The UK falls below the global level of confidence in the ability to accurately assess cyber risk, which has dropped 12 percentage points over 2016, a survey has revealed.
The world’s information security professionals gave global cyber readiness a C-average, with a score of just 70%, according to Tenable Network Security’s Global cybersecurity assurance report card for 2017.
The scorecard is based on a poll of 700 security practitioners in nine countries and across seven industry verticals to calculate a global index score reflecting overall confidence in the world’s cyber defences.
According to this year’s data, global cyber security confidence fell six points over 2016, but the overall decline in confidence is the result of a 12-point drop in the 2017 Risk Assessment Index, which measured the ability of respondents to assess cyber risk across 11 key components of the enterprise information technology (IT) landscape.
In the UK, confidence among respondents in their organisation’s ability to assess risks has taken a significant knock, falling from 73% to 59% – a 14% drop. Security assurance has also taken a slight dent, falling from 74% to 73%. This gives the UK an overall score of 66%, a D-grade classed as a “fail”.
Overall, respondents cited the “overwhelming cyber threat environment” as the single biggest challenge facing IT security professionals today, followed closely by “low security awareness among employees” and “lack of network visibility” due to bring your own device (BYOD) practices and shadow IT.
“Today’s network is constantly changing – mobile devices, cloud, internet of things, web apps, containers, virtual machines – and the data indicates that a lot of organisations lack the visibility they need to feel confident in their security posture,” said Cris Thomas, strategist at Tenable Network Security.
“It’s pretty clear that newer technologies such as DevOps and containers contributed to driving the overall score down, but the real story isn’t just one or two things that need improvement, it’s that everything needs improvement,” he said.
According to the survey, the most challenging areas include cloud services, mobile devices, and new areas such as containerisation and DevOps.
Cloud software as a service (SaaS) and infrastructure as a service (IaaS) were two of the lowest-scoring risk assessment areas in the 2016 report. SaaS and IaaS were combined with platform as a service (PaaS) for the 2017 survey, and the new “cloud environments” component scored 60% (D-), a seven-point drop compared with 2016’s average for IaaS and SaaS.
Identified alongside IaaS and SaaS in the 2016 report as one of the biggest enterprise security weaknesses, risk assessment for mobile devices dropped eight points from 65% (D) to 57% (F).
Two new IT components were introduced for 2017 – containerisation platforms and DevOps environments.
New security concerns
DevOps is transforming the way software teams collaborate through increased consistency and automation, but it also introduces new security concerns. In fact, respondents reported just 57% confidence in the ability to assess security during the DevOps process.
At the same time, adoption of containerisation technologies such as Docker is exploding as organisations look to accelerate innovation cycles and reduce time-to-market. Unfortunately, only 52% of respondents felt that their organisation understood how best to assess risks within container environments.
India was the top scoring country, with an overall cyber security assurance score of 84% (B), followed by the US with 78% (C+), Canada with 75% (C), France with 74% (C) and Australia with 71% (C).
Next was the UK with 66% (D), followed by Singapore with 64% (D), Germany with 62% (D-) and Japan with 48% (F).
Surprisingly, retail was the top-scoring sector with 76% (C) and, worryingly, government was the lowest-scoring with 63% (D).
After retail came financial services, with 72% (C-), manufacturing with 72% (C-), telecoms with 70% (C-), healthcare with 65% (D) and education with 64% (D).