost of disruption to normal operations is much higher than the cost of damages or theft of IT assets and infrastructure. Unlike other Ponemon Institute studies where the theft of IP is the most expensive consequence of cyber crime,1 respondents do not seem to be able to determine the cost of lost or stolen information assets.
• Mobile devices and BYOD are much more of a security concern than the use of cloud applications and IT infrastructure services. However, these concerns are not preventing extensive use and adoption of mobile devices, especially personal ones. To deal with this risk, respondents indicate that their organizations will be investing in technologies such as web application firewalls for mobile apps and endpoint management to reduce BYOD risks.
• Respondents in specific industries have more confidence in their security awareness and strategy. Uncertainty seems to be very low in financial services, which can be attributed to the numerous data protection regulations. The technology sector is also more security aware which is probably due to the IT expertise that exists in these organizations.
• CISOs and senior management are rarely involved in decisions regarding IT security priorities. While 32 percent say the CIO is responsible for setting priorities, 31 percent say no one function is responsible.

The findings of this study are both interesting and somewhat disturbing. I urge that you download the report, read it and then consider how your company is addressing the dangers of the Internet, BYOD, Cloud Computing and the like.