[From the desk of Paul G Davis – his opinion and no-one else’s, apart from those of the authors of the articles.]
And so, now the news
* Stop calling it a ransomware “attack”
* Security in the retail sector on the rise
* Hacked companies still prioritize innovation over cybersecurity
* Massive Delta outage highlights need for quality data center power, backup plans
* Homeland Security shares initiatives for securing government services from emerging cyber threats
* Australia to regulate bitcoin under counter-terrorism finance laws
* What next for cyber resilience?
* FERC Takes Action on Cybersecurity in Response to Ukrainian Cyber Attacks
* Healthcare cybersecurity market flooded with solutions
* Cyber checklist is dead, long-live the new A-130
* Threat Modeling in the Enterprise, Part 1: Understanding the Basics
Stop calling it a ransomware “attack”
I dislike the term “ransomware attack.” Why, you ask.
It’s a matter of perception.
The word “attack” indicates specific intent against a particular individual or group.
An attack means someone (or something) is targeted.
But I’m hesitant to use the terms “attack” and “targeted” when discussing ransomware.
Calling a ransomware infection an “attack” focuses blame on an enemy.
I consider this mindset dangerously close to fear mongering.
Ransomware is distributed on a large scale.
Criminal groups generally use two methods to distribute malware: malicious spam (malspam) and exploit kit (EK) campaigns.
These are most often large-scale operations that attempt to reach as many potential victims as possible.
Yes, those relatively few infections often have major consequences, but they’re not the result of narrowly-defined attacks.
They’re the result of large-scale campaigns.
The important part isn’t necessarily who is infected.
The important part is that enough people with enough resources are infected to make it profitable for the criminals.
We tell ourselves we must know our enemy so we can better protect our network.
However, I think we put too much focus on the enemy and not enough focus on ourselves.
Is everyone in your organization following best security practices?
Is security a truly essential part of your corporate culture?
Is security a primary concern when establishing or upgrading your network architecture, or does cost outweigh the best security measures?
Most organizations have problems in these areas.
We convince ourselves there are certain weaknesses we must live with.
Sure, call it a ransomware incident.
Just don’t call it a ransomware attack.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=cdde3e1c6f&e=20056c7556
Security in the retail sector on the rise
LONDON—Across the globe, retail spaces will purchase more physical security measures, such as cameras and EAS (electric article surveillance) systems, and the Americas will be a strong region in the forecast period from 2016 to 2020, according to a July 28 report from research firm Technavio.
“We see the retail sector becoming one of the top three physical security [vertical markets],” Amrita Choudhury, Technavio research analyst, told Security Systems News.
The retail market, government and the hospitality industry, will be the largest vertical markets globally, she said.
For the combined Americas region, including North and South America, the market value is “around $2.09 billion for 2016, and by 2020 it’s going to be around $2.69 billion, and the CAGR will be 6.38 percent,” Choudhury said.
Choudhury couldn’t provide data on individual territories, but said, “the U.S. is definitely a big player in this market.”
The Americas made up about 47 percent of the total market in 2015, Choudhury said, and that percentage will drop slightly—down to around 46.3 percent by 2020.
The Americas market is still growing, but other regions, such as Asia/Pacific, are growing at a faster rate.
Dropping prices for security products, such as high-end cameras, is another factor driving growth in the retail sector, she said.
Some retailers would prefer to use the analog cameras they have instead of purchasing an IP camera, Choudhury said, which could be a challenge for the market.
Axis, Bosch, Checkpoint, Honeywell, and Tyco are the top five vendors in this market, Choudhury said.
Other vendors include AxxonSoft, Hikvision Digital, Panasonic, Salient Systems, Siemens, she said.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=65c08f91b8&e=20056c7556
Hacked companies still prioritize innovation over cybersecurity
Eight out of 10 executives surveyed acknowledge that their companies had been compromised by cyber attacks in the past two years, according to a new study by KPMG.
Yet less than half of the 403 CIOs, CISOs and CTOs the firm surveyed said that they had invested in information security in the past year.
The notion that hacked companies are underinvesting in cybersecurity defies logic until you understand that most CIOs are told to prioritize innovation over risk mitigation.
