Companies Still Gambling with Security

Friday, October 2, 2015 @ 03:10 PM gHale

Security professionals know cyber security drills are a good way to prepare for any kind of onslaught, but companies rarely run these drills, a new survey found.

The survey, conducted by Lieberman Software Corporation at the Black Hat Conference 2015 in Las Vegas this past August, looked at the attitudes of nearly 150 IT security professionals. In the survey, 92 percent of IT security professionals said cyber security drills are a good way to prepare, but 63 percent admitted their organizations never run such drills, or only do so annually.

It also revealed only 11 percent of organizations carry out cyber security drills quarterly, while 26 percent conduct them every six months.

“What concerns me most about this survey is that the majority of IT security professionals fully understand the benefits of running cyber security drills, but only a small percentage actually put these drills into practice,” said Philip Lieberman, chief executive of Lieberman Software.

“In today’s threat landscape, organizations are attacked continuously,” he said. “With this in mind, you would think companies would be doing everything they can to limit the damage of potential cyber attacks. However, our study reveals this clearly isn’t the case. And IT teams are fully aware of the consequences.”

The survey also revealed IT professionals often warn their superiors about pending security disasters, but think that executive management fails to take action. When asked about the obstacles they face trying to convince management to proactively deal with cyber threats, the responses were:
• 11 percent said they couldn’t find a way to give IT a place in the corporate board room
• 10 percent said they couldn’t find budget to rectify the situation
• 12 percent said they couldn’t convince management to understand the severity of cyber threats
• 45 percent said all of the above

“IT security is a companywide issue. Any CEO or corporate board who does not realize this will have a nasty shock when their company is attacked, their share price plummets and they lose customers,” Lieberman said. “Corporate boards should learn about the cyber threats targeting their companies, and should have a good understanding of the company’s IT security posture.

“Executive management should assume that intruders are already inside their networks,” Lieberman said. “They should ensure that their organizations can contain cyber attacks by securing privileged access, and by removing shared and long-lived credentials that intruders exploit to move around the network. This will mitigate damage and protect the company’s reputation when a cyber attack does occur.”
