Business use of technology is evolving faster now than at any point in the last decade. Internet use has moved way beyond e-mail and Web sites and into the realms of social networks and externally-hosted software services accessed across the Internet (often referred to as cloud computing).
These changes have increased the vulnerability of UK companies and public sector organisations to new cyber attacks. Hacking and denial of service attacks have doubled in the last two years. As a result, security remains high on management’s list of priorities.
These are among the preliminary findings of the 2010 Information Security Breaches Survey (ISBS) commissioned by Infosecurity Europe and written by PricewaterhouseCoopers LLP. The full results of the survey including details of the number and cost of security breaches in the UK, will be revealed at Infosecurity Europe in London on 28 April.
The rate of adoption of newer technologies has accelerated over the last two years and most respondents now say they use wireless networking, remote access and VoIP. Some 85% of smaller organisations said they were using wireless, almost double the use in 2008. The number of organisations allowing staff to have remote access to their systems has also increase with nine tenths of large companies now doing this.
As organisations have looked to cut their IT costs, they have increasingly turned to external providers who host applications on their behalf. These services, including Software as a Service (SaaS) and cloud computing, are now used by over three-quarters of the organisations polled and of these, 44% said they were entrusting critical services to third parties. All sectors are making use of the services, but government is least likely to release control of critical services.
At the same time that companies are increasing their dependence on other organisations for their IT services, there has been an explosion of new cyber attacks. 61% of large organisations have detected a significant attempt to break into their network in the last year, twice as many as two years ago.
Some 15% of large organisations have detected actual penetration by an unauthorised outsider into their network in the last year, and it is likely that many more were undetected. 25% of large organisations have suffered a denial of service attack in the last year, also more than double the proportion in 2008. Outsourcing IT services does not make the security risk go away, but few companies are taking enough steps to ensure their outsourced services are not vulnerable to attack.
Very few organisations are encrypting data held on virtual storage, including the ‘cloud’. Worryingly, only 17% of those with highly confidential data at external providers ensure that it is encrypted. Virtualisation and cloud computing seem to be set to follow the trend, established over the last decade, of controls lagging behind adoption of new technologies. Given the increased criticality and confidentiality of information held on virtual storage, organisations need to respond quickly to close this control gap.
Responding to the data leakage threat
The increasingly inter-connected business environment and prevalence of externally provided services is reflected by a growing data leakage threat. That threat is driving an increased demand for assurance over third parties. ISO 27001 is becoming a common standard for compliance; 40% of large organisations are being asked to demonstrate compliance with the standard.
ISO 27001 and PCI (Payment Card Industry) standards are also driving adoption of some specific security mechanisms. PCI, in particular, is driving more encryption of website transactions and sensitive data fields in databases. However, organisations that need to meet government requirements are more likely to encrypt data transfers and removable media.
Andrew Beard, director, OneSecurity, PricewaterhouseCoopers LLP, said: “It seems that organisations will respond to specific requirements mandated by government or other authorities, but when the requirements are less explicit, adoption of good practice is lower. Assurance reporting appears to increase organisations level of comfort. However, as adoption of the assurance reporting standards remains low, it seems likely that some organisations have a false sense of security.”
Staff postings to social networking sites pose a new data leakage risk. Yet, at the same time, social networking is increasingly important to businesses. Organisations are reassessing their approach to controlling staff access to the Internet. The trend, established between 2006 and 2008, of allowing more staff to access the Internet has been reversed. Nearly half of large organisations now restrict which staff can access the Internet; less than a third did so in 2008.
Organisations want to allow effective use of the Internet, but reduce inappropriate use. Use of software to block access to inappropriate websites is slightly up on two years ago. Web access logging and monitoring is relatively static. However, more sophisticated use is being made of these tools than in the past. Organisations are one and a half times as likely to monitor postings to social networking sites if social networking is considered very important to their business.