research Archives - Page 12 of 13 - Cyber Secure Forum | Forum Events Ltd

Cybersecurity skills gap increases to 2.9 million globally

Stuart O'Brien

New research shows a widening of the global cybersecurity workforce gap to nearly three million across North America, Latin America, Asia-Pacific (APAC), and Europe, the Middle East and Africa (EMEA).

The 2018 (ISC)² Cybersecurity Workforce Study (formerly the Global Information Security Workforce Study) is based on feedback from a sample of professionals responsible for securing their organisations around the world.

It includes IT/ICT staff within organisations ranging from large enterprises to small businesses who may or may not have formal cybersecurity roles but do have hands-on responsibility for securing critical assets every day – spending at least 25% of their time on such activities.

Key insights revealed in the study include:

  • Of the 2.93 million overall gap, the Asia-Pacific region is experiencing the highest shortage, at 2.14 million, in part thanks to its growing economies and new cybersecurity and data privacy legislation being enacted throughout the region
  • North America has the next highest gap number at 498,000, while EMEA and Latin America contribute a 142,000 and 136,000 staffing shortfall, respectively
  • 63% of respondents report that their organisations have a shortage of IT staff dedicated to cybersecurity. 59% say their companies are at moderate or extreme risk of cybersecurity attacks due to this shortage.
  • 48% of respondents say their organizations plan to increase cybersecurity staffing over the next 12 months
  • 68% of respondents say they are either very or somewhat satisfied in their current job
  • Women represent 24% of this broader cybersecurity workforce (compared to 11% from previous studies), while 35% are Millennial or Gen Y (compared to less than 20% from previous studies)
  • More than half of all respondents globally (54%) are either pursuing cybersecurity certifications or plan to within the next year

Some of the biggest career progression challenges respondents reported are:

  • Unclear career paths for cybersecurity roles (34%)
  • Lack of organisational knowledge of cybersecurity skills (32%)
  • The cost of education to prepare for a cybersecurity career (28%)

The four areas cybersecurity pros feel they will need to develop most or improve on over the next two years in order to advance in their careers include:

  • Cloud computing security
  • Penetration testing
  • Threat intelligence analysis
  • Forensics

“This research is essential to fostering a clearer understanding of who makes up the larger pool of cybersecurity workers and enables us to better tailor our professional development programs for the men and women securing organizations day in and day out,” said (ISC)² CEO David Shearer, CISSP. “We will share these powerful insights with our partners in government and the private sector to help establish the programs necessary to advance the cybersecurity profession. By broadening our view of the workforce to include those with collateral cybersecurity duties within IT and ICT teams, we discovered that professionals are still facing familiar challenges, but also found striking differences compared to previous research, including a younger workforce and greater representation of women.”

Download the full study at www.isc2.org/research.

Biometrics and behaviour-based authentication on the rise

Stuart O'Brien

A new survey suggests our relationship with passwords to identify ourselves online is shifting.

For some of us, it’s shocking to consider that single-factor authentication is still in use today, given that poor password habits and ever-stronger computing power have led to an increase in hacking-related breaches involving stolen or weak passwords.

But a Callsign survey has revealed that a knowledge-based approach, such as passwords, for accessing online accounts is now favoured by less than half of UK and US respondents (45% on both sides of the Atlantic).

Over the last few years, increased availability of biometric tools on laptops, tablets and smartphones has given consumers a taste for biometric identification, and in the survey 30% noted a preference for sharing and storing biometric information (32% in the UK and 27% in the US) for identification when accessing an online account or making a purchase.

But it’s clear there’s still a long way to go in shifting consumer attitudes away from relying solely on passwords. Callsign says biometric information as well as behavioural biometric data – such as the way a user swipes their screen or their unique keystroke pattern when entering their password – need to become the norm, so companies can more intelligently identify anomalies and apply additional layers of security.

With employees frequently cited as the weakest link in corporate cybersecurity, it is no surprise that traditional passwords are still preferred at work, where reluctance to adopt newer methods of identification in favour of presumed ease of access is commonplace.

Knowledge-based identification was the most favoured by 56% of workers (58% in the UK and 51% in the US), while biometric methods were preferred by a mere 15% of workers.

