Not to be alarmist, but WAKE UP, PEOPLE! Our information security is, in many ways, failing. In our sixth year of conducting the Global State of Information Security survey with PricewaterhouseCoopers, we got an earful about the challenges, worries and wins in security technology, process and personnel.
Quantifying returns on information security projects can be a struggle, often because it’s hard to put a dollar value on a crisis that was averted. This year, a weak economy means decision makers will squint even harder at ICT proposals.
Even so, the survey results show companies are buying and applying technology tools that include software for intrusion detection, encryption and identity management, at record levels. That’s pretty good news.
However, too many organisations still lack coherent, enforced and forward-thinking security processes, our survey shows. While 59 per cent of respondents said they have an “overall information security strategy,” that’s up just two points from last year and it’s not enough, says Mark Lobel, advisory services principal at PricewaterhouseCoopers. Two elements, Lobel says, correlate with lower numbers of security incidents: Having a C-level security executive and developing the aforementioned security strategy. But disappointing numbers piled up this year.
For instance, 56 per cent of respondents employ a security executive at the C level, down four points from 2007. You comb network logs for fishy activity, but just 43 per cent of you audit or monitor user compliance with your security policies (if you have them). This is up six points from 2007, but still “not where we need to be”, says Lobel.
As a result, security is still largely reactive, not proactive. More sophisticated organisations will funnel data from network logs and other monitoring tools into business-intelligence systems to predict and stop security breaches. So, along with encryption fanatics and identity management experts, an infosec team needs statisticians and risk analysts to stay ahead of trouble and keep the company name off police charge sheets.
With our survey pinpointing the problems, we also see a path to securing data for companies that apply technology and also develop processes and make them part of the everyday work of all staff. So it’s not all grim. What we have to do now is examine where companies are failing, then act.
The big picture: Technology reigns
Money really is power, isn’t it? When asked to indicate any sources of funding for information security, 57 per cent of survey respondents named the IT group and 60 per cent cited functional areas such as marketing, human resources and legal as major providers. Just 24 per cent indicated a dedicated security department budget.
With the IT group a strong force, technology becomes the answer to many security questions. ‘To someone with a hammer, everything looks like a nail’, as the saying goes. Divert potential phishing attacks with spam filters. Stymie laptop thieves by encrypting corporate data.
If there’s a security tool out there, our survey pool uses it.
Companies now realise they must do a better job disposing of outdated computer hardware, for example ensuring disks are wiped of data and applications. Sixty-five per cent of respondents now have tools to do that, up from 58 per cent last year. More organisations than in previous surveys are now encrypting databases (55 per cent), laptops (50 per cent), backup tapes (47 per cent) and other media. Use of intrusion-detection software also is up: 63 per cent this year compared with 59 per cent in 2007. And installing firewalls to protect individual applications, not just servers and networks, increased to 67 per cent from last year’s 62 per cent.
That’s a good result.
However, despite these technology-oriented gains, disturbing trends continue in the areas of security processes and personnel, some of which negate any protection an IT budget can buy. For example, encrypting sensitive data makes good sense, yet such technology can’t stop an employee from flouting policies concerning how that data should be handled.
If the goal is to secure information, to make it truly safe, you’d better develop processes and procedures that put your nails in the right place before whacking anything with a technology hammer.
Technology must be part of a larger plan to secure information, says Dennis Devlin, chief information security officer at Brandeis University in Massachusetts, US. He reports to Brandeis’ vice-president and provost for libraries and information technology.
Criminal activity is the focus of a lot of what Brandeis University does in information security. Lock down the wi-fi to keep out the bad guys, Devlin says, though well-meaning people who make bad decisions also inflict untold numbers of security incidents on the university.
For example, employees sometimes fall for email scams and open attachments, unleashing malicious software such as keystroke loggers that record passwords or rootkits that give an attacker hidden control of the operating system.
Devlin says the job of security managers is to teach self-defence. Rather than warn employees to watch out for the latest email scam bearing a specific subject line, for example, the idea is to teach people broader lessons about the risks of clicking on unfamiliar URLs, opening attachments or handing over Social Security numbers to anyone online, he says.
“It’s not possible with technology to protect every individual from every possible security risk,” he says. “Our job is to teach people to think the way we think.”
Like Brandeis University, more organisations seem to be trying that. This year, 54 per cent of survey respondents said they provide employees with security awareness training, up from 42 per cent last year.
However, what’s taught at many organisations provides only a veneer of security, namely, compliance with government or industry regulations.
Regulations and industry mandates in other countries, such as the US Sarbanes-Oxley Act for financial reporting and the Payment Card Industry Data Security Standard (PCI DSS) for cardholder data, ensure that executives take action. The threats of fines and jail time tend to do that. For example, 44 per cent of respondents say they test their organisation for compliance with whatever laws and industry regulations apply, up from 40 per cent last year; 43 per cent say they monitor user compliance with security policy, a healthy increase from last year’s 37 per cent. Assessing internal risks to compliance is something 55 per cent are doing, up from 49 per cent.
