Most Companies Unprepared For Cyber-Attacks, Analysts Say
Despite the belief by most CIO’s that their companies are well-positioned to deal with a security attack, security experts say the majority of companies are not prepared to deal with cyber-attacks.
According to a Harvey Nash survey of more than 2,000 CIOs, a large majority of CIOs (87 percent) feel “quite well” or “very well positioned” to deal with a current or near-future security attack. However, security analysts say that CIOs that feel they are prepared are fooling themselves.
“I think in nearly all of these cases, ignorance is bliss,” said Benjamin Caudill, a principle security consultant at Rhino Security Labs. “Those who say they are prepared for a dedicated attack often have a limited idea of what that entails – including areas such as physical security, social engineering, and password cracking.”
With recent high-profile companies including the New York Times, Facebook, and even the Pentagon admitting that they had been hacked, Caudill says that small to mid-sized businesses are even more vulnerable because they have smaller budgets for security tools to fight attacks.
“Cyber crime on small businesses has risen drastically in the past year, making up 31% of all targeted attacks in 2012,” Caudill said. “The prevailing opinion among small businesses is that they aren’t a target for hackers; they have less intellectual property and proprietary information. However, small businesses are being targeted exactly because they are complacent and often can’t afford the newest security tools and knowledgeable employees.”
Most companies are facing budget freezes in IT, making spending on security even more difficult. Over the last 12 months, approximately three in 10 CIOs were operating in an IT spending freeze, while an additional three in 10 CIOs were managing declining IT budgets, according to Harvey Nash.
The FBI recently changed its priorities to focus on cyber security as “a national security threat,” saying organized cyber attacks are replacing terrorism as the number one threat to the American nation. The FBI created “cyber-squads” to police the web, however, they haven’t been able to fight off website attacks of the White House, CIA, FBI, Department of Justice, US Department of Homeland Security, and many others.
A recent breach at the Pentagon found that China used cyberattacks to access data from nearly 40 Pentagon weapons programs and almost 30 other defense technologies, increasing pressure on U.S. officials to take action on cyber threats.
So if the FBI and Pentagon are unable to successfully fight cyber crime, why are company CIOs so sure that they can?
Most CIOs believe that software products, firewalls and security systems are protecting their company’s networks, however, analysts say that these can provide a false sense of security and that education is vital.
“Education is not emphasized enough,” said Scott Greene, a computer forensics expert and CEO of Evidence Solutions. “Users are usually the problem. Layers of security certainly help and make an organization harder to get to, but if users, especially those who bring their own device, aren’t careful, they can get past the defenses of the company or organization and the Malware is in.”
According to Harvey Nash, BYOD (bring your own device) is becoming more popular for many companies with 35 percent of CIOs planning to invest more in the technology in the coming year, but it can also increase data security risks and create weaknesses in the technology shield.
With CIOs expecting to invest more in cloud, BYOD and outsourcing in the coming year, and the growing trend of shadow IT, over one-fifth of CIOs feel they have lost an element of direct control over their IT assets in the last five years, the survey said. These new technologies are actually making protecting data even more challenging for CIOs. So all those CIOs that say they are prepared for a cyber attack may actually be living in their own cloud.
“Saying your company is impenetrable to cybercrime is akin to saying your ship will never sink,” said Caudill.
Damon Petraglia, cybercrime expert agrees. “The bottom line is that most organizations have been breached and many do not realize it. So understand that the probability is that your organization has been or will be breached. It is how the breach is handled that is important.”