Companies grappling with digital transformations are racing to find their own Pokemon Go.
CEOs laser focused on growing the business are loath to slow down to reduce risk.
Ultimately, cybersecurity fails to become the imperative that it should be.
Underinvestment in cybersecurity means less spending on talent and safeguards to protect companies from emerging threats, including business email compromises and ransomware, in which hackers hijack corporate networks and demand money to relinquish control.
In a June survey, security firm Malwarebytes found that 41 percent of U.S. businesses had encountered between one and five ransomware attacks in the previous 12 months.
Such attacks threaten to have devastating impact on company brands and, ultimately, bottom lines.
Bell points to a lack of oversight or governance over how CIOs are allocating their budgets.
Bell says that cybersecurity has traditionally been aligned with IT infrastructure but he suggests companies link it to innovation.
Ideally, CIOs, chief digital officers and their CISO partners will work to layer in protection as new solutions are baked rather than bolted on after the minimum viable product is launched.
Bell says his research uncovered a “cyber-awareness maturity curve” between sectors such as financial services and tech firms and retail and automobile makers.
This is somewhat alarming given retailers’ emphasis on mobile and personalized shopping and automotive manufacturers’ focus on building connected cars that increasingly rely on automated driver assistance technologies.
Bell found that banks and technology companies are relatively on their game with regard to bolstering their cyber postures, with 66 percent and 62 percent, respectively, reporting that they had invested in information security.
That compares to 45 percent of retailers and 32 percent of automotive manufacturers that claimed to have invested.
Of companies surveyed, 69 percent reported having a cybersecurity leader, such as a CISO, in place.
5 percent of both banks and technology companies said they had a CISO or some other position of its ilk compared to 58 percent and 45 percent of retail and automotive companies who fessed up to having a cyber leader.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=92a15a5bbe&e=20056c7556
Massive Delta outage highlights need for quality data center power, backup plans
About 60% of organizations are moving to a recovery time objective of four hours or less, Witty said.
Doing so successfully involves extensive planning.
First, determine what business operations are mission critical.
Then, consider factors that impact recovery time requirements, such as revenue loss, safety, and brand reputation, and build your recovery infrastructure accordingly.
As more companies outsource data operations, a key consideration should be the third party’s ability to meet your recovery requirements, she added.
Crisis management practices, such as the procedures Delta used to notify management and deal with customer fallout, usually get exercised every quarter. “The more you practice your crisis management procedure and communicating with your workforce, customers, suppliers, and partners, the better off you are,” Witty said. “A plan that hasn’t been exercised is not a workable plan.”
The 3 big takeaways for TechRepublic readers
– Delta experienced a massive networked service stoppage Monday morning after a power outage in Atlanta, which offers a lesson in disaster preparedness and recovery for other businesses and data centers.
– About 57% of small and mid-sized businesses have no recovery plan in the event of a network outage, data loss, or other IT disaster, but these plans are key for mitigating natural and manmade disasters and keeping business operations running smoothly.
– Companies should build crisis management and proper communication into all new projects and management changes to ensure consistency.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=529f1eef55&e=20056c7556
Homeland Security shares initiatives for securing government services from emerging cyber threats
“The Department of Homeland Security (DHS) has a very involved cybersecurity mission,” he says. “We do three things in the cybersecurity realm.
First of all, we work across our federal government with 125 different departments and agencies to better prepare to defend their network.
We also work with state, local and territorial governments.
We have over 300,000 different government entities across our 54 states and territories that include counties and municipalities.
Finally, our role in cyber is not complete without working with the communications sector to make sure that the pipes, the different mechanisms for ensuring ones and zeroes up operating for our public”.
Touhill says DHS shares information with over 200 CERTs around the world.
One of the focus areas for DHS is raising the bar for all partners and agencies across the government according to Touhill.
This includes the ability to detect, react and prevent cyber events.
The analysis conducted by DHS has identified 16 critical pieces of infrastructure. 95% of those are held in the private sector.
Touhill called these a kind of cyber “neighbourhood watch” with lots of information sharing including machine-to-machine exchange of data such as IP addresses, hashes and numeric information.
