Security professionals in Europe have significant gaps in their enterprise risk strategies, despite thinking that they are on track, a survey has revealed.
While 79% of security professionals polled by HP at Infosecurity Europe 2012 in London believe they have an information security risk plan in place, only 14% are very confident that their current IT security solutions are giving them a complete, concise picture of their security and risk state.
Close to 90% of the 500 respondents said they believe they have governance mechanisms in place to drive the right user behaviour and monitor adherence, but 43% were not confident that they had visibility of risk within their organisations.
This was despite the fact that more than half of respondents are able to capture a significant amount of security vulnerability information at both the network (60%) and application layer (52%).
Risk management disconnect
While 70% of respondents felt they were able to talk about risk in a way that makes sense to the business, only 24% said they were very able to translate IT risk into business risk.
"The survey results show that risk management, even in large organisations, is disconnected," said Jay Huff, director, HP enterprise security products in Europe.
It also revealed that in many organisations, security professionals still focus on perimeter defences, he said, "but the variety of attack methods means this strategy is one of diminishing returns."
HP said IT must be able to develop a sustainable and comprehensive approach to securing the enterprise across data, applications, devices and networks.
However, the survey showed 44% of security professionals do not have the capabilities to uncover and report vulnerabilities in custom applications, with only 60% of respondents carrying out real-time monitoring of security events.
HP said organisations should establish a clear framework and layered system of defence, in response to a new breed of cyber threats targeting holes between products, disparate processes, and gaps in security readiness.
HP's approach to security is not about perimeter defences or securing the end point, said Huff, it is about enabling organisations to "apply actionable intelligence to improve security posture".
A greater proportion of survey respondents (60%) felt that cyber attacks had increased over the past 12 months, compared with just 43% a year ago, and 75% believe attacks will increase again in the next six months.
According to respondents, the top three information security risks for organisations are: staff inadvertently breaching security (19%); mobile devices (18%); and malware and viruses (17%).