Mega breaches are dominating the news; so how is IT reacting?
It seems to be with a simple shoulder shrug.
Despite thefts of data records and personal information in hacker attacks such as those on Anthem (78.8 million records) and the U.S. Office of Personnel Management (21 million), and despite shifting sands of litigation promising to put companies on the financial hot seat, IT is showing little reaction to breaches.
In its third-quarter survey on Information Security, 451 Research found that 67.8 percent of respondents said they had made no change in security spending due to recent headlines on data breaches and news that government regulatory agencies are going after companies that are breached and did not close known vulnerabilities.
In September, St. Louis-based R.T. Jones Capital Equities Management, which lost the personally identifiable information (PII) of approximately 100,000 people, was charged by the SEC and fined $75,000 for violating the agency's Regulation S-P Safeguards Rule over a four-year period during which it failed to establish required cybersecurity policies and procedures in advance of the breach.
In late August, a U.S. appellate court told the Federal Trade Commission (FTC), which also has a Safeguards Rule, it could go ahead and sue Wyndham Hotels over inadequately investing in computer security after it was discovered that 600,000 customer records were exposed in 2008 and 2009.
But these incidents seem to be merely headlines to IT even though companies are thinking about attacks.
In the 451 survey, the top information security concern for IT in the past 90 days was listed as "Hackers/Crackers with Malicious Intent." But the percentage of respondents with this concern has dropped from 52.1 percent in Q2 of 2015 to 41.5 percent in Q3.
When asked which "security threat do you think is inadequately covered today by your organization that worries you going forward?" the top answer was the same: "Hackers/Crackers with Malicious Intent." The threat was listed by 21.5 percent of the 898 respondents. The other top threats were "Preventing/Detecting Insider Espionage" (17.9 percent) and "Cyber-warfare" (11.7 percent).
In the survey, only 4.7 percent of respondents said current implementation of top information security projects was in response to an attack. In all, 54.5 percent of respondents said their organization does not have a clearly defined head of information security such as a Chief Information Security Officer.
In terms of project fund allocation for security, 56.9 percent of respondents said budget dollars for information security are rolled into IT spending. And overall, 51.5 percent of respondents said over the next 90 days their organization would see no change in spending on information security.
The survey showed the top information security projects currently being implemented were approved for reasons involving risk assessment (26.6 percent), compliance requirements (26 percent) and business requirements (15 percent).