Five Warning Signs Your Security Policy Is Lacking
Warning signs of a weak security policy from SunGuard Availability Services.
What cyber security concern is looming large in the minds of security personnel these days? According to a new report from The Enterprise Strategy Group (ESG), 93 percent of security professionals in large corporations are concerned that Advanced Persistent Threats (APTs) pose a major threat to business networks.
The report, U.S. Advanced Persistent Threat Analysis, surveyed 244 security professionals working at enterprise organizations (i.e., those with more than 1,000 employees) in the United States, asking questions specifically about APTs, which are attacks designed to let hackers steal sensitive data.
APTs are often associated with military and defense contractors, but as the ESG report shows, APTs are now targeting both private and public sector companies. According to the report:
59% of the survey respondents are "certain" or "fairly certain" that their organizations have been the target of a previous APT attack. Furthermore, 72% of organizations believe they are a "highly likely" or "somewhat likely" target of future APT attacks. The research also indicates that many organizations are not adequately protected against future attacks: Nearly one-third of the large organizations surveyed believe that they are vulnerable to future APTs. Another key finding of note is that 46% of large organizations that ESG categorized as "most prepared for APTs" (based upon their existing security policies, procedures, and technical safeguards) say they are vulnerable to future sophisticated attacks.
If these large companies know they are vulnerable to attacks, are they doing anything to better protect their networks? Perhaps not as much as they could. This summer, Bit9 released a survey that found the majority of companies they spoke with were concerned about cyber attacks like APTs, just as the ESG survey found, but the Bit9 survey also found that 50 percent of the companies they surveyed rely on an honor system when it comes to employees following the security policies.
It seems like a lot of these surveys and reports come down to two issues: educating employees and enforcing security policy. I would love to hear from security professionals about how they approach these two issues. Of course, protecting a network is more complicated than simply educating employees, but both the education and the policy need to be more specific. That's one of the things the ESG survey wanted to find out, too. One of its goals was to ask security professionals at U.S. organizations whether the U.S. federal government should provide specific APT education and cyber security programs. The report said:
Published reports about APTs demonstrate that these attacks are often used to steal sensitive data about military planning, advanced technology, personally identifiable information (PII), and other types of intellectual property (IP). As such, APTs could be construed as a threat to the defense and economy of the United States. ESG wanted to determine whether security professionals believe that APTs represent this type of threat and if so, what they believe the U.S. federal government should do in response.