As ever, the recent InfoSecurity Europe show threw up some fascinating insights into the state of the IT security market. Here we present the highlights of the show and what is about to happen in IT security.
Nearly two-thirds of respondents to the recent biennial Department of Trade and Industry (DTI) Information Security Breaches Survey expect there to be more security incidents in the next year than in the last. And three-fifths of companies believe it will be harder to detect security breaches in the future.
These conclusions, revealed at the Infosecurity Show, demonstrate that UK businesses are winning yesterday’s battles, but are not preparing the foundations for defeating a more technology-focused form of guerrilla warfare.
And there lies the rub. The survey results show that even as the UK embraces the internet, with many small businesses making the most of their broadband connections, this new environment is accompanied by new security threats. There are more sophisticated blended threats; spyware, driven by organised crime; and the advent of new technologies such as instant messaging and voice over Internet Protocol (VoIP), which have scarcely been addressed.
As the survey concludes, “This is certainly not a time for complacency”. Although the number of companies affected has dropped slightly in the last two years, it is still twice the level seen a decade ago. In addition, the total cost of security incidents is up on two years ago, with small businesses particularly taking the brunt of attacks. Broadband may be always on; it’s also always under attack.
That is not to say security is not a priority for many companies. It clearly has to be, with 97% of companies having an internet connection, 88% of which are broadband, and around 80% having a website.
So, given the increased dependence on IT systems, it is vital that firms continue to take information security seriously, and generally, they say they do. Three-quarters of UK businesses rate security as a high or very high priority for their senior management or board of directors, and that priority is consistent across all sizes of company.
Although businesses need to carry out security risk assessments, only 44% of companies have done this in the last year. The number of companies with a formal security policy is, however, at its highest level: nearly three times as many have a security policy as did six years ago.
Those policies are being supported by increased information security expenditure, some of which is spent acquiring external expertise. The average UK business now spends 4% to 5% of its IT budget on information security, and almost every UK business makes some use of external guidance or expertise to supplement its in-house security capability. Such an investment in security has translated into progress against all five key recommendations made two years ago, which comprised drawing on the right expertise, setting clear policies, investing in security, keeping defences up to date and responding to security incidents.
But there is no getting away from the issue that new technologies pose a particular security threat. Anti-virus and patching disciplines have improved, yet a quarter of UK businesses are not protected against spyware. In addition, only 1% have a comprehensive approach to identity management, with 84% saying there is no business requirement to improve this.
Three-fifths of companies that allow remote access do not encrypt their transmissions; yet those businesses that do allow remote access are more likely to have their networks penetrated than other companies.
One in five wireless networks is still completely unprotected, and a further one in five is unencrypted. As for removable media devices, which can hold large volumes of data, 55% of firms have taken no steps to protect themselves against the threat posed by such devices.
There’s another area that many in the know are now warning about: the insider threat. While botnets may have been the sexy subject for discussion, a number of companies exhibiting at the show reported a significant increase in the number of visitors to their stands who reported insider attacks resulting in corporate losses.
The banking and financial services world, in particular, is worried that those insider attacks – which many have been warning about for years – are now becoming a reality, perhaps being driven by bribes from organised crime. It’s perhaps no surprise, then, that a recent survey by Websense at the e-Crime Congress found that 45% of e-crime experts believe the biggest threat to an organisation’s data comes from inside the company.
Testing is another area that has seen an interesting trend, with specialists such as First Base Technologies, an exhibitor at Infosecurity and a veteran penetration testing specialist, warning that those providing penetration testing services need to invest more time in the reports they write for clients. The number of organisations claiming to offer penetration testing services – usually as part of a portfolio – may have increased, but some might say the overall quality of their reporting hasn’t.
Infosecurity wouldn’t have been complete without some newcomers. Perhaps the one with the highest profile, thanks to a testimonial from Paul Simmonds, global chief information security officer at ICI, was Secerno, an Oxford-based company specialising in application-level intrusion detection, and whose first products will be aimed at protecting databases.
Overall, there is little doubt that security-savvy companies are now adopting an integrated risk-based approach to information security, including taking account of emerging technologies, and securing the organisation against them.
Without these actions, there is little doubt that UK businesses face being exposed in tomorrow’s security landscape. And if those businesses have to be aware of the security threats from new and fast-moving technologies, then so should the DTI. So, there must be a case for making the Security Breaches Survey an annual event: there is no predicting what the security landscape will look like in two years.