Security is being held back by the lack of IT staff
A recent survey by Forrester Research shows that the lack of qualified security staff is one of the main reasons IT managers cannot successfully secure the enterprise. Their survey of over 2,000 IT executives in the US, UK, Canada, France and Germany found that one of the key problems behind corporate IT security is getting qualified staff to do the job. Almost half of the IT managers in the US and Europe are dealing with this issue.
“Security leaders feel that they simply don’t have enough staff to carry out day-to-day tactical activities while adjusting to major business and IT shifts and changing threats,” said Forrester principal analyst Khalid Kark.
Cyber criminals change targets – small fish are easier to catch?
Security experts have their eyes turned on Europe as the number of cyber crime operations emanating from here is growing. In the first half of 2010 Europe surpassed Asia and the Americas in producing web-based threats.
One reason for the rise of European-based threats might be that the Chinese Government has forced its local ISPs to curb illegal activities there. This policy is apparently one of the reasons for the migration of cyber criminals to Eastern Europe.
UK cost cutting trend affects information security spending
Although C-level management recognizes the importance of information security, companies all around the UK plan to reduce their information security costs. This rumour is backed up by a survey released by PricewaterhouseCoopers (PwC), which states that budget increases for information security are a priority for less than one third (31%) of UK-based companies. The international average is 52%.
The importance of a strategic approach to information security is increasingly understood at the majority of senior levels despite stringent budget and cost reductions. A statement by William Beer, director of PwC’s OneSecurity practice, shows that high-profile incidents in this field, such as the one that led to a fine of £2.3m paid by Zurich Insurance, have helped those senior levels acknowledge the importance of information security.
The real cost of a security breach: 1 to 53 million USD per year
If you had any doubt that security breaches cost companies a lot, it is all clear now – the damages companies have to deal with after one breach are overwhelming! According to recent reports by the Ponemon Institute, organizations get hit by at least one successful attack per week, and the annualized cost to their bottom lines from the attacks ranges from 1 million to 53 million USD per year. The reports were based on the analysis of 45 U.S. organizations hit by data breaches.
The Ponemon Institute released two separate reports, “The First Annual Cost of Cyber Crime Study” (PDF), which was sponsored by ArcSight, and “The Leaking Vault” (PDF), released today by the Digital Forensics Association, both showing troubling findings for companies’ finances:
SMBs start taking security seriously
Tired of being the main target of cybercriminals and other mean characters of the virtual world, SMBs are reconsidering their stance on security and starting to seriously apply it to their corporate infrastructures. These are the findings of a new survey conducted by Applied Research and published by Symantec. The new report shows that SMBs’ views have drastically changed over the past year, leading to more spending on IT security and giving security policies a higher priority.
“Last year when we conducted this survey, a lot of SMBs were very confident in their security posture, but they weren’t always clear on the threat,” says Monica Girolami, senior product marketing manager at Symantec, who worked with Applied Research on the study. “This year they realize that they have gaps in their security stance, and they’re getting more serious — in fact, they rated data loss and cyberattacks as their top risks, even above natural disasters.”
Data breaches cost more in the US
Companies, beware! Data breaches do cost a lot if you’re operating in the US. A recent study conducted by the Ponemon Institute shows that a data breach occurring in the US could cost twice as much as a similar incident in a different country with less stringent disclosure and notification laws. Yet the US is not alone in this: in all countries that have strict rules related to data security and what should be done in case of a breach, the total cost goes up.
After comparing data breach costs in five countries, the United States, the United Kingdom, Germany, France, and Australia, the study concluded that in the U.S., due to the fact that 46 states have introduced laws that require organizations to publicly disclose the details of breach incidents, the cost per lost record was 43% higher than the global average. The second most expensive country is Germany, with a cost per lost record 25% higher than the worldwide average. Australia, France, and the U.K. have no data breach notification laws, so their costs were all below the average.
“A big reason for [the high cost of churn in the U.S.] is that U.S. companies are required to notify customers of their breaches, even if they only suspect that the customers’ records might be affected,” Ponemon says. “That sort of notification doesn’t happen anywhere else in the world.” Notification accounts for $500,000 of the $6.75 million that the average U.S. company spends on a breach, according to the study; the average French company spends only $120,000 on notification.
The Ponemon study breaks breach costs into five components: detection, escalation, notification, post-breach response, and customer churn (losing customers after the breach and replacing them with new ones). Of the five components, customer churn is the highest cost, accounting for 44% of breach costs worldwide.
Study by KPMG sees “Business crime on the rise in Germany”
As many as 37 percent of German companies were the victim of economic crime in the last three years, a new study has found. Internet fraud and the theft of business secrets have become a particular problem.