An important element of that response is declassifying information as quickly as possible and making it available to the private sector so they are in a position to pre-emptively act to the changing threat environment.
One of the barriers to information sharing, says Touhill, comes when victims are identified.
The focus, he says, is on sharing everything he can about the assailant and the attack.
When the victims are identified, “that’s when information sharing dries up,” says Touhill.
He also noted that cyber-risk management needs to move from the server room into the board room – something we’ve been hearing for the last few years.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c7c9f2d27d&e=20056c7556
Australia to regulate bitcoin under counter-terrorism finance laws
Jakarta: Australia is moving to become one of the first countries to regulate e-currencies such as bitcoin under its anti-money laundering and counter-terrorism financing laws.
The statutory review of the Anti-Money Laundering and Counter-Terrorism Financing Act, which Mr Keenan tabled in Parliament on April 29, recommends the act be amended to regulate activities relating to digital currency.
It also recommends the definition of e-currency be broadened to include digital currencies such as bitcoin that are not backed by a physical asset.
“While digital currencies have undoubted legitimate uses, the transfer of convertible digital currencies can occur without passing through the formal financial sector,” it says.
In 2014, Canada became the first country to regulate bitcoin and other virtual currencies under its anti-money laundering and counter-terrorism financing laws.
Last month a Florida judge dismissed a money-laundering case involving an alleged illegal sale of bitcoins on the grounds the digital currency was not real money under the laws of the state.
In 2014 the Australian Tax Office designated bitcoin as an “intangible asset” rather than a currency, making it subject to GST.
This led to several bitcoin start-ups leaving Australia.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9fd6926911&e=20056c7556
What next for cyber resilience?
The World Economic Forum lists cyber attacks as among the top five risks in terms of a combination of probability and impact.
And in 2015, PWC reported that cyber risk is the top concern for insurers in Australia.
In addition to detection problems, a further difficulty in measuring the incidence of cyber crime is that due to the sensitive reputational issues surrounding a data breach or cyber attack, many cyber attacks go unreported: As Una Jagose, acting head of New Zealand’s Government Communications Security Bureau recently said, it is concerning that in a recent survey of major businesses in Australia, 43% of respondents said they did not report cyber incidents as they saw no benefit in doing so.
It can be inferred that published data are probably a significant underestimate of the true prevalence and cost of cyber events.
The Australian Government recommends four key mitigations for businesses, which it says may reduce vulnerability to cyber attack by up to 80%:
– Application ‘white-listing’: Allow only a defined list of applications to run on a network.
– Patching system vulnerabilities: Computer system vendors constantly release operating system versions containing new patches to address vulnerabilities as they are discovered.
– Patching application vulnerabilities: Similarly, applications like Java, PDF viewers and Microsoft Office release patches which should be installed.
– Restricting administrative privileges to operating systems in accordance with the user’s duties.
Lawyers play a key role in cyber resilience, which should enable them to participate actively, not merely after cyber events, but also in helping to increase the cyber resilience of the Australasian business community, and also cyber security – at least in relation to non-IT aspects of cyber security.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6ece1df5fe&e=20056c7556
FERC Takes Action on Cybersecurity in Response to Ukrainian Cyber Attacks
The Federal Energy Regulatory Commission (“FERC”) issued a Notice of Inquiry (“NOI”) and Final Rule at the end of July to address several urgent cybersecurity issues affecting the bulk electric system.
FERC is taking these actions in the face of increasingly sophisticated threats to our power grid, including in response to an actual cyber-attack against Ukraine’s electricity system last year.
In the NOI, the Commission seeks comments on possible modifications to the Critical Infrastructure Protection (“CIP”) Reliability Standards developed and managed by the North American Electric Reliability Corporation (“NERC”) pursuant to Section 215 of the Federal Power Act.
These modifications would require isolation between the Internet and certain critical cyber systems in control centers performing transmission operator functions “through use of physical (hardware) or logical (software) means.” The modifications would also require the use of application whitelisting for the same critical systems in all control centers.
Application whitelisting is a security practice in which only specifically authorized applications are able to execute on a particular computer.
