
Attitudes to IT security


6 January 2014

“Eighty five per cent of organisations said that when handing over company data and information to another business/third party, they ask where this data will be stored and enquire about their security policies and practices, but are organisations fooling themselves?” said McLoughlin. “In a separate question, 37% of organisations admitted to only evaluating the security of third parties with which they share data or network access once a year or less and a further 37% said they don’t typically evaluate third parties IT security.”

“I would raise the question are organisations asking the question properly, what criteria are they using and how often are they asking the question and properly evaluating the security of their third parties,” said McLoughlin.

When it comes to incident response, organisations appear to have a reasonable grasp of what should be done. The top actions, where respondents were asked to indicate their top three, were contacting relevant internal personnel (85%), notifying affected parties (73%) and preserving forensic evidence (63%), followed by reporting to the Office of the Data Protection Commissioner (58%) and contacting IT service providers (55%). Next came notifying communications teams in case of leaks to the media (40%), notifying the Gardaí (39%) and addressing legal issues with solicitors (37%). Most worrying, though, was the nearly a quarter (24%) who said they would do nothing and hope no one finds out.

In recent times, the case of RSA shows that a well-handled communications strategy around a data breach can not only help an organisation deal effectively with the incident, but can enhance the reputation of the organisation. For a security vendor, the kind of breach it suffered could easily have sent the company into terminal decline, but instead RSA has re-emerged from the crisis with renewed vigour and leads a grass-roots movement to get more people in the IT security industry talking to each other, so that information, best practice and success stories are shared and the overall capability to meet these challenges is raised. Closer to home, the incidents experienced by the popular online community Boards.ie and the Carlow-based hosting and service provider Blacknight were also serious incidents that were well handled and, instead of wounding reputations, enhanced them.

Has the increasing number of news stories on IT Security breaches in businesses over the last year impacted the way in which you perceive the security of your company’s data and assets?

The survey asked how confident organisations were regarding their capability to respond to a breach. Less than a third (30%) of respondents said that they were fully confident, while 58% said they could do more. Less than one in 10 (8%) admitted they had inadequate measures in place, with just 3% saying that they did not know.

Furthermore, the survey asked about incident response strategy for third party suppliers. Almost half (46%) of respondents said that they had none in place, with 20% indicating they did not know.

“The fact that 58% of respondents admitted that they could do more is encouraging and needs to be recognised by government and industry watchdogs alike,” said McLoughlin.

“However what is really concerning is that 46% of Irish businesses surveyed do not have an incident response strategy in place. This might lead me to believe that there is still a lack of maturity and realisation out there among Irish organisations that it will happen to them and when it does they are not prepared at all for a security breach and therefore the implications will be disastrous. What this 46% unfortunately highlights is that there is still a deliberate, wilful indifference towards IT security hygiene.”

This lack of diligence regarding third parties was further highlighted when the survey asked how often, on average, the security of third parties with which data or network access was shared was evaluated. More than a third (36%) said that they typically did not evaluate third parties’ security. A further 37% said that they do so once a year or less, with just 18% saying they carry out evaluations more than once a year. Almost one in 10 (9%) said they did not know if such evaluations were carried out.

Respondents were also asked about their organisation’s willingness to participate in some form of information sharing and collaboration with other companies regarding breaches experienced and lessons learned. While less than half (45%) said they would, this is still hugely encouraging, as Irish organisations have traditionally been reticent about all things security related, especially when it comes to admitting failures.

Almost a quarter (24%) said they would not participate and 31% said that they did not know.

“This is a very encouraging statistic,” said McLoughlin, “Irish businesses should be encouraged to speak up and participate in information sharing with other companies about a breach and the lessons learnt. This was a key theme at the RSA Conference 2013 where several security experts emphasised how information sharing is a vital piece of the effort to improve cybersecurity at a time when attacks are escalating sharply, and insisted that the ability to share information on emerging threats freely without having to worry about liability must be a key part of any cybersecurity strategy.”

Please rate in order of importance, where 1 is very important, the TOP THREE steps you would take if your company suffered a security breach.


While the attitude of those tasked with developing and implementing policies is important, buy in from users is also a critical part of security. The survey asked if an employee lost a personal mobile device (smartphone, tablet or laptop) that had access to the corporate network, data or applications, would that person report it.

The vast majority (78%) firmly believed they would, with a strong 13% believing they would not, and a significant 9% saying they did not know.

This is somewhat worrying, as it falls into a bit of a grey area. A personal device is the responsibility of the user, but it is also the user’s responsibility to comply with any bring your own device (BYOD) policies which may be in place, as well as those for information access. Therefore, under accepted best practice, a lost personal device should not have any access to sensitive information unless it is encrypted or, at the very least, device control measures are in place that would render the lost device useless. Information tagging is now common too, so that any sensitive data stored on the device can be remotely deleted on loss or theft.

If your company experienced a breach would you be willing to stand up and participate in any form of information sharing and collaboration with other companies about the breach and lessons learned?

Finally, the survey asked if organisations gave staff training to enforce an IT security awareness culture within the organisation, including knowledge of cyber criminality. Almost two thirds (65%) said that they did via either training courses or printed materials. Almost a third (32%) said that they did not, while less than 3% said they did not know.

The overall picture that emerges is that organisations are broadly aware of their responsibilities when it comes to data protection and information security, with the vast majority taking appropriate measures. This is taking place in the context of a constant or rising threat level that is perhaps exacerbated by media coverage of incidents and their consequences. The proportion of respondents who said that they could do better, and who would participate in forums for discussion, is very encouraging and represents a change in attitudes from prevention only to handling an incident properly when it occurs. What is needed to facilitate such developments are more open fora in which organisations of all sizes and types can speak confidently about their own experiences and what worked for them.

“We must share knowledge and understanding of what works and what doesn’t, how an attack took place and how it was stopped in order to reduce the risks,” said McLoughlin. “There should be incentives in place for organisations that come clean and report a breach and indeed for those organisations that are willing to stand up and share their experience with other companies.”

Through open sharing and discussion, a wider knowledge and capability can help raise the protection level for all organisations.


TechCentral.ie