
RSA Research: 75% of organisations at risk, says cyber security mindsets must change

15 Jun 2016

Cyber risk statistics are still high, according to RSA's latest survey that shows 75% of respondents have a significant cyber security risk exposure.

This, the research says, is because too many organizations are relying on perimeter-based solutions, while better-equipped organizations use detection and response technologies.

The survey analysed responses from 878 participants in 81 countries and more than 24 industries; respondents also self-assessed their organizations against the NIST Cybersecurity Framework (CSF).

The assessment used a 5-point scale to rate the CSF's five core functions: Identify, Protect, Detect, Respond and Recover. The survey was run by RSA Research, part of RSA, the security division of EMC.

"This second round of cybersecurity research provides tangible evidence that organizations of all sizes, in all industries and from all geographies feel unprepared for the threats they are facing. We need to change the way we are thinking about security, to focus on more than just prevention – to develop a strategy that emphasizes detection and response. Organizations need to set their agendas early, build comprehensive strategies and not wait for a breach to force them into action," says Amit Yoran, president, RSA, The Security Division of EMC.

The survey found that Incident Response (IR) capabilities are underdeveloped, with 45% of all respondents saying IR capabilities are 'ad hoc' or 'non-existent'.

According to RSA, organizations' inability to quantify the risks and potential impacts of threats makes it harder to prioritise mitigation and investment. These two areas are the foundation for building security and risk management protocols.

The survey also showed that organizations are more likely to improve their security after they have experienced a cyber attack that has impacted their business. In addition, many organizations ignore cybersecurity because they do not understand how cyber risks can affect them.

The report found that 65% of organizations that experience frequent incidents are more likely to have developed or advantaged cyber-maturity capabilities. This shows that experience is key to developing maturity, but the report says organizations must focus on prevention more than detection and response.

There was also a small increase in the number of organizations that have mature cybersecurity programmes with advantaged capabilities, from 4.9% to 7.4%.

The survey highlights that critical infrastructure operators such as government and energy providers need to improve their cyber maturity. Only 18% of government and energy providers ranked their organizations as developed or advantaged.

Conversely, defense organizations and air operators reported the highest maturity, with 39% describing themselves as developed or advantaged.

Only 26% of financial service organizations rated themselves as well-prepared for attacks, a decrease of 7%.

Paul Jespersen, vice president of Enterprise Business Development and Emerging Products at Comodo, says phishers are using wide nets to catch as many victims as possible.

"They then use social engineering, public information and social media to send convincing emails from what appears to be a trusted executive, attorney or associated vendor asking for wiring of a reasonable amount of money, so as not to raise red flags. They put in this effort because they know that people are likely to fall for these well-executed schemes if they can be made to believe they are authentic requests," Jespersen says.

“In addition to technology solutions to restrict access, guarantee identity and trust, and protect against malware exploits, it’s critical for business employees to use common sense and stay alerted by their IT departments on the existence of business email scams. Employees can look out for any anomalies in the sender’s email domain, where the cybercriminal will often change one letter—making it difficult to spot the difference. And if employees are unsure of the legitimacy of a transfer request, they should contact IT and confirm verbally or outside of email with that executive or vendor for verification before proceeding. These tips apply to all forms of phishing, spearphishing and cybercrime, and all employees should be reminded of them regularly,” Jespersen concludes.
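As an added illustration of the sender-domain anomaly Jespersen describes (this is example code written for this page, not code from the article or from Comodo), the check below flags From: addresses whose domain is one edit, one transposition, or one confusable character away from a trusted domain. The trusted-domain list and the sample headers are constructed for the example.

```python
import re
from typing import Optional

# Constructed for this example: domains the organisation considers trusted.
TRUSTED_DOMAINS = {"example-corp.com", "vendor-invoices.net"}

# Single-character confusions commonly seen in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def sender_domain(from_header: str) -> Optional[str]:
    """Extract the domain part of a From: header value, lower-cased."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", from_header)
    return m.group(1).lower() if m else None


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' (near a trusted domain) or 'unknown'."""
    domain = sender_domain(from_header)
    if domain is None:
        return "unknown"
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"
    # Normalise digit-for-letter and rn/vv substitutions before comparing.
    norm = domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    for t in trusted:
        if norm == t or damerau_levenshtein(domain, t) <= 1:
            return "lookalike"
    return "unknown"


# Constructed sample headers: one genuine sender per trusted domain plus lookalikes.
SAMPLE_FROM_HEADERS = [
    "CEO <ceo@example-corp.com>",          # trusted
    "CEO <ceo@examp1e-corp.com>",          # lookalike: 1 for l
    "Accounts <ap@exmaple-corp.com>",      # lookalike: swapped letters
    "Billing <billing@vendor-invoice.net>",  # lookalike: dropped letter
    "News <news@unrelated-site.org>",      # unknown
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(f"{classify_sender(header):9s} {header}")
```

A flag of "lookalike" is a prompt for the out-of-band verification step the quote recommends, not proof of fraud, since legitimate partners do register similar names.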
