New research from data protection company Vormetric and analyst firm 451 Research has revealed that 89% of UK organizations consider themselves vulnerable to cyber-attack, with almost a quarter (23%) admitting to feeling ‘very or extremely’ vulnerable.
The European Edition of the 2016 Vormetric Data Threat Report (DTR) features responses from senior IT security executives at large enterprises worldwide, including 100 from businesses in the UK, and details IT security spending plans, perceptions of threats to data, rates of data breach failures and data security stances.
The firms also discovered that 46% of UK organizations have experienced a data breach at some stage, with almost one in five (19%) suffering an attack in the last year.
In terms of spending to tackle this, companies planning to invest in security in the next 12 months are running the risk of doing so in the wrong areas, says Vormetric. Tools like network and endpoint defenses appear to be high on the agenda among those polled, but these have been proven to be largely ineffective against current threats to company data.
The threat landscape is continually evolving and becoming more dynamic. Therefore, as Jay Abbott, MD, Falanx Cyber Defence, told Infosecurity, relying solely on traditional security methods in the hope they will defend against modern-day attacks is a big risk for businesses to take.
“AV, stateful firewalls and a perimeter focus just don’t cut it anymore,” he argued. “Successful attacks are client-side, leverage the end-user themselves or the systems they use to perform their daily tasks and evolve at a significant rate. The ease at which anti-virus can be bypassed is astonishing and thinking you can ‘keep the bad guys out’ by building a wall and then letting all the users inside the wall request data through it from the outside world, is near lunacy.”
In the past, organizations have invested large amounts of money into the protection they currently have, but the bad guys have evolved to get around it and businesses struggle to understand why the tens of thousands of pounds worth of firewalls they bought last year are now lacking, Abbott said.
Louise Bulman, vice-president of EMEA for Vormetric, expressed a similar view, advising companies to use the far more effective approach of implementing technology that concentrates fundamentally on controlling access to data, something that can “bring about additional benefits by enabling technologies like cloud, big data and IoT which may otherwise have been deemed too risky.”
With the majority of organizations admitting to feeling susceptible to attack and apparently over-relying on outdated technology, it would come as no great surprise that 42% of UK respondents who plan to introduce Internet of Things (IoT) technologies view protecting sensitive data generated by IoT devices as their biggest security concern.
Speaking to Infosecurity, director of threat research at Webroot David Kennerley explained that IoT services offer hackers boundless criminal monetization, limited only by how creative and motivated they choose to be.
“Hacked IoT devices could provide a nice beachhead to the network resulting in more traditional cyber-attacks,” he said. “Also, let’s not forget hacked IoT devices can allow physical access to buildings and vehicles. Unfortunately the possibilities for the cyber-criminals are endless.
“Businesses need to be assured that IoT manufacturers are taking security seriously, that it’s not just an afterthought – that it’s considered at the design phase, to release and beyond.”
“In today’s current environment, believing a device is unlikely to be exploited is simply unacceptable. We need to move away from the ‘setup and configure once, then leave alone’ attitude. A combined approach of legislative restriction and specific security approaches will need to be considered and deployed to protect IoT devices and our data,” Kennerley added.
Lastly, UK organizations are continuing to associate compliance with security, despite data breaches continuing to affect enterprises that have been certified as ‘compliant’.
“Compliance does not ensure security,” said Garrett Bekker, senior analyst, information security at 451 Research. “As we learned from data theft incidents at companies that had reportedly met compliance mandates (such as TalkTalk, Morrison’s and others), being compliant doesn’t necessarily mean you won’t be breached and have your sensitive data stolen. UK organizations don’t seem to fully appreciate this, with almost half (47%) rating compliance as a top reason for protecting data, and with compliance the topmost IT security spending priority (48%).”