The use of high-capacity USB flash drives has made it easy to steal even the most complex business or construction plans in just a few seconds.
A USB Thumbdrive is all that’s required to steal valuable information.
A new study carried out by the German research institute Emnid for the financial services firm KPMG has found that criminal methods are being used more and more often in the ruthless and competitive world of business.
The survey, which took in 375 companies of all sizes, found that around one in three companies had been the victim of business crime. Two thirds of the companies surveyed also expected the level of criminality to rise.
The biggest economic crimes remain fraud, theft, embezzlement and breach of trust, but money-laundering and the forgery of accounts and financial information have all risen since the last survey was carried out in 2006.
Ignorance breeds carelessness
According to KPMG spokesman Frank M. Huelsberg, companies still need to be more aware of how crimes operate. “Despite these alarming results, small and medium-sized companies are particularly prone to underestimate the danger of falling victim to crime,” he said.
Fifty-six percent of the employees surveyed said that their company was less likely to be a victim of economic crime than a major corporation, while 76 percent believe they have made adequate security arrangements.
“Privately- or family-owned companies like to put their trust in their employees. But that makes them vulnerable,” Huelsberg said, “Experience shows that basic security mechanisms are often neglected in such companies.”
Third-party threat
In 62 percent of economic crimes involving small and medium-sized companies, employees conspired with an external third party. This figure is only 40 percent with large companies.
The theft of business or operational secrets is a growing threat, according to the study. A third of small and medium-sized companies have been a victim of such theft, the study said.
“The sale of sensitive information to competitors or criminals is particularly strong in times of economic crisis,” Huelsberg says, “Nowadays even the most complex construction plans fit on a USB stick. Data theft and industrial espionage can be child’s play if security fails, and the loss of sensitive designs or formulas can be fatal for a small, innovation-based company.”
Read the entire article here on DW.
Security pros expected to be in high demand for hiring
With chief information officers planning to increase hiring, even if just a bit, in the first quarter of 2010, who they are looking to hire is the next big question. And according to a recent survey, they are making the right choices, as security professionals are among their high priorities, together with networking and application development personnel.
Robert Half Technology interviewed 1400 US CIOs to reach their results, which predict a net 3% increase in IT hiring activity, spread across companies of all sizes in Q1 of 2010. The net increase was reached after putting together the 7% who expect additions to their staffs with the 4% that expect reductions.
The health services industry stands out as a bright spot in the hiring report, with 16% of health services CIOs planning to expand their IT departments and just 3% planning cutbacks. Many health services CIOs pointed to increased staff needs stemming from the development of enterprise-wide applications.
I wonder if the high demand for IT pros at health companies has anything to do with all the security breaches and data loss or theft of the past year or so… I bet it does!
Most employees would steal data. Companies worry, but do nothing
If any manager out there was still wondering if their employees would actually steal company data, the answer is here. Yes, they would, although they know it’s illegal. And while most companies know the main threats that can lead to data theft are insiders, they do little to nothing about it. This is the Dark Reading conclusion after putting together two separate surveys conducted by security vendors.
One of the surveys covered over 600 employees from the financial districts in New York, USA, and London, UK. A lot of respondents admitted they had no problem taking work home and then keeping it for their own benefit. While the overwhelming majority knows this would be illegal, some had already taken confidential data to a new job and others said they would share such data at any time with friends or family if that would help them get hired in a better position. There are also those who would take the private data just in case, as a long-term insurance policy.
One third of federal IT security pros face cyberthreats on a daily basis
If you’re wondering how many cybersecurity threats a federal agency faces on a daily basis, a new survey has the answer to your question. At least one, each day, every day. About a third of the IT professionals employed by federal agencies say they experience at least one cybersecurity incident each day, be it external attack, malware, lost device, inappropriate employee access, or other threat.
When one considers that at least a few of these 31% work for the same agencies, the numbers are troubling. The frequency of such problems is at the same level or slightly higher than last year for most survey respondents, and their severity has remained about the same. The top issues of this year are malware (33% of respondents), inappropriate employee activity or network use (25%), managing access for approved remote users (25%), and data encryption (23%).
As most of the participants find a solution to this problem in acquiring new, better performing cybersecurity solutions, and as many agencies already make efforts to buy such technologies, it comes as no surprise that market research firm Input, quoted by DarkReading, says federal cybersecurity spending will increase 48% from USD 7.9 billion this year to USD 11.7 billion in 2014. And the shining stars of this future wave of investments are a USD 1.5 billion cybersecurity data center currently being developed by the National Security Agency and a cybersecurity operations center recently opened by the Department of Homeland Security.