In the Final Rule (deemed Order No. 829), the Commission directs NERC to develop a new or modified Reliability Standard concerning “supply chain risk management for industrial control system hardware, software, and computing and networking services associated with bulk electric system operations.” While the Final Rule provides NERC with flexibility as to how to meet FERC’s requirements, its new or modified Reliability Standard must meet certain minimum criteria.
This includes the creation of a plan by jurisdictional electric utilities addressing four security objectives: (1) software integrity and authenticity, (2) vendor remote access, (3) information system planning, and (4) vendor risk management and procurement controls.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9c90449b05&e=20056c7556
Healthcare cybersecurity market flooded with solutions
New analysis from Frost & Sullivan, US Hospital Cybersecurity Market: 2015-2021, finds that healthcare organizations are struggling to respond to an alarming increase in the incidence of data breaches and cyber attacks.
The industry has an urgent need to deploy new solutions and new approaches to address cybersecurity risks arising from the recent widespread digitization of health data via EHRs and the increase in the exchange of these data across dispersed care settings and computer endpoints.
Vendors serving the hospital cybersecurity market face a highly dynamic environment that offers many challenges and opportunities over the next five to six years.
Frost & Sullivan predicts that the total market for cybersecurity solutions deployed by US hospitals will grow at a CAGR of 13.6 percent between 2016 and 2021.
“Going forward, all health IT vendors serving the hospital market—and not just vendors of IT security solutions but application vendors as well—must recognize that the increased threat environment demands strong, baked-in security features,” said Fabozzi. “To ensure this capability, vendors need to innovate to survive, building or buying advanced functionality and next generation capabilities as the market moves from protecting the walled garden to protecting a vast connected perimeter.”
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6e1be8d99e&e=20056c7556
Cyber checklist is dead, long-live the new A-130
The requirement to reevaluate the security of IT systems every three years has been flushed from the governmentwide policy that for so long stood in front of agencies and inspector generals moving toward a continuous monitoring approach.
The Office of Management and Budget July 28 issued the update to Circular A-130.
“The revised circular also emphasizes and clarifies the role of both privacy and security in the federal information lifecycle.
Importantly, the revised circular represents a shift from viewing security and privacy requirements as compliance exercises to understanding security and privacy as crucial components of a comprehensive, strategic, and continuous risk-based program.”
The termination of the requirement to authorize IT systems every three years also finally puts to rest the challenges faced by agencies and auditors around the need to follow the existing policy of every three-year cyber reviews of IT systems while the reality of technology requires constant reviews.
“Agencies still must comply with all parts of the National Institute of Standards and Technology and that’s like asking agencies to comply with an encyclopedia,” he said. “If OMB, the IGs and the Government Accountability Office all read this in the same way that lets agencies make risk-based decisions, then it’s an important change.
But if auditors read this to mean agencies still must meet all parts of SP-800-53, then it continues to be a checklist exercise, and A-130 is just a statement of good intentions to move away from checklist.”
Forman said the lack of specific direction about who is in charge is the biggest concern he has about A-130.
He said the document talks a lot about bringing people together, but doesn’t clearly define the process for who has the final say or who is in charge.
In the circular, agencies can ask the OMB director for a waiver from meeting the requirements of certain sections of the policy.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ae90d46d8e&e=20056c7556
Threat Modeling in the Enterprise, Part 1: Understanding the Basics
There are several widely used definitions for threat modeling.
I prefer the one provided by Adam Shostack in his brilliant book, “Threat Modeling: Designing for Security.” He said, “Threat modeling is the use of abstractions to aid in thinking about risks.”
Threat modeling can help you generate a list of prioritized threats applicable to the system you are analyzing.
It can also inform the risk management process.
In addition to this obvious benefit, there are some not-so-obvious advantages you can draw from threat modeling.
In our practice, we often find that the clients are trying to implement commonly prescribed security controls without taking into account the specific enterprise context.
Penetration testing, for example, is a commonly misunderstood and prescribed assurance activity that will add little value in certain enterprise contexts.
Ultimately, threat modeling output supports the enterprise risk assessment initiative.
A well-developed threat model informs the control selection process and puts it in the context of the system-specific threats.
Threat modeling provides solid ground to build a better understanding of the possible attack vectors.
