Most security professionals helpless to stop data theft, study shows

A global study has uncovered the deficient, disconnected and in-the-dark conditions that challenge IT security professionals

A global study has uncovered the deficient, disconnected and in-the-dark conditions that challenge IT security professionals.

The top finding of the report is that 63% of more than 4,800 IT security practitioners polled doubt they can stop data theft, because of deficiencies in security systems.

The study is the first of two conducted by the Ponemon Institute, aimed at exposing weaknesses in cyber security and sponsored by security firm Websense

Areas of focus include the effectiveness of security systems, the perceived value of confidential data and visibility into cyber criminal activity.

The report reveals that security professionals are using systems that fall short in protecting organisations from cyber attack and data leaks.

“This report shows that the cyber security industry still has more work to do when it comes to addressing cyber attacks,” said John McCormack, Websense chief executive.

“Security professionals need effective security measures and heightened security intelligence to keep organisations safe from advanced attacks and data loss.”

Attack intelligence critical

Websense believes the intelligence to anticipate, identify and reduce the threats is critical, because the security threat landscape is more challenging and dynamic than ever.

According to the report, current deficiencies mean that 57% of respondents do not think their organisation is protected from advanced cyber attacks.

“In some cases this is because security professionals are not seeing value in current counter-measures,” said Neil Thacker, European information security and strategy officer at Websense.

“In other cases they are not reviewing their requirements often enough with the result that current systems are no longer as up to date as they should be.

“And some organisations are still trying to protect their perimeter, endpoints and servers, but are not really focusing on the data, which they should ultimately be trying to protect.”

Security system shortcomings

More than two-thirds of respondents believe cyber security threats sometimes fall through the cracks of their companies’ existing security systems.

“This is typically due to the complexity of deployments, and sometimes a lack of resource,” said Thacker.

“Often an increasing number of point solutions are brought in to meet requirements and are piled up, but a more strategic approach would be better.”

The study found that in the past year, 44% of companies represented in this research experienced one or more cyber attacks that infiltrated networks or enterprise systems.

According to the report, 59% of companies do not have adequate intelligence or are unsure about attempted attacks and their impact.

While just over half say their security systems do not inform them or they are unsure if their system can inform them about the root causes of an attack.

Lack of understanding in senior management

The study revealed a disconnect between management and the perceived value of confidential data, with 80% of respondents saying their company’s leaders do not equate losing confidential data with a potential loss of revenue.

This is in contrast to recent Ponemon Institute research, which indicates that data breaches have serious financial consequences for organisations.

The average cost per lost or stolen record due to a data breach is $188 and the average cost of an organisational data breach is $5.4m, the research found.

“Many organisations have struggled to implement a risk-based approach into security and communicate that across the business,” said Thacker.

“But one of the main reasons for this disconnect is because the business has not valued its assets.”

In some cases, he said, the business has left it up to the information security team to value assets and determine what is important and what is confidential.

Nearly half of respondents say their board-level executives have a sub-par understanding of security issues.

“Data theft risks should be a boardroom discussion because businesses are generating income by using the intelligence they can pull from that data,” said Thacker.

“There needs to be a greater focus on data, on data driving a business, on the value of that data, and on the business putting a value on that asset.”

Security professionals and the business

The study found many security professionals find it hard to keep track of the threat landscape and were not even sure if they had been the victim of an attack.

Only 41% of respondents believe they have a good understanding about the threat landscape facing their company.

“The threat landscape has to be put into the context of the business, and I see a lot of organisations struggling with that,” said Thacker.

“For this reason, threat modeling as an exercise is hugely valuable in helping organisations focus on the data that needs to be protected and the type of attacks and attacker it needs to be protected from.”

While only 37% of respondents could say with certainty that their organisation lost sensitive or confidential information as a result of a cyber attack.

“This is mainly due to a lack of data forensics and a lack of real-time event monitoring and the ability to link this back to the ‘who’, the ‘what’, the ‘where’ and the ‘how’.

“If they do not have that context and the visibility into what is confidential and what is actually leaving the organisation, they are really going to struggle.”

And 35% of those who had lost sensitive or confidential information did not know exactly what data had been stolen.

“This is of particular concern with more legislation coming into effect around data breach notification, and I would expect companies to be looking to improve in this area,” said Thacker.

“Organisations need to improve their ability to know what data is being targeted and what data is being stolen, which can be tied to poor processes alongside technology.”

Read more on Hackers and cybercrime prevention