As ever, the recent InfoSecurity Europe show threw up some fascinating insights into the state of the IT security market. Here we present the highlights of the show and what is about to happen in IT security
Nearly two-thirds of respondents to the recent biennial Department of Trade and Industry (DTI) Information Security Breaches Survey expect there to be more security incidents in the next year than in the last. And three-fifths of companies believe it will be harder to detect security breaches in the future.
These conclusions, revealed at the Infosecurity Show, demonstrate that
And there lies the rub. The survey results show that even as the
As the survey concludes, “This is certainly not a time for complacency”. Although the number of companies affected has dropped slightly in the last two years, it is still twice the level seen a decade ago. In addition, the total cost of security incidents is up on two years ago, with small businesses particularly taking the brunt of attacks. Broadband may be always on; it’s also always under attack.
That is not to say security is not a priority for many companies. It clearly has to be, with 97% of companies having an internet connection, 88% of which are broadband, and around 80% having a website.
So, given the increased dependence on IT systems, it is vital that firms continue to take information security seriously, and generally, they say they do. Three-quarters of
Although businesses need to carry out security risk assessments, and only 44% of companies have done this in the last year, the number of companies with a formal security policy at its highest level: nearly three times as many have a security policy as did six years ago.
Those policies are being supported by increased information security expenditure, some of which is spent acquiring external expertise. The average
budget on information security, and almost every
But there is no getting away from the issue that new technologies pose a particular security threat. Anti-virus and patching disciplines have improved, yet a quarter of
Three-fifths of companies that allow remote access do not encrypt their transmissions; yet those businesses that do allow remote access are more likely to have their networks penetrated than other companies.
One in five wireless networks is still completely unprotected, and a further one in five is
unencrypted. As for removable media devices, which can hold large volumes of data,
55% of firms have taken no steps to protect themselves against the threat posed by
There’s another area that many in the know are now warning against: insider threat. While botnets may have been the sexy subject for discussion, a number of companies exhibiting at the show reported a significant increase in the number of visitors to their stands who had reported insider attacks resulting in corporate losses.
The banking and financial services world particularly, is worried that those insider attacks – which many have been warning about for years – are now becoming a reality, perhaps being driven by bribes from organised crime. It’s perhaps no surprise then that a recent survey by Websense at the e-Crime Congress found that 45% of e-crime experts believe the biggest threat to an organisation’s data comes from inside the company.
Testing is another area that has seen an interesting trend, with specialists such as First Base Technologies, an exhibitor at Infosecurity and a veteran penetration testing specialist, warning that those providing penetration testing services need to invest more time in the reports they write for clients. The number of organisations claiming to offer penetration testing services – usually as part of a portfolio – may have increased, but some might say the overall quality of their reporting hasn’t.
Infosecurity wouldn’t have been complete without some newcomers. Perhaps the one with the highest profile, thanks to a testimonial from Paul Simmonds, global chief information security officer at ICI, was Secerno, an Oxford-based company specialising in application-level intrusion detection, and whose first products will be aimed at protecting databases.
Overall, there is little doubt that security-savvy companies are now adopting an integrated risk-based approach to information security, including taking account of emerging technologies, and securing the organisation against them.
Without these actions, there is little doubt that