BreachExchange mailing list archives

The ‘Uncertainty Index’
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 3 Jan 2014 19:57:41 -0700

http://www.cnmeonline.com/blog/the-uncertainty-index/

The potential business impact of cyber attacks and data loss, along with
high-profile data breaches experienced by organisations like LexisNexis
and Evernote, seems to have done little to convince small and mid-size
businesses that they should be making cyber security a priority.

Recently, the Ponemon Institute and Sophos released a study, Risk of an
Uncertain Security Strategy, which reveals that security is not a key
priority for many SMBs because management and IT functions are uncertain
about their organisation’s security strategy and the threats they face.

Uncertainty about how these issues impact an organisation’s security
posture could lead to making sub-optimal decisions about a security
strategy. It also makes it difficult to communicate the business case for
investing in the necessary expertise and technologies.

Based on responses to 12 survey questions, Ponemon created an “Uncertainty
Index”, a score that measures where the highest uncertainty exists. The
index ranges from 10 (greatest uncertainty) to one (no uncertainty).

So what can SMBs learn from this index?

- With a score of 5.9, U.S. organisations have the highest uncertainty
index, followed closely by the UK (5.0). Organisations in Asia-Pacific
scored 4.8, while SMBs in Germany seem to have the best understanding of
their security risks with an uncertainty score of 3.8.
- Smaller organisations have the most uncertainty. Companies with fewer
than 100 employees have an uncertainty score of 6.5.
- Surprisingly, an organisation’s leadership team has the most uncertainty.
According to the study, the higher the position, the more removed an
individual could be in understanding the organisation’s risk and strategy.
Executive/VP titles have an uncertainty score of 6.9 and directors have a
score of 6.8.
- Retailing; education and research; and entertainment and media have the
highest level of uncertainty, while uncertainty drops significantly for
organisations in the financial services and technology sectors. It is
possible that the high degree of certainty in the financial sector can be
attributed to the need to comply with data security regulations.

Uncertainty creates risk, and based on the findings, the study identified
seven consequences of an uncertain security strategy:

Cyber attacks go undetected - A significant number of respondents (33
percent) are unsure if their organisation experienced a cyber attack in the
last 12 months.

Data breach root causes are unknown - While 51 percent of respondents say
their organisation has had a data breach, 44 percent cannot identify the
root cause.

Intelligence to stop exploits is not actionable - Because of the lack of
knowledge about the frequency and magnitude of cyber attacks, there appears
to be a lack of actionable intelligence. Thirty-three percent say a lack of
in-house expertise prevents a fully effective IT security posture, and 5
percent cite no understanding of how to protect against cyber attacks.

Cyber security is not a priority - Forty-four percent of respondents report
IT security is not a priority. As evidence, 42 percent say their budget is
not adequate for achieving an effective security posture. Compounding the
problem, only 26 percent of respondents say their IT staff has sufficient
expertise. On average, organisations have three employees who are fully
dedicated to IT security.

Weak business case for investing in cyber security - Respondents in more
senior positions have the most uncertainty about the threats to their
organisations. According to the findings, 58 percent of respondents say
management does not see cyber attacks as a significant risk.

Mobile and ‘Bring Your Own Device’ (BYOD) security ambiguity - Fifty
percent of respondents say mobile devices diminish an organisation’s
security posture. However, 58 percent report these concerns are not
stopping the adoption of tablets and smart phones within their
organisation. The survey also reveals that BYOD is a concern. Forty-five
percent say BYOD diminishes an organisation’s security effectiveness.

Financial impact of cyber crime is unknown - Respondents estimate that the
cost of disruption to normal operations is much higher than the cost of
damage to or theft of IT assets and infrastructure. Yet 29 percent cannot
estimate the cost of damage to or theft of IT assets, and 22 percent do not
know what disruption costs the organisation.

Recommendations

So what should SMBs be doing to better protect themselves from the threat
of cyber attacks?

- Organisations need to concentrate resources on monitoring their security
situation in order to make intelligent decisions. While assessing where
they stand on the security continuum, organisations need to focus on
monitoring, reporting and proactively detecting threats.
- Establish mobile and BYOD security best practices. Carefully plan and
implement a mobile strategy so that it doesn’t have an impact on the
overall security posture.
- Organisations should look for ways to bridge the gap created by a
shortage of information security professionals. Consider ways to free up
time for in-house resources, including a move to cloud technologies,
security consulting and easy-to-manage solutions.
- Measure the cost of cyber attacks, including lost productivity caused by
downtime. Work with senior management to make cyber security a priority
and invest in solutions that restore normal business activity more quickly
for a high return on investment.
- Organisations in all sectors are regularly breached, and regulations are
often simply the beginning of properly securing a network. Consider
consolidated security management to gain a more accurate picture of threats
that will help focus on problem areas.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss