BreachExchange mailing list archives

Cyberattacks and Security Risk: Why One-Third of Midsize Companies Turn a Blind Eye


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 19 Dec 2013 00:46:24 -0700

http://midsizeinsider.com/en-us/article/cyberattacks-and-security-risk-why-one-

IT security is idealized as a form of certainty. Midsize businesses want
firm assurances that cyber criminals will not slip through open network
windows or crawl under improperly installed firewalls. The reality is that
imperfections remain no matter what defenses are put in place; as a result,
some companies turn a blind eye to IT security risk instead of meeting it
head on.

Internal Revenue Security?

It is no wonder some midsize companies are down in the mouth about IT
security. According to a December 10 article in Accounting Today, even the
Internal Revenue Service (IRS) has information security problems. One year
ago, the Treasury Inspector General for Tax Administration (TIGTA) found
that information security at the IRS was a "material weakness."
Improvements have been made over the last twelve months, and TIGTA's new
report has downgraded the tax service's security risk to "significant
deficiency." A small victory, perhaps, but a step in the right direction.
TIGTA Inspector General J. Russell George noted, "Since the IRS now relies
extensively on its computer systems to carry out the responsibilities of
administering our nation's tax laws, it must ensure that those systems are
effectively secured to protect sensitive financial and taxpayer data."
While the IRS has improved the performance of its e-file system, there
are still data quality problems that put taxpayer information at risk.

The IRS may deal with consumer data at a massive scale, but its challenges
are not significantly different from those of a midsize business.
The shift from perimeter security and on-site server management to
cloud-based defenses and remote access has disrupted IT departments of all
sizes, forcing them to rethink how they look at risk and security. Even so,
recent survey data demonstrates that some companies choose to ignore risk
altogether.

Swing and a Miss

ZDNet reported on a survey conducted by Sophos and the Ponemon Institute
that found that one-third of all midsize companies did not know whether
they had been the victim of a cyberattack in the last year. Among the
security professionals surveyed, those closer to the top of the management
structure — and therefore further removed from security risk — were
uncertain about the nature and severity of threats to their business. This
dovetails with the finding that 58 percent of respondents believe that
management does not see cyberattacks as a "significant risk."

The disconnect may simply be the problem of data volume, as in the case of
the IRS, or it may be that this data points to a larger problem in the IT
sector. The ultimate cause lies somewhere in between, perhaps as a function
of causes and control. IT professionals are hard-pressed to keep up with
the type and number of threats emerging and are often tasked with more
immediate concerns such as managing the influx of personal devices in the
workplace. What is more, cloud services are starting to deliver
application-level defense advanced enough that IT professionals, in
comparison, are not as effective at guarding the front lines as they were
when local stacks ruled the virtual roost.

Turning a blind eye to security risk will not make it go away, but tackling
each threat individually is not something that midsize businesses can
afford to do. To make the most of security resources, IT professionals need
management to recognize the seriousness of intellectual property and
consumer data theft. They must then use budgets effectively to find agile,
intelligent security services.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.