Other insights from this survey include:

  • Despite the high preference for knowledge-based identifiers at work (58% in the UK and 51% in the US), they are less favourable for personal use, where 46% noted they were preferred when logging in to check an account balance and 44% chose it for making a purchase or a balance transfer
  • The UK tends to be more receptive to biometrics compared to the US, with 32% to 27%, respectively, noting they’d prefer it overall
  • In the US, age is a significant factor as Baby Boomers (55+) are more receptive to passwords (46%) and biometric identifiers (31%) than younger respondents (aged 18-24), with 39% preferring passwords and 26% preferring biometric identifiers. Younger respondents (those 18 to 24) were more receptive to behavioural identifiers (12%) compared to those aged 55+ (4%)

“The study suggests we’re at a tipping point where our reliance on simple passwords is on a steady downward turn,” said Callsign CEO Zia Hayat. “Although two-factor and multi-factor authentication, along with biometrics, are an improvement, they are still flawed. Ultimately, we understand the privacy of users is paramount. Companies need to offer choice and control when it comes to the data that is collected and the identification methods used – another reason multi-factor identification is so limited.”

“However, there is a new realm of behavioural identification that is truly revolutionising and streamlining identification and improving customer experiences, all whilst minimising fraud. Here at Callsign, we’re creating a much more positive experience with greater protection and better privacy for the consumer or worker.”

Callsign commissioned YouGov Plc to conduct the survey. Total sample size was 2,131 adults in the UK and 1,160 adults in the US. Fieldwork was undertaken in August 2018.

Cybersecurity insurance up among UK firms, but full coverage lacking

Stuart O'Brien

The number of UK firms with cybersecurity insurance has risen in the past year — but less than half say their cyber insurance covers all risks.

The second annual cybersecurity survey from research and consultancy firm Ovum, for Silicon Valley analytics firm FICO, found that the number of UK firms reporting they have no cybersecurity insurance dropped from 31 percent in 2017 to 10 percent in 2018.

While this is substantially better than the 24 percent reported across all 11 countries surveyed, only 38 percent of UK respondents said their cybersecurity insurance covers all risks.

Telecommunications firms were the most likely to have no cybersecurity insurance — 17 percent reported this, compared to just 5 percent of financial services firms. Furthermore, less than half — just 40 percent — of firms said their insurer based their premiums on an accurate analysis of their risk profile.

Most firms said premiums are based on an inaccurate analysis, on industry averages or on unknown factors.

“Cybersecurity insurance has become a must-have for UK firms in a short period of time,” said Steve Hadaway, FICO general manager for Europe, the Middle East and Africa. “But with that growth will come increased pressure on insurers to increase the transparency and fairness around how premiums are set. Businesses will demand that their investments in cybersecurity protection — and the strength of their cybersecurity posture — drive their premiums down.”

“Although UK organizations perform well in terms of the uptake of cyber insurance, the fact that fewer than 40% have comprehensive insurance demonstrates there is still some way to go for these firms to have a broad view of their security posture and how to present it for insurance,” said Maxine Holt, research director at Ovum. “It could also show that these companies have a current security posture that insurers are not prepared to cover comprehensively. We should not detract from the positive news here; 90% of UK organizations have elevated the importance of cybersecurity to a level that requires insuring, even if only partially.”

Ovum conducted the survey for FICO through telephone interviews with 500 senior executives, mostly from the IT function, in businesses from the UK, the US, Canada, Brazil, Mexico, Germany, India, Finland, Norway, Sweden and South Africa. Respondents represented firms in financial services, telecommunications, retail and ecommerce, and power and utilities.

UK cybersecurity skills concerns highlighted

Stuart O'Brien

Only 56 per cent of UK firms believe they have sufficient cybersecurity skills in-house to deal with the numerous threats they are facing, according to new research.

Databarracks questioned over 400 IT decision makers in the UK as part of its 10th annual survey, in order to understand their views on a series of issues relating to IT security and business continuity.

Certainly, it seems cybersecurity investment has grown – in 2016, 59 per cent of respondents said that they had invested in safeguards to help fight against cyber threats, with the figure rising to 67 per cent in 2018.

Likewise, in 2016 only 12 per cent of firms surveyed said that they had updated their cybersecurity policy in the past 12 months, while in 2018 26 per cent of those surveyed said they had done so.

Meanwhile, threat monitoring software is now used by 28 per cent of businesses, compared to just 13 per cent of businesses in 2016.

Plus, the number of organisations that employ a Chief Information Security Officer has increased massively, from one per cent in 2016 to 14 per cent in 2018.