While no threat model is complete, it can be a good foundation for planning and executing different assurance activities (such as vulnerability assessments, penetration tests, etc.) if devised properly.
Devising a threat model of your enterprise system can be daunting.
Here are some tips to save yourself some pain.
Establish a work group composed of subject-matter experts — experienced people that design, use, support and manage the system.
Threat modeling a complex system is a time-consuming exercise and requires a lot of planning and coordination.
Don’t get disheartened; remember that your work group probably includes people with no formal threat modeling training, and they likely have their own workloads and operational priorities outside of the threat modeling effort.
Give everyone enough time to consider the discussion and support wherever necessary with the appropriate amount of guidance.
Keep your eyes on the scope, because it could very easily creep.
Make sure that you have the level of detail you want to address in advance.
If you have reached it, do not go further.
Moderate the work group discussions accordingly to save time and keep all participants focused.
There are different ways to build your threat model, and there is no magic, one-size-fits-all solution.
I would encourage you to follow your common sense and trust your experience.
No one else knows your environment and its peculiarities better than you do.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=33a79effa5&e=20056c7556
* Best practices in cyber vulnerability assessment
* Are Healthcare CISOs Suffering from Cybersecurity Solution Fatigue? An Expert Probes Some of the Issues
* Will Faster Payments Mean Faster Fraud?
* Accenture : Data theft, malware infection big threat to digital businesses
* Ponemon Institute: External Cyber Attacks Cost Enterprises $3.5M/year, 79% of Businesses Lack Comprehensive Strategies to Manage these Risks
* 2016 Malware Levels Now Stand at Nearly Four Times 2015 Totals
* Twitter Hacking and Social Media’s Risk to Executive Security
* Beyond Data: Why CISOs Must Pay Attention To Physical Security
* $2.7 Million HIPAA Penalty for Two Smaller Breaches
* Using compliance as a tool for change
* In the Breach War, File Protection Is Just as Important as Data
* Data security and breach notification in Finland
* ISO compliance in the cloud: Why should you care, and what do you need to know?
* Federal Privacy Commissioner Provides Submission on New Data Breach Notification and Reporting Regulations
* Breach notification reporting can be complicated without proper skills, tools
* Banks must do better on cyber security: KPMG
* Australia gets one-quarter of a minister for national infosec
* The Case for Continuous Security Monitoring
* Arbor Networks Releases Global DDoS Attack Data for 1H 2016
* 5 Best Practices for Outsourcing Cybersecurity
* Most CISOs and CIOs need better resources to mitigate threats
Best practices in cyber vulnerability assessment
Here are the best practices for cyber vulnerability assessment.
First and foremost you should have a very clear understanding of why you need a cyber vulnerability assessment.
Research other companies in your industry.
To know exactly which parts of your business structure need an assessment, you need to research your company’s processes with a focus on the systems that are critical to keeping your business running.
Once you’ve identified the systems that need an assessment, you should rank them according to both their importance to your overall business model and to the sensitivity of the information they contain.
Now that you know exactly which systems and software need an assessment and how they rank in terms of priority, you should make sure you’re aware of the security systems you already have in place.
If you’ve completely mapped out both your vulnerabilities and your already-in-place security, and your inter-departmental security task force is in agreement on what’s needed, you’re ready to perform your vulnerability scans.
If you did your homework on what you needed to assess and also on the vulnerability assessment tool you chose, then you should fully trust the results of your cyber vulnerability assessment and act on them.
Don’t wait.
Don’t second guess.
The assessment will produce recommendations for remediation that you should act on right now.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=217dab6362&e=20056c7556
Are Healthcare CISOs Suffering from Cybersecurity Solution Fatigue? An Expert Probes Some of the Issues
A recent Institute for Critical Infrastructure Technology report provided some intriguing thoughts about the pressure facing chief information security officers (CISOs) to keep their organizations secure and how they are combating information and vendor solution overload.
“Due to the plague of APTs, malware, ransomware and other malicious initiatives by invisible adversaries, few C-level executive positions are as critical as the CISO,” Scott writes.
In a recent report, James Scott, a senior fellow at the Institute for Critical Infrastructure Technology (ICIT), a Washington, D.C.-based cybersecurity think tank, points out that a well-informed CISO can improve the engagement of the C-suite and improve the cyber posture of the organization.
