A lack of security expertise is one of the biggest and broadest problems in information security, says Wendy Nather, enterprise security research director at 451 Research.
“There are many companies that are below the ‘security poverty line’ that have little expertise and have no hope of defending themselves against attacks,” she told Computer Weekly.
Such companies have a “disproportionate dependence” on third-party organisations, says Nather.
“But they typically find it difficult to implement recommendations by consultants. They are rarely able to re-architect their networks or update their systems,” she says.
Nather believes this is a problem affecting the security of the wider business community and that the security industry needs to find ways to help.
“For example, one US-based organisation called Securing Change has a mission to provide pro bono security services for non-profit organisations.
“We need a lot more of that, as well as more practical, inexpensive solutions, rather than just telling people to buy one of everything,” she says.
Protect against cyber threats
Among larger organisations, Nather believes there is a growing awareness of the need for information security, particularly in the wake of the Mandiant report.
On 18 February, Mandiant published a report that identified a secretive branch of China's military based in Shanghai as one of the world's "most prolific cyber espionage groups".
One of the biggest changes in the past 12 months, says Nather, is that there is a lot more open discussion about cyber espionage.
“Companies that may have not bothered before because of the mistaken belief that they would not be targeted are now looking to see if they have been compromised,” she says.
Although awareness of cyber threats is rising and companies are changing their approach and taking the risk much more seriously, Nather believes that many more companies need to take action.
“Even when companies do find that they have been compromised, their executive leadership will take a very lax attitude towards it,” she says.
Worse still, some organisations simply give up. They see no point in improving their information protection if they feel their intellectual property has already been stolen.
“But there is nothing to say they cannot get breached again, and it is likely that at some point in the future they will develop more intellectual property, or they may serve as a stepping stone to compromise one of their partners,” says Nather.
No company is an island – each company has a responsibility to be as secure as possible, she says.
Block third-party security holes
Similarly, organisations need to realise that attackers are getting extremely clever in the way they are targeting information assets, says Nather.
“Increasingly, attackers are using indirect routes into organisations, such as coming through third-party service providers,” she says.
This is something many companies are not taking seriously enough yet, or if they are aware of it, they are often not sure what to do about it, says Nather.
“They should be having a frank conversation about security, but one of the biggest problems is that many organisations do not know who their service providers are,” she says.
For example, many organisations tend to view Salesforce.com as a utility on the desktop and fail to recognise it as a service provider with which they should be having a serious talk about security.
Once organisations have identified all their service providers, they should see what controls they can put in place, suggests Nather.
“So as not to trust them so much and allow a completely open downstream pipe from their provider, they should limit their traffic to only that which is needed, but many forget to do that.”
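The control Nather describes, an inventory of known providers with a default-deny rule set that admits only the flows each one genuinely needs, can be expressed as a small policy. The following is an added example and not code from the article or from 451 Research; the provider names, address ranges (documentation ranges from RFC 5737), internal host names and ports are all hypothetical, chosen only to show the shape of the policy.

```python
"""Default-deny allowlist for inbound third-party provider traffic.

Added example, not from the original article. Models the control described in
the text: list every service provider, then permit only the specific flows it
needs instead of leaving an open pipe. All names and addresses are hypothetical.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class ProviderRule:
    name: str            # the inventory entry: who the provider is
    networks: list       # provider source ranges (ipaddress.ip_network objects)
    allowed_ports: dict  # {internal_host: {tcp ports}} the provider genuinely needs


# Constructed provider inventory. Ranges are RFC 5737 documentation networks.
PROVIDERS = [
    ProviderRule(
        name="payroll-saas",                                # hypothetical provider
        networks=[ipaddress.ip_network("203.0.113.0/24")],
        allowed_ports={"hr-api.internal": {443}},           # hypothetical host
    ),
    ProviderRule(
        name="managed-print",                               # hypothetical provider
        networks=[ipaddress.ip_network("198.51.100.0/24")],
        allowed_ports={"print-server.internal": {631}},     # hypothetical host
    ),
]

# Constructed mapping of internal host names to addresses, used when rendering rules.
HOST_IPS = {"hr-api.internal": "10.0.5.10", "print-server.internal": "10.0.7.20"}


def evaluate_flow(src_ip: str, dst_host: str, dst_port: int, providers=PROVIDERS):
    """Decide whether a single flow is permitted.

    Returns (decision, provider_name). Anything not explicitly allowed is
    denied: a known provider reaching a host or port it has no business with
    is refused, and a source outside the inventory is refused outright.
    """
    src = ipaddress.ip_address(src_ip)
    for p in providers:
        if any(src in net for net in p.networks):
            if dst_port in p.allowed_ports.get(dst_host, set()):
                return "allow", p.name
            return "deny", p.name      # known provider, but not a needed flow
    return "deny", None                # unknown source: not in the inventory


def render_nftables(providers=PROVIDERS, host_ips=HOST_IPS) -> str:
    """Render the same policy as an nftables input chain with a drop default.

    One accept rule per provider network, destination host and port set;
    everything else falls through to the chain policy and is dropped.
    """
    lines = [
        "table inet partner_ingress {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for p in providers:
        for net in p.networks:
            for host, ports in p.allowed_ports.items():
                portlist = ", ".join(str(x) for x in sorted(ports))
                lines.append(
                    f"    ip saddr {net} ip daddr {host_ips[host]} "
                    f"tcp dport {{ {portlist} }} accept comment \"{p.name}\""
                )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Sample flows (constructed): a needed flow, an over-reach by a known
    # provider, and a source that is not in the inventory at all.
    for flow in [("203.0.113.7", "hr-api.internal", 443),
                 ("203.0.113.7", "hr-api.internal", 22),
                 ("192.0.2.1", "hr-api.internal", 443)]:
        print(flow, "->", evaluate_flow(*flow))
    print(render_nftables())
```

The useful property is the second "deny": a provider the organisation knows about and trusts for one purpose is still refused when it tries to reach anything else, which is the difference between a scoped connection and the open downstream pipe the quote warns about. The inventory list is also where the "who are our service providers?" question gets answered; a flow from an unlisted source is the signal that the inventory is incomplete.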
Nather is to take part in a quick-fire Q&A session on scanning the threat horizon and predicting future risks during Infosecurity Europe 2013 at Earls Court, London, 23-25 April.