Thursday, 11 December 2014

Risky Business: Report Reveals Security Shortcomings Among Global Firms

A new study from security vendor Trustwave has highlighted an alarming lack of preparedness on the part of global IT and security professionals which could be exposing them to an increased risk of data breaches.

The vendor interviewed nearly 500 IT professionals located mainly in the US, UK and UAE to compile its 2014 State of Risk report and found security gaps everywhere.

Fewer than half (49%) said they fully encrypt stored data, and the majority of respondents (63%) don’t have a mature way of tracking sensitive data, effectively exposing them to greater risk.

What’s more, 21% don’t have an incident response procedure in place and 20% don’t have a standardized method of reporting incidents, the report found.

More worrying still is the fact that the majority of IT pros interviewed (60%) understand the legal implications of failing to safeguard data but significant numbers are failing to plan for the inevitable.

Some 21% said they never perform awareness training, 23% don’t hold security planning meetings and 24% don’t get their staff to read and sign security policies.

Astonishingly, despite the majority (58%) using third party companies to manage their data, nearly half (48%) have no policies in place to manage those outside providers.

Given this laissez-faire attitude to data protection, it’s perhaps unsurprising that a third of respondents said they have never initiated a risk assessment to locate valuable data and the controls protecting it.

One of the most important responsibilities of an IT security team today is patch management.

Secunia yesterday claimed vulnerabilities this year will see a 40% increase over 2013, and with serious flaws regularly appearing in popular products from the likes of Microsoft, Adobe and Oracle, the need to patch fast has never been greater.

Yet Trustwave found that 58% of firms don’t have a “fully mature” patch management program in place, while 12% don’t have a process in place at all.

Trustwave's vice president of global compliance and risk services, Michael Aminzade, argued the report shows many firms simply don't have a proper understanding of risk.

"If a business does not believe, or even realize, that the sensitive data that they store, process or transmit would ever be subject to theft and subsequent fraud then they have little motivation to devote resources to adequately protect their assets," he told Infosecurity.

The majority of respondents (75%) were SMBs with up to 1,000 employees.

"However, based on what we see in the field, enterprises still struggle with these kinds of security weaknesses as well," added Aminzade. "Any sized business can fall victim to a breach, which is why all firms need to make security a 'business-as-usual' imperative."

Culled from:
Information Security Magazine