Vulnerabilities / Threats

1/17/2018
02:00 PM
Lysa Myers
Lysa Myers
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Living with Risk: Where Organizations Fall Short

People tasked with protecting data are too often confused about what they need to do, even with a solid awareness of the threats they face.

I am the first to admit that I possess a robust naivety about the general public's appetite for risk. How can people agree that there is a risk and then exhibit behaviors that would seem to indicate that they find the risk irrelevant or that they are immune? I eagerly consume any report or survey that might shed some light on "how" and "why" someone could justify living with (or even exacerbating) security risks.

While the news always seems to be filled with examples of companies being woefully underprepared for breaches, my discussions with the corporate security practitioners who attend IT industry conferences show me an impressively nuanced understanding of risk. This leads me to assumptions about the factors that are causing the increasingly grotesque breaches we read about. But perhaps my preconceptions need adjusting.  

The 2017 Ernst & Young Global Information Security Survey, for example, is a resource that asks a lot of questions, with answers that I find fascinating and sometimes unexpected. This survey covers many aspects of security incident preparedness, and it represents the responses of almost 1,200 C-suite leaders as well as information security and IT executives/managers. These participants come from companies of all sizes, revenue levels, and industry sectors.

Unsurprisingly (to me), the surveyors found that budget, skill, and executive support are items of concern; who among us doesn't feel we could do a better job with fancier tools and unlimited funds? But the numbers in this case are less dire than I expected. Slightly more than half of respondents expressed these woes: 59% cite budget constraints and 58% lament a lack of skilled resources. I was even more surprised by how few people feel a lack of support from higher-ups; only 29% of respondents complain about a lack of executive awareness or support.

Despite these seemingly encouraging numbers, the survey results don't translate into concrete action from a security perspective. According to respondents, 56% said either that they have made changes to their business strategies to take account of the risks posed by cyber threats, or that they are about to review strategy in this context. Only a meager 4% of organizations are confident they have fully considered the information security implications of their current business strategies and that their risk landscape incorporates all relevant risks and threats. While this may speak to the complexity of the threatscape, it also indicates how many organizations feel completely overwhelmed by the task of addressing all the risks in their environments.

Low Grades on Data Protection, Vulnerability Identification
Most organizations don't seem to know where to start in creating proactive security postures: 35% of the survey's respondents describe their data protection policies as ad hoc or nonexistent. Consequently, it's understandable that 75% of respondents rate the maturity of their vulnerability identification as very low to moderate. 

Most organizations do at least have reactive processes in place for determining whether they've been attacked; only 12% have no breach detection program in place. But the most worrying finding of the Ernst & Young survey is that some organizations may be confused about their legal responsibilities: 17% of respondents say they would notnotify allcustomers, even if a breach affected customer information, and 10% would not even notify customers knownto be affected.

What I take from all this is that the people who are tasked with protecting data within organizations are often deeply confused or misinformed about what they need to be doing, even when there's adequate awareness of risk and support for correcting it. Rather than preparing in advance, most organizations are reacting to alarm bells only after the damage has been done. This bodes poorly for the industry when a diverse range of organizations are one unlucky day away from serious disruption.

Given the increasing complexity of technology, the persistent obscurity of digital security regulation, and the growing sophistication of threats, this problem is sure to increase. Rather than focusing on helping businesses assemble a collection of the fanciest widgets in all the land, we as security educators and professionals should instead focus on the everyday processes of security that are as banal and crucial as regular janitorial service. While counting machines and planning network structure may be less exciting than the blinky lights of advanced gadgetry, it would seem that this is precisely what would most benefit many organizations.

Related Content:

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-2607
PUBLISHED: 2018-05-21
jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users...
CVE-2018-1108
PUBLISHED: 2018-05-21
kernel drivers before version 4.17-rc1 are vulnerable to a weakness in the Linux kernel's implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated.
CVE-2018-11330
PUBLISHED: 2018-05-21
An issue was discovered in Pluck before 4.7.6. There is authenticated stored XSS because the character set for filenames is not properly restricted.
CVE-2018-11331
PUBLISHED: 2018-05-21
An issue was discovered in Pluck before 4.7.6. Remote PHP code execution is possible because the set of disallowed filetypes for uploads in missing some applicable ones such as .phtml and .htaccess.
CVE-2018-7687
PUBLISHED: 2018-05-21
The Micro Focus Client for OES before version 2 SP4 IR8a has a vulnerability that could allow a local attacker to elevate privileges via a buffer overflow in ncfsd.sys.