Infosec ignorance is not an option for enterprises

The end of a year is always a good time for statistics, not least as they get thrown in the direction of us journalist types like coins at a football match.

Take McAfee, for example, which has revealed, with just a hint of ironic surprise, that 2012 has seen an 'explosion' in cyber crime. Detected mobile malware has almost doubled over the previous quarter's total, and the end of the year has seen an all-time high when it comes to successful database breaches. Although the news that there is more malware comes as no great knee-wobbler, the fact that certain types of malware are back on the agenda (ransomware is on the up, as are AutoRun exploits and password-stealing Trojans) when you might think they were well protected against already should be enough to send a small shiver up the infosec spine.

Could the revival of old hat exploits, running alongside zero-days and socially engineered targeted and persistent attacks, be indicative of something more than just the obvious observation that there's money to be made in cyber crime and during times of recession more folk are prepared to play the risk versus reward game?

According to a survey conducted for Kaspersky Lab, 58 per cent of companies questioned admitted to a lack of resources in both staffing and improving IT security, and half lack knowledge or understanding about the potential security threats facing the enterprise. Even more alarming was the revelation that a third of key IT specialists were simply not aware of any of the most common IT security epidemics that not only targeted the corporate sector but posed a direct threat to their own business.

It seems that 'poor understanding among senior managers of the reasons why IT departments exist' was to blame for the lack of resources for staffing and improving IT security systems, reducing the organisation's ability to cope with security threats, exploits and incidents. Although security problems cannot be rectified just by hiring more staff, the fact that 35 per cent of those asked had insufficient employees trained to deal with IT threats is indicative of the real problem: the lack of understanding of the real danger to the business that IT insecurity poses.

A low level of staff training, and higher than acceptable levels of computer illiteracy among staff that create social engineering opportunities for the bad guys, are obviously areas that need addressing.

Kaspersky Lab states that "teaching staff the basics of IT security should be no less important than installing the latest security software" and it's very hard to argue with that statement. Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, sums it up by saying "IT security staff are not always sufficiently trained and competent to protect businesses from the most pertinent threats. This is why our goal, as a leader in the IT security industry, is not only to produce solutions, but also to raise awareness."

Mr Kaspersky has got it bang on. And he's not the only one. Although it is easy to dismiss the news-led information sites, blogs and releases from security vendors as 'just another marketing opportunity', there is more to it than that. Most of these companies, and the researchers working for them, want to defeat the cyber criminals, and that's just as big a driver as making money; perhaps more so for the white coats on the front line of the battle. Unfortunately, if only journalists and other security researchers are reading what they have to say, then at the end of the day it's a bit of a pointless obsession.

Here's the thing - and it's far from rocket science - IT security is never, ever, someone else's problem. Ultimate ownership of your data security belongs to you and nobody else. Sure, security vendors are forever introducing new defensive technologies, or at least new ways of applying old ones, and the cloud offers perhaps the most interesting and potentially effective example.

The trouble is, the bad guys are moving as fast as, if not faster than, the good guys. New threats are being developed all the time, and worryingly old ones continue to be exploited. Until those in a position within the enterprise to do something about it get to grips with the fact that ignorance is not an option, there's a good chance that we will be reading more of the statistics that this piece started with in the years to come.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.