BreachExchange mailing list archives
Cyberattacks and Security Risk: Why One-Third of Midsize Companies Turn a Blind Eye
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 19 Dec 2013 00:46:24 -0700
http://midsizeinsider.com/en-us/article/cyberattacks-and-security-risk-why-one-

IT security is idealized as a form of certainty. Midsize businesses want firm assurances that cyber criminals will not slip through open network windows or crawl under improperly installed firewalls. The reality is that imperfections remain no matter what defenses are put in place; as a result, some companies turn a blind eye to IT security risk instead of meeting it head on.

Internal Revenue Security?

It is no wonder some midsize companies are down in the mouth about IT security. According to a December 10 article in Accounting Today, even the Internal Revenue Service (IRS) has information security problems. One year ago, the Treasury Inspector General for Tax Administration (TIGTA) found that information security at the IRS was a "material weakness." Improvements have been made over the last twelve months, and TIGTA's new report has downgraded the tax service's security risk to "significant deficiency." A small victory, perhaps, but a step in the right direction.

TIGTA Inspector General J. Russell George noted, "Since the IRS now relies extensively on its computer systems to carry out the responsibilities of administering our nation's tax laws, it must ensure that those systems are effectively secured to protect sensitive financial and taxpayer data." While the IRS has improved the performance of their e-file system, there are still data quality problems that put taxpayer information at risk.

The IRS may deal with consumer data at a massive scale, but its challenges are not significantly different from those of a midsize business. Conversion from perimeter security and on-site server regulation to cloud-based defenses and remote access has disrupted IT departments of all sizes, forcing them to rethink how they look at risk and security. Even so, recent survey data demonstrates that some companies choose to ignore risk altogether.

Swing and a Miss

ZDNet reported on a survey conducted by Sophos and the Ponemon Institute that found that one-third of all midsize companies did not know whether they had been the victim of a cyberattack in the last year. Among the security professionals surveyed, those closer to the top of the management structure — and therefore further removed from security risk — were uncertain about the nature and severity of threats to their business. This dovetails with the finding that 58 percent of respondents believe that management does not see cyberattacks as a "significant risk."

The disconnect may simply be the problem of data volume, as in the case of the IRS, or it may be that this data points to a larger problem in the IT sector. The ultimate cause lies somewhere in between, perhaps as a function of causes and control. IT professionals are hard-pressed to keep up with the type and number of threats emerging and are often tasked with more immediate concerns such as managing the influx of personal devices in the workplace. What is more, cloud services are starting to deliver application-level defense advanced enough that IT professionals, in comparison, are not as effective at guarding the front lines as they were when local stacks ruled the virtual roost.

Turning a blind eye to security risk will not make it go away, but tackling each threat individually is not something that midsize businesses can afford to do. To make the most of security resources, IT professionals need management to recognize the seriousness of intellectual property and consumer data theft. They must then use budgets effectively to find agile, intelligent security services.