Archive | Information Security

Cyber security in the UK

Effective cyber security is good for business, according to the UK’s Department for Business, Innovation and Skills (BIS), which has published its 2013 Information Security Breaches Survey.  The report presents the findings from over 1000 respondents across small, medium and large firms in a range of sectors.  The figures show that companies in the UK have experienced the highest ever number of reported security breaches and the costs to firms are also at an all-time high.  The average cost to a large firm of its worst security breach is reported to be between £450k and £850k.  For small firms, the figure ranges between £35k and £65k.

The increased use of cloud computing, mobile devices and social networks can increase risk (14% of large organisations reported a security breach via a social network).  Ongoing changes in the business environment can also lead to uncertainty about who is responsible for information and data ‘ownership’.  This is particularly true in large organisations where 33% of respondents reported that such responsibilities were ‘unclear’.

Most of the respondents reported that they have written information security policies, yet 34% report that employee understanding is poor.  Training levels remain low, despite evidence that training and awareness can significantly reduce the impact of security breaches.

Threats from outside – and within

The BIS states that cyber-attacks have grown ‘in frequency and intensity’ over the last year.  These include hacktivism attacks, phishing, identity fraud and denial of service attacks.  Companies are not just subject to external threats.  Staff-related breaches may be both deliberate and inadvertent, ranging from accidentally sending emails to the wrong recipients to disgruntled employees taking business-critical data with them when they leave the company.

Key findings

  • 87% of small firms experienced a security breach last year
  • 93% of large companies experienced a security breach
  • 36% of the worst security breaches were caused by inadvertent human error
  • 10% of the worst security breaches were caused by deliberate misuse of systems by staff
  • 23% of respondents haven’t carried out any form of security risk assessment
  • 9% of large organisations had a security or data breach in the last year involving smartphones or tablets
  • 4% of respondents had a security or data breach in the last year relating to one of their cloud computing services
  • 92% of respondents expect to spend at least the same on security next year (and 47% expect to spend more)

Antivirus software – an ‘illusion of security’?

The detection rate of new viruses by antivirus software is currently lower than 5%.

In a Hacker Intelligence Initiative study of 40 antivirus (AV) products (conducted by business security firm Imperva) the results suggest that it can take up to a month for 75% of the products to add viruses to their lists and begin protecting their customers against them.  On average it took three weeks between information about threats being made available and AVs addressing them.

The challenge is that new viruses and malicious programs are being created and distributed on an industrial scale every day and that AV software needs to be updated continuously.  Hackers and attackers understand AV products in depth and are able to design around their strengths and weaknesses.

The researchers ‘hunted down’ 82 viruses using a mixture of search, hacker forums and ‘honey pots’ and then tested them against 40 AV products.  They conclude that AVs are fast to respond to malware that spreads rapidly but that blind spots exist when it comes to viruses with limited distribution.

The antivirus products tested included both paid-for and freeware products (e.g. Avast), with little significant difference in performance between the two groups.

Imperva concludes that IT security should continue to use AVs but that they should also focus on what they call ‘aberrant’ behaviour.  They give an example of a breach of information security in a US state.  Once the initial breach had been successful, systems failed to notice that data was being accessed and moved around several times before eventually being moved out of the network by the hackers.

According to Gartner (2011) the global annual spend on antivirus software is $7.4 billion.

You can read the research findings (including some thoughts on the methodology) here.

Original source: ITProPortal

Exiting employees helping themselves to information

It’s not just stationery that walks out of the office with exiting employees.  According to a survey conducted by the records and information management company Iron Mountain, a significant proportion of employees has removed confidential information from the office – in spite of data protection and other information governance guidelines.

2,000 office workers in France, Germany, Spain and the UK were surveyed.  32% of them admitted to taking or forwarding confidential information on more than one occasion.  Of those who are removing information:

  • 51% are taking information from confidential customer databases
  • 46% are taking presentations
  • 21% are taking company proposals
  • 18% are taking strategic plans
  • 18% are taking product or service roadmaps

The employees’ attitudes to their actions are interesting.  Many of those surveyed felt a sense of ‘ownership’ of the information, particularly if they had a role in creating it in the first place.  34% of respondents were completely unaware of any company guidelines regarding the removal of information from the office.

Information and data are – of course – key organisational assets.  Information professionals have the opportunity to influence organisational information governance policy and educate employees about their information responsibilities.

European businesses and information risk

Although intellectual property can represent a high percentage of a company’s value, a significant proportion of organisations are failing to protect their information assets.

According to research undertaken by Iron Mountain and PwC, European businesses are not taking the protection of corporate secrets and intellectual property (IP) as seriously as other information risk issues.

The research shows that only 41% of mid-sized European businesses have plans to protect intellectual property and that 54% of companies believe that safeguarding this type of information is less important than protecting financial, customer and employee information.

Four industry sectors (financial services; insurance; manufacturing; pharmaceuticals) in six European countries (France, Germany, Hungary, Netherlands, Spain, UK) were analysed.  The pharmaceutical industry, despite being IP intensive, performed the worst – only 30% of the companies include IP in their information risk management and data protection plans.

Companies should focus beyond the direct cost of data loss or theft and take into account other, less direct costs, such as the potential impact on brand reputation and public trust.  According to the research, the best companies:

  • Treat information as a board room issue
  • Have a balanced information strategy – which is regularly monitored
  • Have a multi-disciplinary team in charge of information risk

A summary of the report (Information Risk Maturity Index) is available here.

How to align IM with organisational risk management

As recent events have only too clearly shown, poor information management and control (particularly when combined with a ‘flexible’ appreciation of information ethics and legislation) can lead to financial and reputational loss.

It was an extraordinary coincidence of timing that while a UK Government Select Committee was in progress in Westminster, members of NetIKX were discussing the concept of organisational information risk management.

Liz Scott-Wilson, currently an information architect at a large law firm, has years of experience in information management and consulting roles in both the public and private sectors.  In her presentation she shared what she considers to be the most valuable lesson of her career.  When it comes to exerting influence within your organisation the key to success is to focus on what keeps senior people in your organisation awake at night.

Senior managers are unlikely to care much about the intricacies of information governance but they will be concerned about organisational risk.  Liz outlined how in a previous role, she had analysed a (very detailed) organisational risk register and identified information pressure points.  She then used these to demonstrate how effective information management could help mitigate organisational risk at key pressure points.

Key lessons from Liz’s presentation:

  • Focus on real pain points for senior managers
  • Ensure you understand the power systems in your organisation
  • Find friends in your organisation’s governance/risk teams
  • Reflect organisational language in your strategy
  • Demonstrate how IM can bring plausible and affordable processes to mitigate risk

The key call for action was to encourage anyone interested in demonstrating the importance of IM to organisations to meet with organisational risk managers.


(There were two speakers at the event.  Watch out for a second blog entry!)

Facing up to the cybersecurity challenge

In the latest issue of McKinsey Quarterly James Kaplan identifies a perfect storm of factors that are conspiring to make cybersecurity a major business challenge.

  • Stakeholders expect more ‘openness’.  Increased demands for mobile/smartphone access present new types of security threats
  • More corporate value is to be found online – making it a more attractive target for cybercriminals
  • Interconnected supply chains make extended networks vulnerable to weak links in the chain
  • Increasingly sophisticated cybercriminals and malware

Organisations need a new mindset to tackle cybersecurity challenges.  This includes moving from a focus on ‘protecting the perimeter’ to identifying, and protecting, their most valuable intellectual assets.  Most critical of all is to acknowledge that cybersecurity is at best a constant battle rather than a one-off problem that can be tackled and ‘solved’.