Categories

Editor's Choice
Tech Jobs Network
News & Events
Access Control & Identity Management
AI & Data Analytics
Asset Management
Associations
Conferences & Events
Facilities & Building Management
Fire & Safety
Information Security
Infrastructure
Integrated Solutions
IoT & Automation
Perimeter Security, Alarms & Intruder Detection
Power Management
Products & Solutions
Security Services & Risk Management
Smart Home Automation 
Surveillance
Training & Education
Videos
Security by Industry Sector ▾








Print this page printer friendly version

Security perception vs reality

June 2012 Information Security

McAfee has announced the State of Security report showing how IT decision makers view the challenges of securing information assets in a highly regulated and increasingly complex global business environment. It also reveals companies’ IT security priorities around processes, practices and technology for 2012.

As the corporate data environment expands, effective information security is possible only by creating a Strategic Security Plan (SSP) which incorporates a comprehensive threat analysis and an in-depth layered security risk mitigation approach. The survey looked to identify some of the key trends facing enterprises in developing their SSPs.

Security maturity

The survey respondents categorised themselves into various states of security maturity. These categorisations help to understand the mindset of the companies as they view enterprise information security. The terms below are used to describe the level of security maturity of participating organisations:

Reactive – uses an ad hoc approach to defining security processes and is event driven. 9% of the surveyed companies claim to be at this stage.

Compliant – has some policies in place, but has no real standardisation across security policies. The organisation adheres to some security standards or the minimum required. 32% of the surveyed companies claim to be at this stage.

Proactive – follows standardised policies, has centralised governance and has a degree of integration across some security solutions. 43% of the surveyed companies claim to be at this stage.

Optimised – follows security industry best practices and maintains strict adherence to corporate policy. The organisation utilises automated security solutions which are highly integrated across the enterprise. 16% of the surveyed companies claim to be at this stage.

“Every organisation needs to take a layered approach to security, utilising both processes and solutions designed to prevent compromise. Complicating the challenge of managing risk and securing data is the fact that ‘the enterprise’ now extends far beyond office walls and perimeter firewalls,” says Jill Kyte, vice president at McAfee. “Companies are giving network access to business partners and contract workers, and in some cases, even to customers. Workers access the enterprise network remotely using mobile devices, many of which are personally owned.

“Moreover, data and applications are being moved into public and hybrid cloud environments where the data owners have little direct control over security and all of this requires a business to have a strategic security plan.”

Key findings

* Organisations are confident about identifying the most critical threats to their environments and knowing where their critical data resides. However, most companies are not confident about quantifying the potential financial impact of a breach, should one occur.

* Organisational awareness and protection against information security risks is very important. However, one-third of the ‘Optimised’ companies are uncertain about their IT security posture in terms of awareness and protection. Despite having formal strategic plans, 34% of the companies believe they are not adequately protected against information security risks which could impact their business.

* A majority of the respondents say that as they develop strategic security plans, they include consideration of potential threats and the associated risk to business, and financial analysis. Yet, four out of five of the companies experienced a significant security incident in the past 12 months.

* Almost a third of organisations surveyed have either not purchased or not yet implemented many of the next generation security technologies that are designed to address current-day threats. Despite more than 80% of the organisations identify malware, spyware and viruses as major security threats.

* Two out of every five organisations have either an informal or ad hoc plan or no security strategic plan in place. The size of the organisation matters when it comes to having a formal SSP.

* Six of every 10 large enterprises have a formal SSP, two out of every three mid-size enterprises has a formal SSP, while this ratio dips to only one in two small enterprises.

* Organisations in North America and Germany are more likely to have a formal SSP than those in other regions of the world. This may be attributed to the regulatory environments in those countries.

* Top priorities for 2012 include implementing stronger controls to protect sensitive data and ensuring business continuity. The lowest priority is to reduce capital and operating expenditures for security infrastructure, which indicates that organisations are willing to spend on the right kind of security solutions.

Conclusions

While organisations are working on their strategic security plans and putting in their best efforts toward protecting business systems and critical data, there is much room for improvement all the way around.

Step up to a higher security maturity level. Only 16% of the survey respondents classify their organisations as being at the ‘Optimised’ level. Worse, however, is the fact that 9% of the organisations are ‘Reactive’ in their approach to IT security.

Executive involvement is crucial. While IT and security personnel may take the lead in developing the plan, it is important to have insight from those who best understand the business systems and the data they use. Moreover, executive involvement is critical to set the tone for the importance of security throughout the organisation.

