A new study from security vendor Trustwave
has highlighted an alarming lack of preparedness on the part of global
IT and security professionals which could be exposing them to an
increased risk of data breaches.
The vendor interviewed nearly 500 IT professionals located mainly in the US, UK and UAE to compile its 2014 State of Risk report and found security gaps everywhere.
Fewer than half (49%) said they fully encrypt stored data, and the
majority of respondents (63%) don’t have a mature way of tracking
sensitive data, effectively exposing them to greater risk.
What’s more, 21% don’t have an incident response procedure in place
and 20% don’t have a standardized method of reporting incidents, the
report found.
More worrying still is the fact that the majority of IT pros
interviewed (60%) understand the legal implications of failing to
safeguard data but significant numbers are failing to plan for the
inevitable.
Some 21% said they never perform awareness training, 23% don’t hold
security planning meetings and 24% don’t get their staff to read and
sign security policies.
Astonishingly, despite the majority (58%) using third party companies
to manage their data, nearly half (48%) have no policies in place to
manage those outside providers.
Given this laissez-faire attitude to data protection, it’s
perhaps unsurprising that a third of respondents said they have never
initiated a risk assessment to locate valuable data and
the controls protecting it.
One of the most important elements of the IT security team today is patch management.
Secunia yesterday claimed
vulnerabilities this year will see a 40% increase over 2013, and with
serious flaws regularly appearing in popular products from the likes of
Microsoft, Adobe and Oracle the need to patch fast has never been
greater.
Yet Trustwave found that 58% of firms don’t have a “fully mature”
patch management program in place, while 12% don’t have a process in
place at all.
Trustwave's vice president of global compliance and risk services,
Michael Aminzade, argued the report shows many firms simply don't have a
proper understanding of risk.
"If a business does not believe, or even realize, that the sensitive
data that they store, process or transmit would ever be subject to theft
and subsequent fraud then they have little motivation to devote
resources to adequately protect their assets," he told Infosecurity.
The majority of respondents (75%) were SMBs with up to 1,000 employees.
"However, based on what we see in the field, enterprises still
struggle with these kinds of security weaknesses as well," added
Aminzade. "Any sized business can fall victim to a breach, which is why
all firms need to make security a 'business-as-usual' imperative."
Culled from:
Information Security Magazine
No comments:
Post a Comment
What are your thoughts on this post?