Nearly half of UK IT pros report serious data breaches

Nearly half of IT professionals in the UK (47%) have experienced a serious data breach at their current employer, compared with 61% globally, a report reveals.

The report is based on an independent survey of IT professionals who have experienced a serious data breach at some point in their career in the UK, the US, Australia, Canada, France, Germany, India and Singapore in a wide range of industries.

Despite improvements in combating cyber crime and threats, IT security professionals are still struggling to secure their organisations and protect against breaches, according to the latest data theft report from cyber security firm McAfee.  

Adding to this challenge, the report shows that data breaches are becoming more serious as cyber criminals continue to target intellectual property (IP), putting the reputation of the company brand at risk and increasing financial liability.

The study shows that 70% of all breaches in the UK require public disclosure, putting brand reputation at risk, compared with 73% globally, which represents an increase of 5% since 2015.

The UK results also show that 64% of IT professionals think C-level executives should lose their job if a breach is serious enough, compared with just 55% globally. However, 61% of global respondents said that the C-level executives they work with expect more lenient security policies for themselves.

The report said the findings demonstrate the need for a cyber security strategy that includes implementing integrated security systems combined with employee training and an overall culture of security throughout the organisation to reduce future breaches.

“Threats have evolved and will continue to become even more sophisticated,” said Candace Worley, vice-president and chief technical strategist at McAfee.

“Organisations need to augment security measures by implementing a culture of security and emphasising that all employees are part of an organisation’s security posture, not just the IT team.

“To stay ahead of threats, it is critical that companies provide a holistic approach to improving the security process by not only utilising an integrated security solution, but also practising good security hygiene.”

Ed Baker, senior director EMEA partners at McAfee, said that with the of the EU’s General Data Protection Regulation (GDPR) approaching, IT security professionals are still struggling to secure and protect their organisations.

“It is crucial that cyber security firms and the channel work on a unified front,” he said. “The channel has the platform to offer guidance and ensure organisations adopt an integrated approach.”

Other key findings of the report include that:

• Data is now being stolen by a wide range of methods, with no single technique dominating the industry. The top vectors used to exfiltrate data are database leaks, cloud applications and removable USB drives.
• personally identifiable information (PII) and intellectual property (IP) are now tied as the data categories with the highest potential impact to 43% of respondents. Notably, PII is of greater concern in Europe (49%), most likely due to the recent enforcement date of the GDPR. In Asia-Pacific countries, intellectual property theft is of greater concern (51%) than PII.  
• IT is regarded as the culprit, with 52% of global respondents claiming IT is at fault for creating the most data leakage events, followed by business operations and production (29%) and sales (26%).
• Highly regulated internal groups, including finance (12%) and legal (6%), are the most secure.
• Security technology continues to operate in isolation, with 81% reporting separate policies or management consoles for cloud access security broker (CASB) and data loss prevention (DLP), resulting in delayed detection and remediation actions.
• IT professionals are taking action, with almost two-thirds stating they have purchased additional DLP, CASB and endpoint detection solutions over the past 12 months. Respondents believe that 65-80% of breaches experienced would probably have been prevented if one or more of these systems had been installed.

Nigel Hawthorn, data privacy expert at McAfee, said that as businesses adopt the cloud, they will need to ensure that security technology and processes are in place to track data wherever it is stored or used,  whether on an employee’s device or directly in the cloud.

“The step is knowing where and how data is being used, shared and stored by employees,” he said. “A good starting point to achieve this visibility is auditing corporate systems and networks to gain an understanding of the potential risks.

“Armed with this knowledge, IT can ensure that the right policies and safeguards are in place to protect data from device to cloud, detect malicious activity and correct any threats as soon as they arise.

“Improving the organisational culture is key. Despite increases in cyber security awareness and training, accidental employee-driven breaches account for a significant proportion of data loss. A strong security posture requires collaboration – both between employees and cyber security systems.”

Hawthorn added: “In addition to repeated cyber security training for staff, IT should focus on building proactive, platform-based and integrated cyber security systems that ensure tools can communicate to identify weak spots and reduce the risk of data breaches.

“Given that our findings show that IT itself is implicated in most data breaches, it is also serves as an important lesson that IT professionals must lead by example to drive a true culture of security in the enterprise.”