
RSA Research: 75% of organisations at risk, says cyber security mindsets must change

15 Jun 2016

Cyber risk exposure remains high, according to RSA's latest survey, in which 75% of respondents report a significant cyber security risk exposure.

This, the research says, is because too many organizations are relying on perimeter-based solutions, while better-equipped organizations use detection and response technologies.

The survey analysed responses from 878 respondents in 81 countries and more than 24 industries; respondents also self-assessed their organizations against the NIST Cybersecurity Framework (CSF).

The CSF assessment used a 5-point scale to rate five functions: identification, protection, detection, response and recovery. The survey was run by RSA Research, part of RSA, the Security Division of EMC.

"This second round of cybersecurity research provides tangible evidence that organizations of all sizes, in all industries and from all geographies feel unprepared for the threats they are facing. We need to change the way we are thinking about security, to focus on more than just prevention – to develop a strategy that emphasizes detection and response. Organizations need to set their agendas early, build comprehensive strategies and not wait for a breach to force them into action," says Amit Yoran, president, RSA, The Security Division of EMC.

The survey found that Incident Response (IR) capabilities are underdeveloped, with 45% of all respondents saying IR capabilities are 'ad hoc' or 'non-existent'.

According to RSA, organizations' inability to quantify the risks and potential impacts of threats makes it harder to prioritise mitigation and investment. These two areas are the foundation for building security and risk management protocols.

The survey also showed that organizations are more likely to improve their security after they have experienced a cyber attack that has impacted their business. In addition, many organizations ignore cybersecurity because they do not understand how cyber risks can affect them.

The report confirmed that 65% of organizations that experience frequent incidents are more likely to have developed or advantaged cyber maturity capabilities. It demonstrates that experience is key to developing maturity, but the report says organizations must focus on prevention more than detection and response.

There was also a small increase in the number of organizations that have mature cybersecurity programmes with advantaged capabilities, from 4.9% to 7.4%.

The survey highlights that critical infrastructure operators such as government and energy providers need to improve their cyber maturity. Only 18% of government and energy providers ranked their organizations as developed or advantaged.

Conversely, defense organizations and air operators reported the highest maturity, with 39% describing themselves as developed or advantaged.

Only 26% of financial service organizations rated themselves as well-prepared for attacks, a decrease of 7%.

Paul Jespersen, vice president of Enterprise Business Development and Emerging Products at Comodo, says phishers are using wide nets to catch as many victims as possible.

“They then use social engineering, public information and social media to send convincing emails from what appears to be a trusted executive, attorney or associated vendor asking for wiring of a reasonable amount of money, so as not to raise red flags. They put in this effort because they know that people are likely to fall for these well-executed schemes if they can be made to believe they are authentic requests,” Jespersen says.

“In addition to technology solutions to restrict access, guarantee identity and trust, and protect against malware exploits, it’s critical for business employees to use common sense and to be kept alert by their IT departments to the existence of business email scams. Employees can look out for any anomalies in the sender’s email domain, where the cybercriminal will often change one letter—making it difficult to spot the difference. And if employees are unsure of the legitimacy of a transfer request, they should contact IT and confirm verbally or outside of email with that executive or vendor for verification before proceeding. These tips apply to all forms of phishing, spearphishing and cybercrime, and all employees should be reminded of them regularly,” Jespersen concludes.
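The one-letter domain change Jespersen describes is something a mail gateway or SIEM rule can flag automatically rather than leaving it to the reader's eye. The following is an added example, not code from the article, RSA or Comodo: it compares the domain of a sender address against an allow-list of trusted domains and reports a "lookalike" when the domain is not on the list but is within one edit (substitution, insertion, deletion or adjacent transposition) of a trusted domain after folding common look-alike characters such as `1`/`l` and `rn`/`m`. The trusted domains, sender addresses and the homoglyph table are constructed for the demonstration and are assumptions, not values from the page.

```python
"""Flag sender domains that look like, but are not, a trusted domain.

Added example (not from the article, RSA or Comodo). The allow-list,
sample senders and the homoglyph table below are constructed for the demo.
"""
from __future__ import annotations

# Character pairs that look alike in many fonts and are therefore used in
# lookalike domains; each is folded to one canonical form before comparing.
# Constructed list; extend it with whatever your own mail stream shows.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def fold_homoglyphs(label: str) -> str:
    """Normalise look-alike characters so 'examp1e' and 'exarnple' fold to 'example'."""
    out = label.lower()
    for src, dst in HOMOGLYPHS.items():
        out = out.replace(src, dst)
    return out


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: substitutions, insertions, deletions
    and adjacent transpositions each count as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def sender_domain(address: str) -> str:
    """Extract the lower-cased domain from 'Name <user@domain>' or 'user@domain'."""
    addr = address.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rfind("<") + 1:-1]
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def classify_sender(address: str, trusted: list[str], max_edits: int = 1) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the sender's domain.

    'lookalike' means the domain is not on the allow-list but is within
    max_edits of a trusted domain after homoglyph folding, i.e. the kind of
    one-letter change the quote above warns about.
    """
    domain = sender_domain(address)
    if not domain:
        return "unknown"
    trusted_lc = [t.lower() for t in trusted]
    if domain in trusted_lc:
        return "trusted"
    folded = fold_homoglyphs(domain)
    for t in trusted_lc:
        # A genuine subdomain of a trusted domain is treated as trusted;
        # 'example.com.evil.test' does not end with '.example.com' and is not.
        if domain.endswith("." + t):
            return "trusted"
        if edit_distance(folded, fold_homoglyphs(t)) <= max_edits:
            return "lookalike"
    return "unknown"


def scan_senders(addresses: list[str], trusted: list[str]) -> dict[str, str]:
    """Classify a batch of From: addresses, e.g. pulled from a mail log."""
    return {a: classify_sender(a, trusted) for a in addresses}


if __name__ == "__main__":
    # Constructed allow-list and sample senders; none are real organisations.
    allow = ["example.com", "vendor.test"]
    samples = [
        "CFO <cfo@example.com>",          # genuine
        "CFO <cfo@examp1e.com>",          # digit one for letter l
        "ap@exarnple.com",                # 'rn' for 'm'
        "ap@exampel.com",                 # transposed letters
        "billing@invoices.vendor.test",   # subdomain of a trusted domain
        "news@unrelated-newsletter.test", # unrelated, not a lookalike
    ]
    for addr, verdict in scan_senders(samples, allow).items():
        print(f"{verdict:9}  {addr}")
```

In a real deployment the allow-list would be the organisation's own domains plus those of the executives' and vendors' mail systems, and a "lookalike" verdict would feed a quarantine or banner rule rather than a print statement; the character table is deliberately small so that folding never makes two legitimately distinct domains collide.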
