Research has shown that 41 per cent of IT professionals believe it is only a matter of time before there is a major cyber attack against the United Kingdom’s critical national infrastructure.
The survey of 350 IT professionals, commissioned by RedSeal and conducted by OnePoll, found that 17 per cent are simply not convinced it will not happen. Also, only 44 per cent of respondents said that they could sincerely say that their company is secure, while 36 per cent said that they could not.
Commenting, Bob Tarzey, analyst and director at Quocirca, said: “There is no doubt that certain terrorist groups and some nation states see a vested interest in damaging this country in whatever way they can, who knows if they will succeed at some point? If you asked me on 10th Sept 2001 if I think the twin towers would collapse the next day, I would have said ‘no’.”
Tom Cross, director of security research at Lancope, said: “With respect to threats against critical infrastructure, the vulnerability is there, but it is difficult to predict when attacks are going to happen. Security vulnerabilities have existed in critical infrastructure for many years, and warnings about that have been repeatedly issued.
“Some progress has been made in improving the security of these systems in recent years, particularly in the wake of the Stuxnet incident, which demonstrated to people that the threat is real. However, actual attacks occur when the vulnerability aligns with the strategic interests of an attacker. It is hard to say when and where that is going to happen.”
As well as this, more than half (51 per cent) of respondents admitted that they would not be able to walk into a board meeting and provide the board with key performance indicators to show what level of success their investment is having in defending the network against attackers.
Asked whether they could truthfully answer yes if the board asked them whether the company is secure, less than half (44 per cent) said that they could, while 19.71 per cent were unsure and 36 per cent said that they would say no. More than half (38 per cent) said that they believed that IT personnel and the board speak different languages and therefore did not get the budget that they needed. While 40 per cent said that this was not a problem, 20 per cent said that they were not sure.
Also, the research found that 34 per cent of respondents believe that they are constantly playing a game of cat and mouse when it comes to securing their systems from the cyber-crime community. Tarzey said that it seems strange that they would think not. “Cyber criminals and hacktivists are getting more sophisticated, so are the defences, call it cat and mouse, call it an arms race, there is no doubt in my mind it is happening.”
Cross said that this depends on the nature of the attacks that your organisation is experiencing. “Most botnet operators are looking for targets of opportunity – if you have your security ducks in a row, they will move on to another target,” he said.
“However, sophisticated, persistent attackers of the sort that we associate with nation-state sponsored espionage have a completely different character. They will persist in targeting your network despite the steps that you are taking to detect them and keep them out, and when you discover them, they will change tactics in order to stay invisible to you.”
The survey also found that 43 per cent of respondents do not have visibility into their global network, while 31 per cent said that they have so much vulnerability that they cannot see what is critical.
Also, 26 per cent of respondents said that often their systems were so overloaded with data that they could not generate actionable reports, impacting both their capability to detect incidents and to report to the board.
Parveen Jain, CEO at RedSeal, said: “It’s pretty clear that the majority of today’s companies just don’t have any visibility into their networks and therefore don’t know what needs protecting and what doesn’t. We often see major corporations being attacked hundreds of thousands of times a day, but as they don’t know which attacks are the most harmful, they don’t know where to put up their defences.”
“The cyber-criminal community know that companies are overwhelmed with too much data and don’t have the resources or tools to protect their most valuable assets, so they take advantage of the weak spots.”