Uncertainty is not the word organizations want associated with their IT security posture, but in many cases, the shoe seems to fit, a new study has found.
According to a survey of 2,000 IT security professionals at small to midsized businesses by the Ponemon Institute, one-third of respondents admitted they are not certain if a cyber attack has occurred in the past 12 months.
Part of this may be due to a weak approach to security by CISOs and senior management. Fifty-eight percent said that management does not see cyber attacks as a significant risk to their business, and 44 percent said a strong security posture is not a priority. In addition, while 32 percent say the CIO is responsible for setting priorities, 31 percent say no one person is responsible.
“Only 11 percent of respondents say the CISO is responsible for setting IT security priorities,” Dr. Larry Ponemon, founder of the institute, told SecurityWeek. “In contrast, the CIO received 32 percent of the vote, followed by no one function at [31 percent]. It’s my opinion that the CISO is most likely to understand the real security concerns of the organization and is in the best position to set priorities for IT security.”
Other studies by Ponemon have indicated that a good incident response plan and strong leadership from the CISO can reduce the cost of a data breach significantly. The lack of senior management involvement in cyber security among those in the survey may account for a lack of resources being allocated to security challenges. According to the survey, 42 percent said their budget is not adequate for achieving an effective security posture. Staffing is a challenge as well: only 26 percent of respondents said they had enough in-house security expertise.
“In our experience, smaller-sized organizations lack the resources to fully detect cyber attacks,” Ponemon said. “This weakness can be overcome with a combination of expert personnel and enabling security technologies. On a positive note, managed security solutions and cloud-based security technologies make it economically feasible for SMBs.”
Interestingly, while many respondents expressed uncertainty about detecting cyber attacks, data breaches are uncovered more readily. Some of that is because many data breaches are due to lost or stolen devices rather than stealthy cyber attacks, but the reason actually goes deeper, opined Chet Wisniewski, whose firm, Sophos, sponsored the study.
“If information is stolen there are usually repercussions,” said Wisniewski, senior security advisor at Sophos. “Credit card companies identify you as the source of the stolen card data, criminals post your information online, [and] others may even hold your data for ransom. The attacks themselves are silent, but deadly. Detecting attacks in progress requires a coordinated effort and the ability to know that something that isn’t normal is happening. Of course, most organizations don’t know what normal is, making it rather difficult to detect anomalies.”