Security breaches that gravely tarnish the reputation of a well-known business are now a weekly, if not daily, occurrence.
It was electronics giant Sony’s misfortune that dominated the headlines in April 2011, after hackers stole a staggering 100 million customers’ details.
Just weeks before, brands as high-powered as JPMorgan Chase and McKinsey were affected when a marketing agency’s email list was hacked.
Little wonder, then, that information security is an issue that preys on the minds of business executives, fearful that it might be their turn next to apologise for failing to prevent a data breach.
And yet, it is a topic that organisations rarely speak about publicly. This is perhaps with good reason – no-one wants to advertise the weaknesses of their security precautions to would-be hackers, and nor do they want to provoke them with boastful claims.
But this means that it can be difficult for organisations to benchmark their security precautions against those of their peers. This arguably makes it more difficult for good security practices to become widespread.
Information Age, in partnership with security advisory firm Invictis, recently surveyed 333 IT, security and business executives in the UK about the security practices, processes and technologies that they use to safeguard their data.
The results of that survey are presented here, in the hope that they provide a useful, albeit informal, glimpse into the standard of information security practices as they stand today.
A simple but revealing question was to ask respondents how they rate their organisation’s overall security posture.
The large majority (74%) replied that they rate it either highly or extremely highly. Fewer than 3% considered their security posture to be below average.
This is not quite the statistical impossibility it might seem: the survey may well have attracted a disproportionate number of respondents whose organisations are very good at security, and a self-assessment of security posture is not the same thing as a measured one. Even so, it suggests that UK organisations consider security to be an issue that is under control.
For whatever reason, respondents from the telecommunications sector were most likely to rate their security posture ‘extremely highly’ (58%), while respondents from the education sector were among the most likely to rate theirs as average or worse.
Organisations of more than 1,000 employees, and those of between 500 and 1000 employees, rated their security postures equally highly, while those of 500 or fewer were most likely to consider themselves ‘average’.
Three-quarters of organisations reported that there is a senior-level executive with specific responsibility for security. Quite logically, a smaller proportion of organisations with 500 or fewer employees have such an executive (60%) compared with larger organisations (80%).

When asked whether security is adequately funded and/or resourced at their organisation, 41% of respondents replied yes to both. Almost as many (35%) said there are adequate funds but that ‘headcount is limited’.
Not surprisingly, those respondents who rated their security posture ‘extremely highly’ were the most likely to report that it is both well funded and well resourced.
Information risk
Respondents were asked whether their organisation classifies information assets according to their sensitivity and value to the business. A small minority (14%) replied with an outright no, but the remainder were split between ‘yes’ (45%) and ‘partially’ (41%).
More companies in the 500 to 1,000-employee range reported that information was classified in this way only ‘partially’ (48%) than gave a wholehearted ‘yes’ (41%), while the opposite was true of the 1,000+ bracket.
A comfortable majority of respondents (62%) revealed that they have both a formal risk assessment methodology and a central ‘risk register’ that covers all the risks that their organisation faces. Just 13% had an assessment methodology with no register; 10% had it the other way round and an unlucky 13% had neither.
Among the industry sectors least likely to have both methodology and register were manufacturing (42%) and media (40%).
The survey examined how frequently organisations conduct security audits. It found that 42% conduct internal audits every 12 months, 15% do so every six months and 15% do not carry out any. The sector most likely to have six-monthly internal audits was IT and technology (42%), followed by insurance (41%). Surprisingly, about as many respondents in the 500 to 1,000 employee size bracket said they conduct no internal audits (18%) as in the sub-500 bracket (17%).
The picture was only slightly different for the frequency of external security audits; again, every 12 months was the most common response (42%).
Personnel and process
The survey also investigated how organisations ensure that their employees are up to speed on security policy and best practice. The most common approach, by a whisker, was continuous or periodic training through questionnaires or the intranet (29%). Just behind that was formal training every 12 months (28%).
Perhaps worryingly, 20% of respondents do not provide any security training, but simply give employees a copy of the security policy when they join the company.
Among the sectors most likely to take this approach were education (40%) and, most worrying of all, government (27%). The continuous training approach was most popular in the banking sector (58%).
Practically half of respondents (49%) reported that all employees, contractors and third parties are subject to a formal screening process, with signed terms and conditions relating to security responsibilities. A further 30% said that their organisations include terms and conditions relating to security in contracts but that there is no screening process, and 13% said neither measure is in place.
Banking, telecommunications and professional services companies were the most likely to screen employees, contractors and partners. Very surprisingly, respondents from the education sector were the most likely neither to screen employees nor include information security terms and conditions in contracts.
A considerable majority of respondents (68%) reported that there is a formal mechanism for reporting data breaches, and a detailed incident response process. Only 10% lacked both precautions, and about half of these (47%) were in the sub-500-employee size bracket.
Insurance and telecommunications were the best-equipped sectors when it came to reporting mechanisms and response processes, while more respondents in the manufacturing sector claimed to have neither (24%) than in any other.
Technology choices
Beyond processes and best practices, the report also asked which security technologies respondents use to protect their information.
It should come as little surprise which technologies were most popular. ‘Firewalls/virtual private networks’ was the most commonly adopted option with 98.5% of the sample (though one might have expected the figure to be 100%).
‘Secure remote access’ came second with 86% of the sample, followed by ‘antivirus/antispyware’ with 84%. Email- and web-based content security followed with 79% and 76% respectively.
At the lower end of the scale, identity and access management was the least popular response, with just a quarter of the sample, although this may be a question of terminology: many organisations manage user accounts and access rights without labelling the tools they use as ‘IAM’.
Intrusion detection and prevention systems are used by just 42% of respondents, while log management is used by 49%. This suggests that many businesses do not consider themselves to be potential targets for the kind of complex, targeted cyber attack that these tools are said to protect against. It is worth noting, however, that logs and intrusion alerts are also the raw material for detecting and investigating any breach, targeted or opportunistic; an organisation without them will struggle to notice an incident, let alone to reconstruct what happened.
The relative popularity of security technologies was roughly the same across organisations of all sizes. One exception to this is encryption, which is used by a noticeably smaller proportion of medium-sized organisations (48%) than of larger organisations (72%).
There were more pronounced differences between market sectors. For example, intrusion detection and prevention systems are used by 76% of respondents in the financial services sector, far greater than the 42% cross-sector average.
Other examples are as follows: device control is used by 87% of finance firms and 91% of insurance companies, the survey found, compared with 62% of the overall sample; privileged user management technology is used by 80% of telecommunications companies but just 60% of the overall sample; and encryption is especially well adopted among respondents from the healthcare (80%) and utilities (89%) sectors.
The relative adoption of technologies as a function of how highly respondents rated their security posture was as expected – the higher the rating, the more likely an organisation was to have adopted each technology.
This was the overall picture that the survey confirmed. The larger an organisation, the more likely it is to fund and resource security properly. That in turn means it is more likely to have adopted security best practices and technologies.
Respondents from finance-related sectors reported a high level of adoption of the various security measures, while those from the public sector, especially education, often trailed behind.
Of course, an organisation that rates its security posture ‘extremely highly’ might still fall prey to a high-profile security breach tomorrow; a confident self-assessment is no guarantee of resilience. But, at the very least, the survey shows that proper process, training and investment go hand in hand with a certain peace of mind.