Test early, test often, and make adjustments as needed. What good is a plan if it is developed and put on a shelf? If it is never tested? Unfortunately, the survey learned that 29% of ‘Compliant’ companies never test how they would respond to an incident. What is more, the fact that 79% of the surveyed companies had security incidents in the past year indicates that there are gaps in the security plans that must be addressed.

Use budget allocations wisely. Though every manager would like to have a bigger budget to be able to apply more safeguards, the ‘Optimised’ companies have found ways to reach the highest level of performance with the same level of funding (percentage-wise) as the companies who are less prudent with their budgets.

Use the right tools for the current threats. The survey shows that 45% of the companies have not deployed the next generation firewalls. Mobile security is another area that should not be ignored, yet 25% of the organisations have not purchased any tools for this purpose.

Focus on protecting the lifeblood of the company – the sensitive corporate data. The top priorities for 2012 include implementing stronger controls to protect sensitive data and ensuring business continuity. Additional high priority activities are all meant to improve each organisation’s overall security posture. This is encouraging because without timely recognition and mitigation of security threats, an organisation may be the next news headline – and nobody wants that dubious distinction.

For more information contact McAfee, +27 (0)11 707 5500, [email protected]





Share this article:
Share via emailShare via LinkedInPrint this page


Further reading:

A strong cybersecurity foundation
Milestone Systems Information Security
The data collected by cameras, connected sensors, and video management software can make a VMS an attractive target for malicious actors; therefore, being aware of the risks of an insecure video surveillance system and how to mitigate these are critical skills.

Read more...
Surveillance and cybersecurity
Cathexis Technologies Information Security
Whether your business runs a security system with a handful of cameras or it is an enterprise company with thousands of cameras monitoring sites across a multinational organisation, you must pay attention to cybersecurity.

Read more...
Cybersecurity and AI
AI & Data Analytics Information Security
Cybersecurity is one of the primary reasons that detecting the commonalities and threats of what is otherwise completely unknown is possible with tools such as SIEM and endpoint protection platforms.

Read more...
What are MFA fatigue attacks, and how can they be prevented?
Information Security
Multifactor authentication is a security measure that requires users to provide a second form of verification before they can log into a corporate network. It has long been considered essential for keeping fraudsters out. However, cybercriminals have been discovering clever ways to bypass it.

Read more...
SA's cybersecurity risks to watch
Information Security
The persistent myth is that cybercrime only targets the biggest companies and economies, but cybercriminals are not bound by geography, and rapidly digitising economies lure them in large numbers.

Read more...
Cyber insurance a key component in cyber defence strategies
Information Security
[Sponsored] Cyber insurance has become a key part of South African organisations’ risk reduction strategies, driven by the need for additional financial protection and contingency plans in the event of a cyber incident.

Read more...
Deception technology crucial to unmasking data theft
Information Security Security Services & Risk Management
The ‘silent theft’ of data is an increasingly prevalent cyber threat to businesses, driving the ongoing leakage of personal information in the public domain through undetected attacks that cannot even be policed by data privacy legislation.

Read more...
Data security and privacy in global mobility
Security Services & Risk Management Information Security
Data security and privacy in today’s interconnected world is of paramount importance. In the realm of global mobility, where individuals and organisations traverse borders for various reasons, safeguarding sensitive information becomes an even more critical imperative.

Read more...
Sophos celebrates partners and cybersecurity innovation at annual conference
News & Events Information Security
[Sponsored] Sun City hosted Sophos' annual partner event this year, which took place from 12 to 14 March. Sophos’ South African cybersecurity distributors and resellers gathered for an engaging two-day conference.

Read more...
The CIPC hack has potentially serious consequences
Editor's Choice Information Security
A cyber breach at the South African Companies and Intellectual Property Commission (CIPC) has put millions of companies at risk. The organisation holds a vast database of registration details, including sensitive data like ID numbers, addresses, and contact information.

Read more...











SMART Security Business Directory



Published by Technews

»  Dataweek Electronics & Communications Technology
»  Electronics Buyers' Guide (EBG)

»  SMART Security Solutions
»  SMART Security Business Directory

»  Motion Control in Southern Africa
»  Motion Control Buyers' Guide (MCBG)

»  South African Instrumentation & Control
»  South African Instrumentation & Control Buyers' Guide (IBG)



© Technews Publishing (Pty) Ltd. | All Rights Reserved.