Data/Cyber

GDPR compliance a major concern for business leaders, claims new survey

BY Fraser Tennant

Increasing regulatory pressures such as the forthcoming EU General Data Protection Regulation (GDPR) are a major concern for business leaders, according to an EY survey published this week.

According to the third biennial EY Global Forensic Data Analytics Survey – ‘How can you disrupt risk in an era of digital transformation?’ – which examined the responses of 745 executives from 19 countries, 78 percent of respondents expressed increasing concern about data protection and data privacy compliance issues, specifically the GDPR.

Indeed, with less than four months to go until the GDPR comes into force on 25 May 2018, only 33 percent of survey respondents said they have a plan in place to comply with the EU legislation. Moreover, while the average response of respondents in Europe was more positive, with 60 percent indicating they have a GDPR compliance plan in place, the survey notes that much work remains to be done in other markets, including Africa and the Middle East (27 percent), the Americas (13 percent) and Asia-Pacific (12 percent).

“The pace of regulatory change continues to accelerate and the introduction of data protection and data privacy laws, such as GDPR, are major compliance challenges for global organisations,” said Andrew Gordon, EY global fraud investigation & dispute services leader. “But businesses that adopt forensic data analytics (FDA) technologies can achieve significant advantages, benefiting from more effective risk management and increased business transparency across all of their operations.”

The survey also found that 42 percent of businesses believe that data protection and data privacy regulations have a significant impact on the design or use of FDA. EY’s examination further revealed that 13 percent of respondents indicated that they currently use FDA to achieve GDPR compliance, with more than half (52 percent) of the respondents indicating that they are currently in the process of analysing exactly which FDA tools they would use to assist them with achieving compliance.

Overall, survey respondents stated that increased adoption of, and spending on, advanced FDA technologies needs to be matched with greater investment in skilled resources.

Mr Gordon concluded: “While it is encouraging to see that investment in advanced FDA is increasing, companies need to hire the right talent and invest in core skills such as domain knowledge and data analytics in order to be successful in managing their risk profile.”

Report: How can you disrupt risk in an era of digital transformation? – Global Forensic Data Analytics Survey 2018

Confidence down as cyber threat grows

BY Richard Summerfield

Cyber threats are evolving all the time, and while cyber criminals become more sophisticated and better equipped, it is the responsibility of companies to ensure that they are well prepared for any attacks. Yet, according to a new report from Alert Logic, many organisations lack confidence that their systems can withstand an assault.

The ‘Threat Monitoring, Detection and Response Report’ notes that companies are increasingly under attack from ransomware and phishing, and frequently experience data losses (these are the three biggest concerns for companies). Yet many cyber security executives in the UK are unconvinced that their company’s overall security posture is adequate.

Just 42 percent of the 400 executives surveyed indicated that they were moderately confident about their company’s ability to repel an attack. Thirty-two percent of executives felt that their company was more likely to experience a cyber breach in the next 12 months, compared to a year ago. Twenty-nine percent believed a breach was less likely, 22 percent did not expect the threat to change and 17 percent were unsure.

Many companies expressed concern about their ability to resist attacks. Primarily, executives believed that a lack of budget (51 percent), a lack of skilled personnel (49 percent) and lack of security awareness (49 percent) were the most significant obstacles facing security teams and the biggest barriers companies face when trying to defend themselves from attack.

Insiders are another growing concern for respondents. Fifty-four percent of those surveyed perceived a growth in these threats over the past year. Indeed, inadvertent insider breaches were cited as the biggest internal threats companies faced (61 percent). Insufficient user training contributed considerably, with 57 percent of respondents claiming that improving training would help overcome internal threats.

Yet despite the increased profile of cyber threats in the media, many cyber security executives do not expect to see their budgets increase substantially. Only 32 percent expect to get more, while 9 percent expect to receive less and 54 percent anticipate the same level.

A number of organisations are utilising threat intelligence platforms to respond to attackers. Forty-seven percent of respondents reported that they were deploying open-source threat intelligence. Thirty-seven percent claimed that they use a range of commercial vendors. Forty-nine percent claimed that the use of threat intelligence platforms had a positive impact on reducing data breaches.

Report: Threat Monitoring, Detection and Response Report

Countering complacency key to defeating cyber criminals

BY Richard Summerfield

Despite an increase in the number of cyber attacks and data breaches over the last 12 months, including a number of high profile cyber events, there has been a decline in how seriously C-suite executives view cyber risk, according to a report from Zurich and Advisen Ltd.

In ‘The Seventh Annual Survey on the Current State of and Trends in Information Security and Cyber Risk Management’, 60 percent of the risk professionals surveyed said executive management view cyber risk as a significant threat to their organisation. However, this is down significantly from the 85 percent recorded in 2016.

The eroding of the importance of cyber security issues among senior management is a worrying trend, particularly in light of the number of cyber incidents recorded over the last 12 months, as well as the volume and value of the data stolen.

According to the report, only 53 percent of respondents knew of any changes to their companies’ cyber security systems in response to the high-profile attacks that took place in early 2017. Furthermore, growth in the purchase of cyber insurance has gone stagnant after a steady six-year increase from 35 percent to 65 percent.

