India's cybersecurity cracks exposed! Are companies doing anything?

A new study has exposed the cracks in cybersecurity defenses that exist for many organisations in India. The ‘Exposing the Cybersecurity Cracks: India’ study, conducted by Ponemon Institute and sponsored by Websense, surveyed 545 IT and IT security practitioners in India with an average of 8 years experience in the field.

The report revealed how better communication and information about cybersecurity, the right investment in skilled personnel and enabling technologies and the adoption of security measures will minimize the risk of current and emerging cyber threats.
[caption id=“attachment_76923” align=“alignleft” width=“380”] Image: Thinkstock[/caption]

The study highlighted that communication roadblocks are barriers to reducing the risk of a cyber attack. About 25 percent of cyber security teams in India never speak with their executive team about cyber security.

APT’s and data exfiltration attacks rank as the top fears for IT security pros, the study highlighted.

“These fears are probably due to concerns that their technology will not protect them. Many would like to see a complete security refresh of their solutions as they feel frequently disappointed with the level of protection their security solutions give them.” In fact, 63 percent say their organisations have been very frequently or frequently disappointed in their security investments.

If they had the resources and opportunity, 37 percent of respondents would do a complete overhaul of their current enterprise security system. Sixty-seven percent say if their organisations had a data breach they would consider changing security vendors.

Encouragingly, almost half (40 percent of respondents) say they are planning on making significant investments and adjustments to their cyber security defenses during the next 12 months.

Security professionals feel the top three events that would compel executive teams to allocate more money to cyber security initiates are: exfiltration of intellectual property (61 percent), loss of revenues because of system downtime (52 percent) and data breach involving customer data (49 percent).

According to the report, 67 percent of respondents say they personally know another security professional whose company had sensitive or confidential data stolen as a result of an insider threat. Sixty-four percent say the data stolen by the insider was customer information and 59 percent say intellectual property was stolen.

Only 32 percent believe their company is investing enough in skilled personnel and technologies to be effective in executing its cyber security objectives or mission. In fact, 45 percent of companies represented in this research do not provide cybersecurity education to their employees.

Forty-five percent of respondents say their organisations have undergone a cyber threat modeling process in their present role. Of those that did, 100 percent found it to be important in terms of managing their cyber risk.

“Very few companies take steps internally to deal with new and emerging threats. When there is awareness about a new cyber threat, the primary response is to reach out to outsiders such as CERT, law enforcement and industry peers. An infrequent response is conducting assessments to determine vulnerability levels (12 percent) or having “fire drills” to determine readiness level (5 percent).”

Can too much hype by security vendors lead to disappointing investments in technology? Fifty-five percent say providers of security solutions hype the threats and risks companies face. Sixty-three percent of respondents say their company very frequently or frequently has purchased a security solution that was a disappointment.

Difficult deployment or user interface and downtime are the top reasons that would trigger a change in security vendors. Sixty-seven percent say a data breach would result in terminating a relationship with a security vendor.

To deal with the challenging and dynamic threat landscape, organisations need to have the intelligence to anticipate, identify and reduce the threats. Security professionals do not believe they are getting the right level of investment to be able to achieve their cyber security objectives and mission. Only 32 percent say their companies invest enough in skilled personnel and technologies to be effective in executing its cybersecurity objectives or mission. Sixty-eight percent of respondents say it is not enough or they are unsure about the level of investment.

The findings of this study expose the cracks in cybersecurity defenses that exist for many organisations. The study provides some recommendations:

-- Eliminate the uncertainty of cyber risks. Invest in technologies that provide visibility and details about high-risk behaviour, attempted attacks and the consequences of a successful on your organisation.

-- Improve access to better threat intelligence and real-time defenses.

-- Deploy an all-encompassing defense strategy that incorporates web and email channels, including SSL/TLS communications. Avoid focusing on just one channel. Rather, examine all the channels used to interact with information.

-- Assess security solution capabilities and deployments against a comprehensive kill chain model to eliminate gaps and minimise excessive overlap. Expand beyond defenses overly dependent upon identifying an attack at only the “malware” delivery stage.
--
Create security education and awareness programs that focus on the seriousness of cyber attacks and the importance of reducing high-risk behaviours.