Interviews

Cyber incident response report

by Mark Rowe

While IT security threats are imminent, CEOs and other members of the management team are in the dark about potential cyber-attacks against their companies. That is according to a Ponemon Institute report, “Cyber Security Incident Response: Are we as prepared as we think?” The research also suggested that, as a result, Computer Security Incident Response Teams (CSIRTs) often lack the resources necessary to fend off the advanced threats facing organisations.

Commissioned by IT security product firm Lancope, the research surveyed 674 IT and IT security professionals in the UK and United States who are involved in their organisation’s CSIRT activities. The study concludes with key recommendations for organisations looking to improve their incident response process.

Findings from the study include:

· Security incidents are imminent – Sixty-eight percent of respondents say their organisation experienced a security breach or incident in the past 24 months. Forty-six percent say another incident is imminent and could happen within the next six months.

· Management is largely unaware of cyber security threats – Eighty percent of respondents reported that they don’t frequently communicate with executive management about potential cyber-attacks against their organisation.

· Organisations are not measuring the effectiveness of their incident response efforts – Fifty percent of respondents do not have meaningful operational metrics to measure the overall effectiveness of incident response.

· Breaches remain unresolved for an entire month – While most organisations said they could identify a security incident within a matter of hours, it takes an entire month on average to work through the process of incident investigation, service restoration and verification.

· CSIRTs lack adequate investments – Half of all respondents say that less than 10 percent of their security budgets are used for incident response activities, and most say their incident response budgets have not increased in the past 24 months.

· Network audit trails are the most effective tool for incident response – Eighty percent of respondents say that analysis of audit trails from sources like NetFlow and packet captures is the most effective approach for detecting security incidents and breaches. This choice was more popular than intrusion detection systems and anti-virus software.

Dr Larry Ponemon, chairman and founder of the US-based Ponemon Institute, said: “The findings of our research suggest that companies are not always making the right investments in incident response. As a result, they may not be as prepared as they should be to respond to security incidents. One recommendation is for organisations to elevate the importance of incident response and make it a critical component of their overall business strategy.”

Mike Potts, president and CEO of Lancope, said: “If 2013 is any indication, today’s enterprises are ill-equipped to identify and halt sophisticated attacks launched by nation-states, malicious outsiders and determined insiders. Now is the time for C-level executives and IT decision-makers to come together and develop stronger, more comprehensive plans for incident response. This communication is critical if we want to reduce the astounding frequency of high-profile data breaches and damaging corporate losses we are seeing in the media on a near-daily basis.”

In detail

The survey concluded that many IT security incident response teams lack the tools and forensic audit trails that they need to properly investigate incidents. They may not have the staff that they require, or access to consultants who can augment full-time staff in emergencies. They may not have engaged in basic incident planning, such as crafting a PR and analyst relations plan to execute in the event of a breach. They may not be testing their readiness regularly.

It is not all about IT technology: sometimes the computer security incident being responded to is not an attack from outside, but a crime committed by one of the organisation’s own employees. The researchers suggested that the right way to detect and manage these incidents differs significantly from situations that involve remote network compromises. Only 26 percent of respondents indicated that multi-disciplinary insider threat management was in place in their organisation. This is another area that deserves more focus from IT people, the research suggested. Notably, 17 percent of respondents indicated that they did have an insider threat programme, but it was limited to IT and was not coordinated with human resources and the corporate legal department.

All too often, according to the report, the insider threat is viewed as a computer security problem, a set of technical issues to be dealt with by IT. In fact, insider threat is a categorically different problem, the report argued, because in this case the attacker is an employee, and the relationship between the employee and the employer plays a part. Likewise, in the event of a material exposure of customer data, it may be necessary for the organisation to disclose facts about the breach to the public. Those businesses that can credibly and professionally communicate with the public about the nature of the breach and the steps they are taking to address it have the opportunity to make the best of a difficult situation, the report suggested. Less than a quarter (23 percent) of respondents indicated that they have a defined PR and analyst relations plan in place.

For the full report visit the Lancope website.

© 2024 Professional Security Magazine. All rights reserved.