While the report offers a cross-industry perspective of the CISO role and the challenge of vendor solution overload, the report author does spend moments focusing on healthcare organizations, specifically in a section detailing how CISOs can assess the return on investment of cybersecurity solutions.
The report provides an interesting perspective about the need for CISOs to ignore the hype surrounding “silver bullet” solutions in order find the most effective cybersecurity solutions and strategies for their particular organizations, but at the same time, the report author also highlights the part that the vendor community plays in this problem.
“In many cases, CISOs operate under the unrealistic expectation that they should be able to prevent every breach with a finite budget.
They are expected to have enough technical expertise to develop a strategy to protect the business and enough business acumen to convince the board to adopt that strategy because it aligns with the goals of the organization,” he writes.
And, he asserts that modern CISOs tend to function more as Chief Information Risk Officers, managing the risk to data and technology.
According to the ICIT report, there is rapid burnout among CISOs, as the average turnover rate is 17 months.
“Vendor attempts to offer silver bullet solutions undermine the community at large and poisons the vendor-customer relationship.
The culture promoting these inadequate solutions distracts CISOs, technical personnel and solution developers from the risks and threats in the threat landscape and it distracts them from designing the right solutions to address the market needs.”
In the report, the author offers strategic recommendations for calculating a cybersecurity solution’s ROI and uses a healthcare organization as an example.
The ROI of security solutions can be equated to the fiscal component of the impact that the organization would assume if an adversary exploited the vulnerability that the solution addresses, the author writes.
The report concludes with statistics sourced from the Economist Intelligence Unit that indicates proactive CISO-led strategies can cut the success rate of cyber-breaches by more than 50 percent, hacking successes by 60 percent and ransomware infections by 47 percent.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1af4b297d4&e=20056c7556
Will Faster Payments Mean Faster Fraud?
Crowe contends that to ensure global payments interoperability, faster payments are a necessity.
The U.S. will soon be at a competitive disadvantage if it does not enable faster payments, she argues.
Parry says the most fundamental risk to payments is poor identity management.
And it’s a legitimate concern.
After all, poor identity management apparently enabled hackers to steal $81 million from the central bank of Bangladesh in February, as part of a fraudulent transaction that was approved by the Federal Reserve Bank of New York.
And in a real-time or near-real-time environment, once the money is gone, it’s gone.
Unlike in the United Kingdom, Australia and other economically advanced parts of the world, faster payments are not the norm in the U.S.
Crowe declined to touch the interchange issue. “Cost is not the No. 1 worry for the Fed when it comes to faster payments,” she noted during the summit.
The top concern, she says, is “a faster process that is still secure for business.”
The Secure Payments Task Force’s goals differ from the goals of the Faster Payments Task Force.
And the Secure Payments Task Force has identified four areas that must be addressed to ensure the ongoing security of the payments system in the U.S. going forward.
Faster payments will be part of that, but not all.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5546e3be25&e=20056c7556
Accenture : Data theft, malware infection big threat to digital businesses
The new report from Accenture and HfS Research says that 69 percent of respondents experienced an attempted or successful theft or corruption of data by insiders during the prior 12 months, with media and technology organizations reporting the highest rate (77 percent).
This insider risk will continue to be an issue, with security professionals’ concerns over insider theft of corporate information alone rising by nearly two-thirds over the coming 12 to 18 months.
The survey, “The State of Cyber Security and Digital Trust 2016”, was conducted by HfS Research on behalf of Accenture.
More than 200 C-level security executives and other IT professionals were polled across a range of geographies and vertical industry sectors.
The survey examined the current and future state of cyber security within the enterprise and the recommended steps to enable digital trust throughout the extended ecosystem.
The findings indicate that there are significant gaps between talent supply and demand, a disconnect between security teams and management expectations, and considerable disparity between budget needs and actual budget realities.
Despite having advanced technology solutions, nearly half of all respondents (48 percent) indicate they are either strongly or critically concerned about insider data theft and malware infections (42 percent) in the next 12 to 18 months.
When asked about current funding and staffing levels, some 42 percent of respondents said they need more budget f