“These findings may indicate that businesses are not up to speed on the magnitude of impact that business interruption losses are beginning to have on businesses,” said Erica Davis, head of Specialty E&O for Zurich North America. “Businesses must adopt a mindset of resilience that extends beyond the four walls of their organization. As cyber security breaches persist, it is more critical than ever to engage in an ongoing, comprehensive review of all business partner relationships including how those vendors and business partners approach their own exposures and controls and how the vendors’ supplier approach fits into their overall resilience plan.”

A total of 315 respondents, across a spectrum of businesses of all sizes, contributed to the report. Fifty-six percent of respondents were from companies with revenue of $1bn or less.

Report: The seventh annual survey on the current state of and trends in information security and cyber risk management

Cyber criminals increasingly deploying sophisticated malware as attack tools, warns report

BY Fraser Tennant

Cyber criminals across the globe are increasingly deploying sophisticated malware such as adware and ransomware to attack companies, warns a new report by Check Point Software Technologies Ltd.

In ‘Global Cyber Attack Trends 2017’, Check Point notes that the global cyber landscape in 2017 appears to have picked up where 2016 left off, with cyber threats emerging on a monthly basis that are increasingly sophisticated, featuring new capabilities and distribution methods.

Among the key trends identified in the report are: (i) nation-state cyber weapons are now in the hands of criminals; (ii) the line between adware and malware is fading, and mobile adware botnets are on the rise; (iii) macro-based downloaders continue to evolve; (iv) a new wave of mobile bankers has arrived on Google Play undetected to infect users; and (v) threat actors are continuing to sell new malware-as-a-service through several platforms, increasing the risk of data breaches.

Also highlighted in the report are today’s most prevalent examples of global malware and ransomware and the regions of the world which attackers target most often.

According to the report: “2017 is shedding light on a new trend – simple, yet highly effective malware families are causing rapid destruction globally. The samples are distributed by unknown threat actors, yet wield high-end attack tools and techniques developed by elite nation-state actors. In addition, massive theft operations, such as the infamous Shadow Brokers leak of tools allegedly developed by the US National Security Agency (NSA), have led to some of the world’s most sophisticated malware ending up in the hands of unskilled attackers.”

Also analysed is the impact of the WannaCry and NotPetya ransomware which has affected public infrastructure as well as medical facilities around the world, with the report noting that many of these attacks could have been blocked had the proper security measures been in place.

“Even with WannaCry and NotPetya making global headlines, most organisations continue to rely on a strategy of detection and response after an attack has occurred as their primary means of defence,” continues the report. “Unfortunately, 99 percent of organisations still have not put in place the fundamental cyber security technologies available to prevent these types of attacks.”

To keep ahead of cyber threats, the report advises companies to stay alert and concludes: “To provide organisations with the best level of protection, security experts must be attuned to the ever-changing landscape and the latest threats and attack methods to keep their security posture at the highest standard.”

Report: Global Cyber Attack Trends 2017

Shortfall in private cyber defences

BY Richard Summerfield

Given the increasing sophistication of cyber criminals and the potential risks faced by companies that fall victim to attack, cyber security has become a hot topic in recent years. According to a new report from the President’s National Infrastructure Advisory Council (NIAC), however, cyber defences in the US are not currently fit for purpose.

The report, ‘Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure’, was based on reviewing hundreds of previous studies plus interviews with 38 cyber experts, who were mostly in the financial services and electricity sectors.

The NIAC, which was created in the aftermath of the 11 September 2001 attacks in the US, is charged with the task of advising the Department of Homeland Security on the security of US critical infrastructure against any form of attack, be it physical or cyber based. It believes that cyber security provisions in the US are currently experiencing a pre-9/11 moment. According to the report, if more is not done to protect the country’s critical infrastructure, such as the financial system or electric grids in the US, both the government and private industries run the risk of missing a “narrow and fleeting window of opportunity before a watershed, 9/11-level cyber attack”.

The report notes: “Cyber is the sole arena where private companies are the front line of defence in a nation-state attack on US infrastructure. When a cyber attack can deliver the same damage or consequences as a kinetic attack, it requires national leadership and close coordination of our collective resources, capabilities, and authorities.”

The NIAC has proposed 11 specific recommendations to shore up the country’s cyber security defences. Chief among these is establishing specific network paths designated for the most critical networks, which would include dark fibre networks for critical control system traffic and reserved spectrum for backup communications during emergencies. The NIAC also recommended private organisations and government bodies improve their threat information sharing. In addition, the government should provide incentives for any hardware upgrades performed, as well as establish a centre of excellence which will showcase best-in-class tools across the industry and provide a test bed environment for companies to test and evaluate new software, among others.

“We believe the US government and private sector collectively have the tremendous cyber capabilities and resources needed to defend critical private systems from aggressive cyber attacks – provided they are properly organized, harnessed, and focused. Today, we’re falling short”, the report suggests.

Report: Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure

©2001-2024 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.