When it comes to how businesses are approaching cyber security, most know what to do in the event of a cyber incident, defending against phishing and social engineering attacks is priority, and concern over company web facing applications is high, according to a recent survey by TrainACE, a cyber security training organization.
Security breaches can occur at all different levels, as is seen by some of the major breaches in the 21st century. One of the best-known security breaches was WikiLeaks, which occurred when an army private by the name of Bradley Manning sent nearly 100,000 classified military documents to a website for release. Other major breaches include Stuxnet, which was a computer virus that was developed to hinder the development of nuclear weapons in Iran, and the Sony PlayStation breach, in which a hacker collected the personal data of over 77 million PlayStation users, including 12 million credit card numbers.
When TrainACE asked more than 200 senior-level IT and security professionals about cyber security practices in their businesses, 59 percent said their company has a cyber incident response plan; the attacks companies are most concerned with are phishing and social engineering (37 percent), followed by mass malware (25 percent); and most respondents, 32 percent, think Web facing applications are the most vulnerable target to attack in their organization, followed by Internet exposed devices.
More than half (54 percent) of the respondents indicated that their company had not been hacked or experienced a data breach in the last 12 months; forty-eight percent of respondents think current and former employees pose the greatest cyber security threat to their organization, followed by hackers (33 percent); the number of respondents who found a Trojan on their work computers, 46 percent, was equal to the percentage who had not; eighty-one percent of respondents said their company follows a set of update guideline procedures, while 90 percent have password policies in place.
Of the 17 percent of respondents that indicated they had been hacked or experienced a data breach, 70 percent found a Trojan on their work computer; nearly 20 percent of those who confirmed a hack or breach said they don’t have a cyber incident response plan, but are now considering one. Not surprisingly, of those respondents who said they do not have a cyber incident plan and are not considering a plan, most said they also do not have a set of update guidelines and don’t plan to implement them. The percentage of companies with password policies also dropped sharply to 68 percent.
“The findings we’ve compiled suggest that while most companies are employing best practices when it comes to cyber security, there is still a way to go before adoption is universal,” said CEO/President, Ralph P. Sita, Jr., CPA, TrainACE. “All companies have different reasons and needs when it comes to cyber security, but it’s troublesome to learn that many still don’t have the basics in place, such as a cyber incident plan or set of updates guidelines. Of course, these are generally the companies that learn the hard way after a hack or data breach. ”
Most respondents – 42 percent – said that their organization is “extremely” effective in identifying and mitigating cyber threats with internal employees. Those companies that had been hacked or breached said their organization was only “moderately” effective; and for respondents who said no and not considering a cyber incident plan, “not really a concern” became the top answer in identifying and mitigating cyber threats with internal employees. Most respondents, regardless of their answers, knew who to contact in their company if they are hacked or if their computer is infected.
When it comes to company spending on cyber security measures this year, most respondents indicated an increase, most of which was going towards software. Of those respondents who knew what percent of their organization’s overall IT budget is allocated for information security, most said 6 – 10 percent. Plans to hire more IT security staff over the course of the year appear flat – yes and no were evenly split at 30 percent. Most respondents – 75 percent – said they have training for security policy in place.
TrainACE conducted this survey from April 1 to May 15, 2014. For a complete copy of the results, click here.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.