A survey of senior security practitioners has found that a third have no real-time insight into cyber risks.
The survey of 1,825 organisations in 60 countries by EY found that 43 per cent of respondents said their organisation’s total information security budget will stay approximately the same in the coming 12 months, despite increasing threats. Meanwhile, 53 per cent said that a lack of skilled resources is one of the main obstacles challenging their information security programme.
Mark Brown, executive director of cyber security and resilience at EY, said: “Too many organisations still fall short in mastering the foundational components of cyber security. The UK Government has attempted to fill this void by introducing the Cyber Essential Scheme. However, today’s findings highlight that organisations are not taking the basic steps, such as setting up a security operations centre or putting in place an incident response plan, and this continues to be a major cause for concern.
“Within the UK, we would recommend organisations engage with UK Government-backed initiatives such as Cyber Information Sharing Partnership (CISP) and UK CERT as well as establishing internal capabilities to respond to this threat.”
Marcus Ranum, senior strategist at Tenable Network Security, said: “The problem is that a lot of organisations simply aren’t fielding traditional perimeter tools correctly, and then complain that they can’t defend themselves. One company I spoke with recently declared that their firewalls were inadequate, but it turned out that they had every user behind the firewall using Internet Explorer and running with a Java Virtual Machine enabled in each browser. If you bypass the firewall then it can’t protect you!
“The belief is that every threat that gets through defences is ‘advanced,’ except that it’s really not. The reality is there are a lot of failures of basic security taking place and the truly advanced stuff doesn’t even show up on the radar screen. The firewall (or anything else by itself) won’t protect you completely.
“Similarly, the traditional perimeter has advanced considerably, and I expect much more complete traffic analysis and sanitisation solutions on the perimeter – a firewall simply isn’t enough. To be successful at thwarting attacks, organisations need a mix of endpoint security, configuration control and patch management, vulnerability assessment and management, and a monitoring and analysis capability to make sure it’s all working. Before we declare any other tech obsolete or, heaven forbid, ‘dead’, could we try deploying it properly first?”
Elena Kharchenko, head of consumer product management at Kaspersky Lab, said: “People who believe that they are safe because cyber criminals will just leave them alone and won’t be interested simply don’t understand the nature of online threats. Hackers don’t usually focus on specific targets; they try to scoop up as many victims as possible.”