Survey raises questions about corporate cybersecurity
Are companies prepared to handle the increasingly prevalent risk from hackers? A new survey shows many security professionals aren't as confident as they used to be.
According to the survey, 2015 saw a sharp 12-point dip -- from 87 to 75 percent -- in the percentage of security professionals who said they were confident in their team's ability to pinpoint and respond to cybersecurity "incidents." Within that 75 percent, 6 in 10 respondents did not believe that their own staffs could handle anything beyond a "simple" incident. Fifty-nine percent said that less than half of their job applicants were "qualified upon hire" to handle cybersecurity matters.
The study is particularly startling given the escalation of high-profile hacks in recent years. From a ransomware attack on a Los Angeles hospital just last month to the infamous 2014 Sony Pictures hack, calls for governments and businesses to bolster their cybersecurity capabilities have been ringing loud and clear.
The joint study from nonprofit ISACA, which helps companies deal with ever-evolving IT demands, and the RSA Conference, the annual cybersecurity event being held this week in San Francisco, draws focus to concern that businesses across the board are not prepared to safeguard against attacks.
"The first takeaway from this study is that the cybersecurity skills gap is getting worse," Rob Clyde, ISACA international vice president, told CBS News. "People are less prepared and it's incumbent on us as an industry to develop our cybersecurity forces through skills training."
The study also pinpoints a disconnect between corporate management and the technology staff actively working to safeguard against attacks. While 82 percent of cybsersecurity and information security professionals reported that their company executives are concerned about security threats, only 14 percent of chief information security officers report directly to their CEOs. This may reveal a gulf between a company's knowledge of threats from the top-down and its actual preparedness to stay secure against those threats.
Even those "in the know" admitted being in the dark about some aspects of cybersecurity. The study found 24 percent of security professionals did not know if any of their company's user credentials were stolen in 2015, while 24 percent also reported that they did not know which "threat actors" compromised their companies' privacy. About 23 percent said they did not know if their company experienced a recurring advanced persistent threat (APT) attack. Additionally, 20 percent didn't know if any of their corporate assets were stolen by hackers for botnet use, which refers to Internet-connected computers that are compromised to forward viruses or spam to other connected computers.
Companies need to be vigilant given that 74 percent of security professionals say they expect to face a cyberattack in 2016, while 30 percent said they experience phishing attacks on a daily basis, according to a separate report from ISACA and the RSA Conference.
"The complexity in attacks is increasing. You have new technologies, the rise of the Internet of Things, machine-based learning, big data -- a lot of new technology that people have to think about. They have to think about the implications and the potential risks as well as the accelerating skill set among the attackers, themselves," Clyde asserted. "The attackers are continuing to improve their skills and they are better-funded by national states and organized crime, for instance. There's a lot of money at stake now."
The increasing level of sophistication among attackers is in stark contrast to the lack of "competence" among staff at combatting hacks at companies nationally and around the world, he said.
Discussion about the need of companies to rise to confront growing cyber threats was a focus of RSA Conference speakers. Brad Smith, Microsoft's president and chief legal officer, said it is crucial for businesses to keep in mind that protecting users' data is the top priority.
Smith cited four key principles that he said are at the center of Microsoft's mission: keeping user data secure, making sure that data is private and under user control, making sure data is managed in accordance with the law, and being transparent by letting users know what is being done with their data.
"We need to put them in practice as companies and as an industry," he told the RSA audience."We are truing to do that and focus on doing that every day."
Smith also said companies need to "evolve" as threats become more damaging and sophisticated.
So, what can companies do to ensure they are better prepared to handle threats? Clyde said presenting companies with real-world hacking scenarios is one of the most effective way to prepare them for attacks. ISACA provides cybersecurity nexus (CSX) training, which can give people in the industry real-environment training to know how to handle a hack. This kind of training is not widespread, and Clyde said it would greatly help companies if they had more immersive preparation.
Clyde stressed that it's important for businesses to remember that no company is too small to be a target.
"Smaller organizations do have particular challenges in that they can't have huge cybersecurity staffs," he said. "If you have 100 employees, you're lucky to have one or two cybersecurity staffers. That's the real challenge for smaller companies to have a basic understanding of cybersecurity and access tools that they need to keep themselves safe."