
Confidence in Information Security Capabilities Is Lacking


Written By
Sue Poremba
Jul 21, 2015

Data breaches and cyberattacks happen daily, across industries and to businesses of all sizes. However, as these attacks become more sophisticated, companies admit that they are at a loss on how to best protect the data. According to eWeek, a study from RSA shows that those responsible for protecting the network don’t necessarily trust their information security capabilities.

The Cybersecurity Poverty Index survey revealed that four in 10 companies admitted that their security capabilities were “functional,” or, in terms of the survey, average. In all, approximately 75 percent of the 400 companies interviewed confessed that their security abilities were either average or below average when compared to the standards suggested by the Cybersecurity Framework, which was developed by the U.S. National Institute of Standards and Technology.

The RSA study used five areas to measure information security capabilities, as eWeek reported:

The five components of an information-security program include identifying threats, protecting information assets, detecting attacks, responding to incidents and recovering from compromises.

According to InfoSecurity Magazine, a second study conducted at RSA, this one from Venafi, found a serious disconnect between actual information security capabilities and what IT professionals choose to believe. The 2015 RSA Conference survey showed that often IT organizations are too trusting of certificates and cryptographic keys:

[M]ost security departments and systems blindly trust keys and certificates, which leaves enterprises unable to determine what is ‘self’ and trusted in their networks and what is not, and therefore dangerous. This means that cyber-criminals can use them to hide in encrypted traffic, spoof websites, deploy malware and steal data.

This study revealed that IT support staff struggles to detect and correct compromised certificates or keys. The survey found that 78 percent of respondents only conduct a partial remediation due to their implicit trust in the security capabilities of keys and certificates. And to make things worse, most companies have no strategy in place to handle a security incident involving vulnerable keys and certificates, which weakens information security capabilities even more.


Most businesses reported that they are most confident in the traditional methods of security (primarily protecting the perimeter and the data inside the perimeter) at a time when this type of protection is less effective. Where confidence is truly lacking is in the maturity of the security systems and their ability to defend against a more sophisticated attack.

Weak security may be the one area where large and small companies are on equal footing. Organizations of all sizes appear to struggle with putting adequate security tools in place. While part of the reason for this struggle has to do with the lack of funds—most security experts admit that security remains near the bottom of the IT-funding list despite the threat risk—a greater reason is that in-house staff isn’t able to keep up with the ever-evolving sophistication of the attacks. Organizations are not adequately protecting all of the data at multiple points.

There can be no excuses for not being confident in information security capabilities in today’s threat environment. Too much is at risk for both the enterprise and its customers. If organizations aren’t comfortable enough with the security systems currently in place, it may be time to look for help from outside.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba


Sue Poremba is a freelance writer based in Central PA. She's been writing about cybersecurity and technology trends since 2008.
