UK Firms’ Faith In Security Tools And Policies Is Misplaced

Steve McCaskill,
security

Less than half of firms regularly take basic measures like installing patches and updating software, Cisco research finds

Cisco has warned that many businesses’ faith in their security tools and policies is misplaced, as just 42 percent of UK firms have highly sophisticated measures in place – less than India, the US and Germany.

The networking firm’s Annual Security Report found that 75 percent of Chief Information Security Officers (CISOs) believe their tools are ‘very’ or ‘extremely’ effective yet less than half take standard steps like patching and updating software to the latest versions, increasing their protection.

“We see less than half of the security teams surveyed using standard tools like patching and configuration management to help prevent security breaches,” said Jason Brvenik, principal engineer of Cisco’s security business group. “Even with leading security technology, excellence in process is required to protect organizations and users from increasingly sophisticated attacks and campaigns.”

Security at all levels

Malware, virus, security © Finchen, Shutterstock 2014The firm notes that despite the discovery of the Heartbleed vulnerability last year, just 56 percent of all installed OpenSSL versions are more than four years old, indicative of this less than active approach.

Overall, utility and telecoms firms have the most sophisticated measures in place, with government agencies much better equipped to deal with malicious attacks than financial service organisations and transport companies.

Cisco is urging all firms to adopt a ‘hands on deck’ approach to security as attackers become more adept at exploiting all kinds of vulnerability. The report notes that hackers are more likely to target individual users rather than compromising servers and operating systems in their attacks, with many unwitting users providing assistance by falling for browser and email scams.

New trends

New methods by hackers include ‘snowshoe spam’, which is the sending of low volumes of spam from large sets of IP addresses to avoid detection, the use of less common exploit kits that security firms are unaware of and malicious combinations, which involves combining two types of exploit, such as one in Flash and one in JavaScript, which combine weaknesses to make it more difficult for security tools to detect and block the threat.

“Security needs an all hands on deck approach, where everybody contributes, from the board room to individual users,” explained John N. Stewart, senior vice president, chief security and trust officer at Cisco. “We used to worry about DoS, now we also worry about data destruction. We once worried about IP theft, now we worry about critical services failure.

“Our adversaries are increasingly proficient, exploit our weaknesses and hide their attacks in plain sight. Security must provide protection across the full attack continuum and technology must be bought that is designed and built with that in mind.  Online services must be run with resiliency in mind, and all of these moves must happen now to tip the scales and protect our future.  It requires leadership, cooperation, and accountability like never seen before in our industry.”

 Do you know all about the Internet of Things? Take our quiz.