Peter Groucutt, Managing Director at Databarracks, said: “Investment in cyber security safeguards, should translate to improved confidence but the findings show it is yet to make a significant difference. We are in the midst of a rapidly accelerating arms race. Organisations are desperately trying to match criminals, by working hard to improve knowledge, training and investment in security defences, but are clearly concerned about keeping pace. Importantly, organisations shouldn’t become disheartened. While confidence levels are not where we hoped, businesses are making positive strides and acting on the front-foot to fight back, which makes us optimistic for the future.”

Risk-based approach needed to stop cyber crime

Stuart O'Brien

A report by Gartner has advised companies to take a risk-based approach to stop cyber crime, rather than trying to prevent attacks with large-scale, expensive security deployments.

A survey commissioned by Gartner of 3,160 CIOs across 98 countries and various major industries showed that 35% had already invested in a form of digital security at their company, with 36% admitting that they were planning to activate digital security at their company in the short term.

Discussing the findings, Rob McMillan, research director at Gartner, said: “Raising budgets alone doesn’t create an improved risk posture.

“Security investments must be prioritised by business outcomes to ensure the right amount is spent on the right things.”

McMillan advised companies to take a risk-based approach, with businesses continuously changing plans and security techniques as and when necessary.

“Taking a risk-based approach is imperative to set a target level of cybersecurity readiness,” added McMillan.

“In a twisted way, many cybercriminals are digital pioneers, finding ways to leverage big data and web-scale techniques to stage attacks and steal data.

“CIOs can’t protect their organisations from everything, so they need to create a sustainable set of controls that balances their need to protect their business with their need to run it.”

UK firms ‘overconfident’ on cybersecurity

Stuart O'Brien

Businesses are displaying a false sense of security when it comes to their IT security, flying in the face of evidence showing rising incidents of cyber attacks.

That’s the conclusion of a study conducted by Ovum on behalf of US-based analytics firm FICO, which found that three quarters of UK execs felt their firm was better prepared than competitors for a cyber attack.

What’s more, 43 per cent said their firm was a top performer – second highest only to Canada out of the eight countries surveyed.

By comparison, 68 per cent of executives from US firms said their firm was better prepared than their competitors, and 37 per cent said their firm was a top performer.

Ovum conducted telephone surveys for FICO of security executives at 500 companies in the US and 10 other countries in order to compile its report.

Respondents from power and utilities providers in the US were the most confident, or least realistic, with 86 per cent rating their firms above average or top performers.

Financial services respondents were the least confident, or most realistic, with 60 per cent rating their firms above average or top performers.

In the UK, financial services respondents were least realistic, with 96 per cent rating their firms above average or top performers, while retail and e-commerce respondents were most realistic, with 57 per cent rating their firms above average or top performers.

Only 36 per cent of organisations are carrying out more than a point-in-time assessment of what their cybersecurity risk is.

MPs concerned over hacking threat to critical national infrastructure

Stuart O'Brien

Two thirds of MPs consider the compromise of critical national infrastructure to be the biggest cyber security threat facing the UK.

A year on from the cyber attack on parliamentary emails, a YouGov survey commissioned by NCC Group has gauged the opinions of MPs in the House of Commons with regards to their personal cyber security, the cyber risks associated with national security and societal wellbeing, and the consequences of a successful attack on parliament.

The results revealed that 62% of MPs across all regions, including 70% of Conservatives and 57% of Labour MPs, consider a compromise of critical national infrastructure to be the biggest risk.

Despite this common ground between MPs across parties on the threat to critical national infrastructure, the survey indicated divides with regards to the severity of other cyber threats. 42% of Conservatives said that they consider a compromise of nuclear capabilities to be one of the top two threats, compared to just 14% of Labour MPs, while 44% of Labour MPs considered democratic interference to be a significant threat, compared to 16% of Conservative MPs.

Alongside this, the survey highlighted that 75% of all MPs are concerned that a breach of their personal email could negatively affect the cyber security of the House of Commons, highlighting that most MPs understand the crucial role they personally play in enhancing the UK Parliament’s security posture.

It was also revealed that, in the event of a successful cyber attack, 73% of all MPs considered the breach of constituents’ privacy to be their biggest concern, alongside a leak of sensitive information relating to parliamentary business (46%).

These results have been released ahead of a meeting at the House of Commons, which addressed the cyber threats challenging the UK political landscape and outlined how MPs can best contribute towards tackling this growing threat.

Ollie Whitehouse, global chief technical officer at NCC Group, said: “It’s very positive to see that a majority of MPs are aware of the different threats we face and realise the gravitas of a successful attack, particularly with regards to our resilience as a nation.

