Almost six in 10 security leaders admit they find it difficult to act on protective insights for their enterprise based on the information provided by their security vendors. A similar percentage also believe the information they are given isn’t relevant to their organisation. These are just two concerning statistics found via Kaspersky research into the communications gap between vendors and enterprises. The resulting negative cycle, with unprotected infrastructure on one side and a lack of progressive insight on the other, highlights the need for a change of approach from both parties.
More than eight in 10 cybersecurity decision-makers – primarily Chief Information Security Officers (CISOs) – agreed that they would like to work with a vendor that demystifies cybersecurity for their organisation. The issue at present is the information being relayed is having the opposite effect – 63% believe messages are too complicated to convey to the rest of their business, while almost 60% believe it would take too much time and resource to even try.
These findings derive from research conducted among more than 240 CISOs, or executives in similar positions, at companies with more than 250 people. The study was complemented by an omnibus survey canvassing 2,000 UK adults of varying seniority to discover the severity of this industry issue, in terms of their own attitudes towards workplace security in the home. The results demonstrate not only the communication challenge that exists, but also the ramifications of that disconnect among enterprise workers.
Among the more alarming statistics generated among UK employees, more than a quarter admit they have bypassed their employer’s security measures to download unauthorised software; 30% have connected to a mobile hotspot to do so; and a similar figure claim to not understand their employer’s security measures at all. Put simply, the notion of threat intelligence has not been effectively passed from vendor to employer to employee.
Clearly there is a messaging disconnect, but decision-makers believe this is triggered at the outset by the vendors themselves. As many as 58% claim this is because the vendors they work with don’t understand the threats they’re facing. The reality seems to be more of a vicious cycle between the two parties, resulting in businesses being left exposed through a lack of tailored defence, and vendors unable to remedy the situation through a lack of tailored insight.
Tinesh Chhaya, Founder of Decipher Cyber-Jenny, echoes this sentiment, saying: “If you’re not in the security industry, like a large share of enterprises globally, it’s very difficult for these organisations to understand. They’ve got a business challenge, to stay cyber secure, but perhaps don’t understand how to go out and look for a solution for that business requirement. There are so many solutions and so many providers that keeping up with that within the industry is difficult; if you are not in the industry it could almost feel impossible.”
The good news is that this cycle can be reversed, although it needs to happen quickly given the transition to remote working this year. Back in March it was already reported that human error caused 90% of cyber data breaches in 2019, and this is likely to be compounded by a workforce being literally left to their own devices in 2020. More than half of cybersecurity leaders admit their businesses are facing an increased level of threat due to remote working, yet almost a third of workers say they feel that their employer’s security protocols are less important when working from home.
Education is required to plug that sizeable knowledge and requirement gap, and the onus starts with building stronger collaboration between vendor and enterprise. This will turn the negative cycle of communication in the opposite direction – towards enhanced engagement, improved communication, better insight and, ultimately, a more comprehensive cybersecurity infrastructure. Steps towards this goal include:
- Enforcing strong passwords, and updating them when required
- For employees working remotely, ensuring they use a corporate VPN
- Regularly carrying out updates on laptops and devices
- Ensuring employees store data in one place – that way, if a system is compromised, data can be retrieved much more easily
- Ensuring important data is encrypted
- Ensuring that data is regularly backed up
- Ensuring that staff apply network encryption and a strong administrator password to their routers, for guaranteed security
- And, for companies that have adopted a BYOD policy, limiting how often staff carry out personal tasks, such as banking or personal email, on work devices
David Emm, principal security researcher at Kaspersky, said: “These results highlight an alarming disconnect between vendors and enterprises, leading to flaws in cyber-defences and a lack of the right technologies being harnessed to ensure strong cybersecurity posture. However, this can be reversed with better communication and understanding of what enterprises require in order to protect their sensitive data, and it is up to the vendor community to drive this change. In the immediacy, amid remote working, keeping valuable assets protected, as well as employee education and empowerment, are of vital importance, alongside protecting all employee devices with comprehensive security software. With many employers ruling out office working in 2021 altogether, businesses can’t afford not to get remote working security right.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.