Nine tenths of UK organisations feel vulnerable to cyber threats – where should your priorities lie?
“Is your company vulnerable?”
This is one of the first questions any IT pro needs to ask themselves when starting a conversation about cybersecurity in the workplace.
That vulnerability can come in various forms. If your company is a high-level, public-facing institution, that vulnerability can come from simply existing as a worthwhile target for criminal hackers, eager to exploit data or convey a political message. But on the other side of the coin, even if your company is a small business, that vulnerability can manifest in the form of cybersecurity complacency – allowing even the most basic of attackers an easy route in through the back door.
So it’s not surprising that a recent survey from Vormetric found that 89 percent of UK organisations feel more vulnerable than they did in the past, especially to threats from both inside and outside the workforce. On top of this, 23 percent admitted they were ‘very or extremely’ vulnerable.
When asked to pick the three most important reasons for securing sensitive data, the top answers were ‘reputation and brand protection’, given by 50 percent of UK organisations, ‘compliance requirements’, given by 47 percent and ‘implementing best security practices’, given by 41 percent.
Garrett Bekker, an analyst at 451 Research, said the results pointed to budget troubles feeding the feeling of vulnerability.
“But IT security spending plans tell another story, with compliance the top priority at 48 percent, while reputation and brand protection spending dropped to 45 percent. Clearly, organisations are having trouble prioritising their budgets to best ensure the safety of customers and the viability of their business.”
But shouldn’t sustained coverage of high-profile breaches in the media have freed those budgets from their limits? While security budgets are increasing, there is still some confusion as to which areas need to be prioritised.
Vormetric found that many organisations are planning investments in tools like network and endpoint defences, tools that are allegedly ineffective against current threats to company data.
“Enterprises and public sector organisations are under increasing scrutiny from stakeholders and the public where it comes to safeguarding confidential and sensitive information,” argued Louise Bulman, vice president of EMEA for Vormetric.
“It’s therefore surprising and concerning that companies are continuing to over-rely on tools that consistently fail against modern, multi-layered attacks. Technology that concentrates fundamentally on controlling access to data is a far more effective approach, and one which can bring about additional benefits by enabling technologies like cloud, big data and IoT which may otherwise have been deemed too risky.”
ViaSat UK CEO Chris McIntosh supports this notion that controlling access is key: “Attackers generally will always go for the weakest point in a system, whether this is a back door to the network or through a member of the organisation.
“For example, there is no point in spending thousands on the most advanced security software if the default password is ‘password1’. Ensuring all passwords are changed immediately, that all sensitive data is moved to an encrypted device and that all points of the network can be trusted can ensure any vulnerabilities are closed off and that attacks do not continue unnoticed.”
Controlling access, naturally, feeds into the wider issue of compliance, but 451’s Bekker argued that compliance alone just doesn’t ensure security.
“As we learned from data theft incidents at companies that had reportedly met compliance mandates (such as TalkTalk, Morrison’s and others), being compliant doesn’t necessarily mean you won’t be breached and have your sensitive data stolen,” he said. “UK organisations don’t seem to fully appreciate this, with almost half (47 percent) rating compliance as a top reason for protecting data, and with compliance the topmost IT security spending priority (48 percent).”
Whatever the vulnerability, the lesson that needs to be learned here is that no company is completely safe from attack.
“Nowadays, getting hacked is not a matter of choice, it’s a matter of time,” said Paul Briault, director of digital security at CA Technologies.
Adopting a ‘this won’t happen to me’ mentality is the first step to exposing your business to vulnerabilities, because it means you are not prepared for all eventualities. Most organisations, however, still have a reactive approach to security – rather than accepting a breach as an inevitable occurrence and planning accordingly, they marginalise security until it’s too late.