“In recent years, the government has been proactive in implementing initiatives to strengthen the UK’s stance against evolving technical and geopolitical threats which attempt to compromise the integrity of our nations. MPs play a significant role in these initiatives, so it’s important to maintain continued education around modern threats and informed dialogue amongst all stakeholders. This will ensure that parliamentary staff at all levels understand the steps they need to take, in both their professional and personal lives, in order to address cyber risk head on.”

Study highlights demand for phishing attack simulation and training

Stuart O'Brien

A global study has highlighted market demand for simulation and training to combat phishing attacks.

The research, commissioned by Barracuda Networks, revealed several points highlighting the need for organisations to include simulation and training as part of their email security posture.

It includes responses from over 630 participants who all had a responsibility for email security in their organisations. Some of the key findings include:

  • 98 percent of respondents said their organization would benefit from additional email security capabilities with phishing simulation (63%), social engineering detection (62%), email encryption (60%), and data loss prevention (59%) leading the way in terms of capabilities valued.
  • 100% of the respondents have good intentions and believe that user training is important; however, only 77% are actually training their employees.
  • It was also reported that larger organisations (over 1000 employees) are more likely to train their employees.
  • Poor employee behaviour (84%) is a greater email security concern than inadequate tools (16%); however, there’s no consensus on the level of employee that will fall for an attack.

Accordingly, Barracuda has expanded its PhishLine product portfolio with a streamlined edition well-suited to organizations with fewer than 1,000 employees, tuned specifically to be ready for distribution through the reseller channel.

It claims PhishLine can prevent email fraud, data loss, and brand damage by training and testing employees to recognize highly targeted phishing attacks.

“As phishing attacks have become increasingly stealthy and targeted, our adversaries have shifted their focus from the largest organizations to smaller targets,” said Hatem Naguib, SVP and GM of Security at Barracuda. “Today’s announcement expands our PhishLine portfolio, by building on our enterprise grade offering with a solution aimed specifically at simplicity and fast time to value, fit for today’s resource-constrained midsized businesses.”

Third of C-Suite execs would pay hacker’s ransom demands rather than invest in more security

Stuart O'Brien

One third of global business decision makers report that their organisation would try to cut costs by considering paying a ransom demand from a hacker rather than invest in information security.

In the UK, this figure drops to a fifth (21 per cent) of respondents. The findings from the 2018 Risk:Value Report, commissioned by security specialist NTT, show that another 30 per cent in the UK are not sure if they would pay or not, suggesting that only around half are prepared to invest in security to proactively protect the business.

Examining business attitudes to risk and the value of information security, NTT Security’s annual Risk:Value Report surveys C-level executives and other decision makers from non-IT functions in 12 countries across Europe, the US and APAC and from multiple industry sectors.

The findings are particularly concerning, given the growth in ransomware, as identified in NTT Security’s Global Threat Intelligence Report (GTIR) published in April. According to the GTIR, ransomware attacks surged by 350 per cent in 2017, accounting for 29 per cent of all attacks in EMEA and seven per cent of malware attacks worldwide.

Levels of confidence about being vulnerable to attack also seem unrealistic, according to the report. 41 per cent of respondents in the UK claim that their organisation has not been affected by a data breach, compared to 47 per cent globally. More realistically, of those in the UK, 10 per cent expect to suffer a breach, but nearly a third (31 per cent) do not expect to suffer a breach at all. More worrying is the 22 per cent of UK respondents who are not sure if they have suffered a breach or not.

Given that just four per cent of respondents in the UK see poor information security as the single greatest risk to the business, this is unsurprising. Notably, 14 per cent regard Brexit as the single greatest business risk, although competitors taking market share (24 per cent) and budget cuts (18 per cent) top the table.

When considering the impact of a breach, UK respondents are most concerned about what a data breach will do to their image, with almost three-quarters (73 per cent) concerned about loss of customer confidence and 69 per cent about damage to reputation. These are the highest figures for any country.

The estimated loss in terms of revenue is 9.72 per cent (compared to 10.29 per cent globally, up from 2017’s 9.95 per cent). Executives in Europe are more optimistic, expecting lower revenue losses than those in the US or APAC.

The estimated cost of recovery globally, on average, has increased to USD1.52m, up from USD1.35m in 2017, although UK estimates are lower at USD1.33m this year. Globally, respondents anticipate it would take 57 days to recover from a breach, down from 74 days in 2017. However, in the UK, decision makers are more optimistic, believing it would take just 47 days to recover, one of the lowest estimates for any country.

