Simply Security - News, Views, and Opinions from Trend Micro

Posted on May 31st, 2012 in Cybercrime, Web Threats by Simply Security | Be the first to comment | Tags: cybercrime, web threats

Cybersecurity risk management programs lack the ability to protect companies.

As the web landscape continues to evolve, it is becoming a necessary resource that companies must harness if they wish to remain competitive and relevant in today's business world. While this evolution is enabling enterprises to become more efficient, the changes are also creating new dangers that decision-makers need to tackle. A new study by RSA, however, found that there is a growing misunderstanding between how the IT threat landscape is connected to risk management.

RSA found that the complexities associated with data security and privacy are creating gaps in boardroom understanding as to how organizations should tackle risk management. This confusion suggests that decision-makers don't realize how vulnerabilities in computer systems and digital data can undermine a number of operations throughout the enterprise.

Although complexities vary across industries, all sectors are failing to assign key data privacy roles within the company, as fewer than two-thirds of respondents have full-time personnel responsible for maintaining data security standards that meet international best practices. These positions include CISOs, CPOs or CSOs who have defined boundaries to their job requirements.

"The increasing criticality of digital resources and the more complex threat landscapes mean senior executives and boards must get better at marrying security functions with corporate operations," RSA president Tom Heiser said.

RSA also revealed that more than half of respondents are not analyzing cyberthreat management programs or undertaking important activities that help manage reputational and financial risks associated with data breaches. While this is a global trend, some industries are even less proactive in their attempt to deter web threats from severely damaging companies.

Energy and telecom boards, in particular, are not taking the appropriate measures to insure cyber-related assets. RSA found that 79 percent of utilities and 77 percent of IT and telecom firms around the world are not reviewing web insurance, while only 52 percent and 44 percent of financial and industrial sectors, respectively, are not.

These trends also vary by region. More than three-quarters of Asian businesses are likely to have risk management boards responsible for data protection, while only 40 percent of North American and 38 percent of European companies have delegated officials in charge of maintaining cybersecurity.

A separate report by professional services firm Deloitte noted that the cyberthreat landscape has evolved into an increasingly complex and sophisticated criminal society with attacks capable of crippling entire companies, regions and customer profiles. There is now an entire underground economy where hacktivists, cybercriminals and other malicious groups can steal, package and resell volumes of sensitive information.

"Cybercriminals today are sophisticated; they are getting inside corporate systems and stealing confidential and proprietary data," Carnegie Mellon CyLab global risk CEO Jody Westby said. "It is imperative that boards and executives take appropriate governance steps to protect their organization's computer systems and information."

Westby recommends enterprises leverage monitoring tools that permit greater visibility into the network, as well as acquire cybersecurity expertise by hiring individuals trained in how to safeguard information from sophisticated attacks.

Additionally, Deloitte says the advent of mobility and increasingly common deployment of BYOD (bring your own device) initiatives are creating even more potential for vulnerabilities to crop up. By leveraging mobile device management tools, businesses may be able to improve weaknesses that would otherwise be present in mobile strategies. These solutions help IT departments limit access to sensitive information and grant unique insight into which platforms may be corrupted by malware and other malicious appliances.

A report by CIO Forum noted that BYOD is one of the top risks for companies today. Regardless of industry, these initiatives seem to be appearing in businesses all over the world as the consumerization of IT continues to permeate the enterprise. As a result of the influx of smartphones and tablets, mobile risks have been increasing exponentially, as employees will often circumvent IT to leverage personal gadgets in the office.

According to the Ponemon Institute, nearly 60 percent of businesses said that workers have disregarded mobile security protocol. As a result, more than half of organizations experienced data loss within the past year because of insecure mobile platforms.

By creating positions specifically designed for cybersecurity, such as CISOs or CPOs, businesses will likely be able to safeguard digital information more effectively and potentially set up better defenses against malicious organizations. A study by Biz9 found that nearly two-thirds of firms believe they will fall victim to an attack by cybercriminals or another outside party like Anonymous within the next six months.

"Boards that fail to step up their cyber risk management are placing their organizations at risk and could be breaching their fiduciary duty to protect the assets of the corporation, which includes digital assets," Westby asserted.

Data Security News from SimplySecurity.com by Trend Micro