Vulnerabilities / Threats

1/17/2018
02:00 PM
Lysa Myers
Lysa Myers
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Living with Risk: Where Organizations Fall Short

People tasked with protecting data are too often confused about what they need to do, even with a solid awareness of the threats they face.

I am the first to admit that I possess a robust naivety about the general public's appetite for risk. How can people agree that there is a risk and then exhibit behaviors that would seem to indicate that they find the risk irrelevant or that they are immune? I eagerly consume any report or survey that might shed some light on "how" and "why" someone could justify living with (or even exacerbating) security risks.

While the news always seems to be filled with examples of companies being woefully underprepared for breaches, my discussions with the corporate security practitioners who attend IT industry conferences show me an impressively nuanced understanding of risk. This leads me to assumptions about the factors that are causing the increasingly grotesque breaches we read about. But perhaps my preconceptions need adjusting.  

The 2017 Ernst & Young Global Information Security Survey, for example, is a resource that asks a lot of questions, with answers that I find fascinating and sometimes unexpected. This survey covers many aspects of security incident preparedness, and it represents the responses of almost 1,200 C-suite leaders as well as information security and IT executives/managers. These participants come from companies of all sizes, revenue levels, and industry sectors.

Unsurprisingly (to me), the surveyors found that budget, skill, and executive support are items of concern; who among us doesn't feel we could do a better job with fancier tools and unlimited funds? But the numbers in this case are less dire than I expected. Slightly more than half of respondents expressed these woes: 59% cite budget constraints and 58% lament a lack of skilled resources. I was even more surprised by how few people feel a lack of support from higher-ups; only 29% of respondents complain about a lack of executive awareness or support.

Despite these seemingly encouraging numbers, the survey results don't translate into concrete action from a security perspective. According to respondents, 56% said either that they have made changes to their business strategies to take account of the risks posed by cyber threats, or that they are about to review strategy in this context. Only a meager 4% of organizations are confident they have fully considered the information security implications of their current business strategies and that their risk landscape incorporates all relevant risks and threats. While this may speak to the complexity of the threatscape, it also indicates how many organizations feel completely overwhelmed by the task of addressing all the risks in their environments.

Low Grades on Data Protection, Vulnerability Identification
Most organizations don't seem to know where to start in creating proactive security postures: 35% of the survey's respondents describe their data protection policies as ad hoc or nonexistent. Consequently, it's understandable that 75% of respondents rate the maturity of their vulnerability identification as very low to moderate. 

Most organizations do at least have reactive processes in place for determining whether they've been attacked; only 12% have no breach detection program in place. But the most worrying finding of the Ernst & Young survey is that some organizations may be confused about their legal responsibilities: 17% of respondents say they would notnotify allcustomers, even if a breach affected customer information, and 10% would not even notify customers knownto be affected.

What I take from all this is that the people who are tasked with protecting data within organizations are often deeply confused or misinformed about what they need to be doing, even when there's adequate awareness of risk and support for correcting it. Rather than preparing in advance, most organizations are reacting to alarm bells only after the damage has been done. This bodes poorly for the industry when a diverse range of organizations are one unlucky day away from serious disruption.

Given the increasing complexity of technology, the persistent obscurity of digital security regulation, and the growing sophistication of threats, this problem is sure to increase. Rather than focusing on helping businesses assemble a collection of the fanciest widgets in all the land, we as security educators and professionals should instead focus on the everyday processes of security that are as banal and crucial as regular janitorial service. While counting machines and planning network structure may be less exciting than the blinky lights of advanced gadgetry, it would seem that this is precisely what would most benefit many organizations.

Related Content:

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1659
PUBLISHED: 2019-02-21
A vulnerability in the Identity Services Engine (ISE) integration feature of Cisco Prime Infrastructure (PI) could allow an unauthenticated, remote attacker to perform a man-in-the-middle attack against the Secure Sockets Layer (SSL) tunnel established between ISE and PI. The vulnerability is due to...
CVE-2019-8983
PUBLISHED: 2019-02-21
MDaemon Webmail 14.x through 18.x before 18.5.2 has XSS (issue 1 of 2).
CVE-2019-8984
PUBLISHED: 2019-02-21
MDaemon Webmail 14.x through 18.x before 18.5.2 has XSS (issue 2 of 2).
CVE-2018-20122
PUBLISHED: 2019-02-21
The web interface on FASTGate Fastweb devices with firmware through 0.00.47_FW_200_Askey 2017-05-17 (software through 1.0.1b) exposed a CGI binary that is vulnerable to a command injection vulnerability that can be exploited to achieve remote code execution with root privileges. No authentication is...
CVE-2018-6687
PUBLISHED: 2019-02-21
Loop with Unreachable Exit Condition ('Infinite Loop') in McAfee GetSusp (GetSusp) 3.0.0.461 and earlier allows attackers to DoS a manual GetSusp scan via while scanning a specifically crafted file . GetSusp is a free standalone McAfee tool that runs on several versions of Microsoft Windows.