Kai Grunwitz, Senior VP EMEA, NTT Security, said: “We’re seeing almost unprecedented levels of confidence among our respondents to this year’s report, with almost half claiming they have never experienced a data breach. Some might call it naivety, and it perhaps suggests that many decision makers within organisations are simply not close enough to the action and are looking at one of the most serious issues within business today with an idealistic rather than realistic view.

“This is reinforced by that worrying statistic that more than a third globally would rather pay a ransom demand than invest in their cybersecurity, especially given the big hike in ransomware detections and headline-grabbing incidents like WannaCry. While it’s encouraging that many organisations are prepared to take a long-term, proactive stance, there are still signs that many are still prepared to take a short-term, reactive approach to security in order to drive down costs.”

According to Risk:Value, there is no clear consensus on who is responsible for day to day security, with 19 per cent of UK respondents saying the CIO is responsible, compared to 21 per cent for the CEO, 18 per cent for the CISO and 17 per cent for the IT director. Global figures are very similar.

One area of concern, however, is whether there are regular boardroom discussions about security, with 84 per cent of UK respondents agreeing that preventing a security attack should be a regular item on the Board’s agenda. Yet only around half (53 per cent) admit it is and a quarter don’t know.

UK respondents estimate that the operations department spent noticeably more of its budget on security (17.02 per cent) than the IT department did (12.94 per cent). This compares to the global figures of 17.84 per cent (operations) and 14.32 per cent (IT), on average.

Each year the NTT Security Risk:Value report shows that companies are still failing when it comes to communicating information security policies. An impressive 77 per cent in the UK (compared to 57 per cent globally) claim to have a policy in place, while 10 per cent (26 per cent globally) are working on one. While 85 per cent of UK respondents with a policy in place say this is actively communicated internally, less than a third (30 per cent) admit that employees are fully aware of it.

In terms of incident response planning, the UK is the best prepared, with 63 per cent of respondents saying their organisation has already implemented a response plan, well above the global figure of 49 per cent, while 18 per cent are in the process. Just 1 per cent in the UK say they have no plans to implement an incident response plan.

“The UK is leading the pack when it comes to planning for a security breach or for non-compliance of information/data security regulations,” added Kai Grunwitz. “Given that the GDPR has just come into force, this is encouraging. However, while the majority claim their information security and response plans are well communicated internally, it seems it’s only a minority who are ‘fully aware’ of them. This continues to be an area that businesses are failing on time and time again and needs to be addressed as a priority.”

For further information on NTT Security’s 2018 Risk:Value report and to download a copy, visit: https://www.nttsecurity.com/en-uk/risk-value-2018

Just a third of UK firms will be GDPR compliant by May 25

Stuart O'Brien

UK companies are hugely ill-prepared for this week’s General Data Protection Regulation (GDPR) enforcement deadline, according to new research.

Less than a third (29%) of organisations surveyed by USB drive specialist Apricorn felt confident they would comply. When asked whether there were any areas in which they might be likely to fail, 81% could name some area of the new requirements that might cause them to fall short of GDPR compliance.

Fifty per cent of organisations who know that GDPR will apply to them admit that a lack of understanding of the data they collect and process is their number one concern relating to non-compliance.

On top of this, almost four in ten (37%) believe they are most likely to fail because of gaps in employee training, and almost a quarter (23%) say their employees don’t understand the new responsibilities that come with the GDPR.

While one in ten still regard the GDPR as a mere tick box exercise, a substantial proportion do view it as being of some benefit to their organisation – for example 44% agree that the new regulation is a welcome opportunity to overhaul their organisation’s data handling and security processes.

The most commonly taken step so far, for those who say they will be at least somewhat prepared for the GDPR, is to review and update their security policies for mobile working (67%). However, 30% still worry they could fail to comply due to mobile working, and almost a quarter (22%) of respondents are concerned they may fail due to a lack of encryption.

“Data or personally identifiable information (PII) is at the heart of GDPR and mapping and securing it should be every organisation’s number one priority. By now, all employees, from the top down, should have an understanding of the importance of GDPR and the role they play in keeping this data safe,” said Jon Fielding, Managing Director EMEA, Apricorn. “While we know that many organisations have provided some form of employee training, clearly in some cases this hasn’t been effective and organisations should address these gaps urgently.”