Five years after September 11, 2001, 85 percent of IT executives feel that U.S. government agencies are not prepared for cyberterrorism attacks. Yet, 86 percent believe their own organizations are prepared to defend against cyberterrorism, according to a survey from nCircle.
Analysts are skeptical about what they see as inflated affirmative responses, especially in light of the security breaches and hacker attacks that make headlines nearly every day. Indeed, even consumers agree that companies are not prepared. More than 2 million consumers report losing money as a direct result of phishing attacks, according to Gartner.
“Organizations are doing a much better job, but there is a long way to go. To feel so confident about readiness for cyberterrorism is a little unrealistic. We’ve seen 120 data breaches in the last three and a half months that have compromised personal information. It happens to some of the largest companies out there,” nCircle CEO Abe Kleinfeld told TechNewsWorld.
More Disbelief
Most enterprises are not prepared for cyberterrorism, Michael Sutton, a security evangelist for SPI Dynamics, agreed. He backed up his opinion by pointing to the number of known vulnerabilities that remain unpatched for months at a time.
“Look no further than statistics from antivirus vendors detailing the spread of worms and viruses. The vast majority of malcode takes advantage of known vulnerabilities for which patches are available. Why does malcode continue to successfully propagate? It succeeds because systems are not patched in a timely fashion,” Sutton told TechNewsWorld.
With the advent of complex Web applications, every company with a custom Web app is now a software shop, and Web application developers are not security experts. Unless these development shops have baked security into their software development lifecycle, they run the risk of creating a gaping hole into their corporate network.
The Risk Scoring System
nCircle’s Kleinfeld does not believe organizations can truly be prepared for an attack without an objective risk scoring system. Most companies that sell security products, he contended, have focused on reacting to security attacks rather than measuring the overall security of an organization and prioritizing its security activities accordingly.
“Companies need to measure, manage and reduce their information security risk,” Kleinfeld said. “You want to ensure that the most important risks are addressed up front. We don’t have a consistent rating system, so it’s all pure guesswork as to how enterprises are performing when it comes to security.”
There is already a standardized scoring system for security vulnerabilities that is gaining traction: the Common Vulnerability Scoring System (CVSS). Sutton, for one, feels that CVSS has done a solid job of producing a system that objectively evaluates vulnerability severity while still accommodating enterprise-specific risks.
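The CVSS property Sutton describes, one objective base score per vulnerability plus an environmental adjustment for how much a given organization depends on the affected asset, can be seen in the scoring arithmetic itself. The following is an added example, not code from the article, nCircle or SPI Dynamics; it implements the published CVSS version 2 base and environmental formulas (the article does not name a CVSS version) and uses a constructed list of findings to show how the same vulnerability ranks differently on two systems.

```python
"""CVSS v2 base and environmental scoring, used to rank patch work.

Metric weights are those published in the CVSS v2 guide. Temporal metrics
are treated as "not defined" (multiplier 1.0) to keep the example short.
"""
import math

AV = {"L": 0.395, "A": 0.646, "N": 1.0}          # access vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}            # access complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}           # authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}          # C/I/A impact
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}  # CR/IR/AR requirement
CDP = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}
TD = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}  # target distribution


def _round1(x):
    """Round half up to one decimal, as the CVSS guide specifies."""
    return math.floor(x * 10 + 0.5) / 10


def parse_vector(vec):
    """'AV:N/AC:L/Au:N/C:N/I:N/A:C' -> {'AV': 'N', 'AC': 'L', ...}"""
    return dict(part.split(":") for part in vec.split("/"))


def _score(impact, m):
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def base_score(vec):
    """Objective severity, independent of who runs the affected system."""
    m = parse_vector(vec)
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    return _score(impact, m)


def environmental_score(vec, cr="ND", ir="ND", ar="ND", cdp="ND", td="ND"):
    """Same vulnerability, re-weighted by this organization's requirements."""
    m = parse_vector(vec)
    adj = 10.41 * (1 - (1 - CIA[m["C"]] * REQ[cr]) * (1 - CIA[m["I"]] * REQ[ir])
                   * (1 - CIA[m["A"]] * REQ[ar]))
    adj_base = _score(min(10.0, adj), m)
    return _round1((adj_base + (10 - adj_base) * CDP[cdp]) * TD[td])


def prioritize(findings):
    """findings: [(name, vector, env_kwargs)] -> names, highest env score first."""
    scored = [(environmental_score(v, **env), n) for n, v, env in findings]
    return [n for _, n in sorted(scored, reverse=True)]
```

With a constructed pair of findings, a remote denial-of-service bug on a public, availability-critical server outranks a code-execution bug confined to a few low-value hosts, which is the kind of ordering a patch queue should follow.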
While there is no de facto scoring system for overall enterprise risk, there is no shortage of compliance documents and best-practice frameworks to choose from when determining what to measure. IT managers can take their pick from among COBIT, ISO/IEC 27001, SOX, GLB, Basel II, HIPAA and others.
Mitigating the Risks
“I don’t feel that the solution lies in producing yet another standard,” Sutton argued. “It is the responsibility of the companies themselves to measure their exposure to risk and ensure that risks are appropriately mitigated. Producing standards does nothing to prevent risk if those standards are not appropriately applied.”
Mitigating the risk requires much more than firewalls and antivirus software, he said. Those are just tools to assist with risk mitigation — not surefire solutions. Mitigating risk requires looking at the three pillars of IT — people, processes and technology — in combination.
“Throwing up a firewall does nothing if it doesn’t have adequate rules and no one is responsible for managing the technology,” Sutton noted. “Likewise, putting a policy in an employee manual is a waste of time if you don’t also educate employees and apply controls to ensure that the rules are adhered to.”