According to several IoT industry analysts, IT security professionals are not confident that they can prevent cyber-attacks on the Internet of Things. Not only do companies still need to get their data security houses in order, the market for data security products is frustratingly being described by one analyst firm as “immature”. Jeremy Cowan reports.
Once the stuff of fiction, the risk of harm to people, businesses and national critical infrastructure from an attack on cyber-physical systems through the IoT is growing (See: Concerns grow that IoT is not secure in long term as Beecham report urges industry to protect end users). According to the global consulting firm Protiviti, cyber security threats are an increasingly common phenomenon, and its report, the 2014 IT Security and Privacy Survey, also suggests that businesses are struggling to manage their IT securely.
Ryan Rubin, managing director of Protiviti and UK leader of the firm’s IT security and privacy practice, said: “Our survey results tell a story of gaps between where companies currently stand and where they should be in relation to fundamental elements of IT security. Some progress has been made since our last survey, yet many organisations still fall short of important standard protocols for IT security and privacy. Companies need to take more action in relation to the risks they recognise to better protect their crucial data.”
The survey’s results are linked to five major themes that suggest companies still need to make further improvements to their IT security and privacy practices.
- Organisations lack high confidence in their ability to prevent a cyber-attack or data breach. While executive management has a higher level of awareness when it comes to the organisation’s information security exposures, lower confidence levels among IT executives and professionals in preventing an attack or breach likely speak to the creativity of cyber-attackers and the inevitability of a breach – and the need for strong incident response planning and execution.
- Companies are not preparing properly for crisis scenarios. Worryingly, there is a significant year-on-year jump in the number of organisations without a formal and documented crisis response plan to execute in the event of a data breach or cyber-attack.
- There is a correlation between board engagement and stronger IT security profiles. Nearly three out of four boards have a good level of understanding about their organisation’s information security risks, according to survey results. Boards that are concerned with how their business is addressing its risks have significantly stronger IT security profiles. On the other hand, one in five boards appears to have a low level of engagement in how the company is addressing information security risks. “With greater market sensitivity to information security issues as well as a rise in associated legal requirements, we would expect board interest to be even higher in most organisations,” said Rubin.
- Companies do not have proper ‘core’ data policies. One in three companies does not have a written information security policy (WISP). More than 40% of firms lack a data encryption policy. One in four does not have acceptable use or record retention / destruction policies. These are critical gaps in data governance and management, and they carry considerable legal implications.
- Not all data is equal. The percentage of organisations that retain all their data and records has more than doubled, which is not necessarily a positive development. In addition, a relatively large number of organisations do not prioritise data that is processed and governed with a data classification schema. Even fewer companies appear to prioritise data that is highly regulated, including mobile payment and PCI (payment card industry) data and mHealth-related information.
Are CxOs taking responsibility?
It’s a relief to see, however, that the Protiviti survey shows CIOs and CSOs are more engaged in taking on the primary responsibility for security policies than in the past. Companies are also becoming more aware of their data lifecycle – where and how long their data is stored. (www.protiviti.com/ITsecuritysurvey)
One more sobering thought: the survey showed that – despite news stories and industry conjecture to the contrary – only a small number of organisations are moving their sensitive data into the cloud.
Cyber-security – Late or just in time?
The need for cyber-security tools and expertise may be greater than ever, but the market for industrial cybersecurity products remains extremely immature. Analysts at IHS report that there are approximately 160 industrial cybersecurity system vendors worldwide, offering a wide variety of hardware, software and services.
In contrast to other sectors of industrial automation, no one vendor dominates; and those with the highest market share typically specialise in a particular region, industry sector or technology. Toby Colquhoun, senior analyst at IHS Inc, believes there will be a “shakeout” and the market will attract some new entrants, but this will be largely offset by companies choosing to exit the business and by acquisition-driven consolidation.
Colquhoun says, “A quiet revolution is already occurring in an industry more used to incremental improvement. Vendors of control systems have united around IEC 62443 (the international version of ISA-99) which, when finalised, will describe how to secure control system assets throughout their lifecycle (including development). Whereas security was an afterthought in earlier generations of control system, asset owners have pushed suppliers to restructure their products to implement security features which provide some inherent levels of protection. Only parts of the IEC 62443 standard have so far been released; but once the standard and certification services are available, all tier 1 vendors are expected soon to offer an IEC 62443 product.”
Where I differ from IHS is in their belief that legislation on industrial cybersecurity is unlikely. As Colquhoun says, cybersecurity legislation governing the North American power industry (NERC-CIP) “shows that it is possible to spend a lot of money without improving security.” (See: ‘We’re 9 meals from anarchy’: Take the cybersecurity threat to IoT seriously.) Although essentially an optimist, I can’t help believing that it’s not a question of IF but WHEN there’s a cyber-attack on a water or energy utility, food retailer or their logistics chain. In this scenario, legislation will hurriedly and belatedly follow a successful attack as surely as night follows day.
New laws? We don’t comply with the old ones!
Cyber security company Sophos, based in Oxford, UK, today announced the results of its research highlighting attitudes among end users towards security and data protection across Europe. The research, conducted by Vanson Bourne, reveals that 84% of respondents agree Europe needs stronger data protection laws, but 77% are not confident their organisation complies with current regulations.
Of the 1,500 professional consumer and office workers surveyed across the UK, France and Germany, the majority confirmed that they were concerned about both their personal data (79%) and their corporate data (65%). However, almost half (49%) said their organisation either did not have a data protection policy in place or had not communicated this to its employees.
Follow this and other stories on Twitter: @jcm2m and @jcvplus