However, let’s not pass around ‘attaboys’ too quickly. Note that even with such positive steps, those numbers are far from 100 per cent. Many organisations aren’t doing much beyond checking off the items spelled out in regulations — and basic safeguards are being ignored, says Karen Worstell, a managing principal at the consulting firm W Risk Group and a former chief information security officer at Microsoft.
She says adhering to regulations and standards doesn’t amount to thorough security policy for many reasons. For one, organisations can sometimes pass compliance audits simply by writing up policies, without demonstrating how they adhere to them. Other times, the standard or regulation may have holes.
PCI, for example, mandates that a firewall be installed to protect cardholder data. But Worstell says the standard doesn’t address whether a company has processes to ensure that once a piece of technology is installed, it’s regularly upgraded or monitored to see how effective it is. “If security stops at PCI, that’s not enough,” she says. The US-based Hannaford Supermarkets experienced the theft of customer credit and debit card data from December 2007 to last March, a period when the grocery chain was certified compliant with PCI, “the highest security standards required by the credit card industry,” the company says.
Neither is it enough if security monitoring stops within your own four walls. But that’s exactly what is happening. A dirty secret uncovered in this year’s poll reveals companies don’t know, and apparently don’t care to know, what happens to their data once they hand it to another company. Get ready to be disturbed.
Outsourced out of sight, security out of mind
Here’s one of the most worrisome of our findings this year: A skimpy 22 per cent of respondents keep an inventory of all the outside companies that use their data.
If that isn’t enough to make you wince, we’ve got more. Just 37 per cent of our survey respondents require third parties handling the personal data of customers or employees to comply with their privacy policies. Even fewer — 28 per cent — perform due diligence on those third parties to understand how or whether they safeguard information. Yet 75 per cent of respondents profess at least some level of confidence in the effectiveness of their partners’ security. Isn’t that rosy?
Yet due diligence on any outsiders that handle your data is more important than ever, as companies parcel out corporate work of all sorts to third parties, says Tom Bowers, managing director of Security Constructs, an industry analysis firm specialising in trade-secret protection technologies. In that respect, pharmaceutical companies can teach other industry verticals a great deal, he says.
Bowers was senior manager of global information security operations at Wyeth Pharmaceuticals for seven years before starting Security Constructs. His security group subjected potential Wyeth business partners to detailed scrutiny of their security practices. He had to. “We were responsible for protecting intellectual property no matter where it sat. Here [in the US] or with an outsourced clinical trials company in Dublin. Or wherever.”
Companies skip this security check, though, because it’s expensive and time-consuming, says PricewaterhouseCoopers’ Mark Lobel. Checking out a partner’s security and privacy practices would take at least one full-time employee at least two days for the smallest company, he estimates. “A large company may have literally thousands of partners.”
Protect information, not just systems
Where data is and where it’s going constantly worries information security managers. Thirty-eight per cent of the managers we surveyed said they experienced one to 49 security events in the past year, while another 35 per cent say they don’t know whether they have been hit. Those figures are close to last year’s results.
Among those in our survey who experienced incidents, 39 per cent found out about them via server or firewall logs and 37 per cent used intrusion detection or prevention systems. But a significant number — 36 per cent — say a colleague clued them in. These figures reflect an unchanging trend, showing that the human element is just as important as any technological one when it comes to good security. This is more evidence of the need for diligent and repeated employee training.
Investing employees with responsibility for keeping data correct and protected is the best way for a company to guard against security threats, says Tim Stanley, CISO at Continental Airlines.
Stanley wants to categorise every file in the enterprise by three variables: Owner, business value and risk level. The US government has “top secret”, “secret” and “confidential” ratings, but Continental’s designations will be more granular and dynamic, using tiers and subsets of tiers. Thinking this way vaults Continental ahead of most companies. Just 24 per cent report that classifying the business value of data is part of their security policies. And while 68 per cent classify their data according to risk level at least some of the time, 30 per cent never do it at all.
The complexity of such a project explains the low numbers, Lobel says. “Doing this project is a lot of effort, and unless there’s a regulatory need for it many don’t do it.”
This takes us back to money
With security budgets averaging $1.7 million, an optimistic 44 per cent of those surveyed said their information security spending would increase this year, while 4 per cent expected a decrease. Where will the money go? We see glimmers of hope. Top priorities in the coming year include hiring information security consultants and hiring a chief information security officer. Respondents also plan to develop security procedures for handheld devices and create an identity management strategy. They expect to invest in technologies including biometrics and tighter access controls on sensitive data, and are considering data-leakage prevention and security event correlation tools that analyse which defences are working and which are not.
These steps, Lobel says, will get companies closer to a comprehensive security strategy. Already, he notes, 40 per cent of organisations use security as a marketing point, usually soliciting business on the grounds that they protect customer data better than their rivals. “But it’s only a competitive advantage if it works, if it’s good security.”
The New Zealand results: Making Kiwi security fly
Compared with other countries, New Zealand has fewer information security incidents involving current and former staff. But that is just one aspect of the country’s overall state of information security.
The 6th Annual Global State of Information Security Survey notes a country lagging behind, with information security not taken as seriously as elsewhere, helped in part by fewer compliance requirements and a “she’ll be right” attitude.
The survey, conducted by PricewaterhouseCoopers (PwC) in conjunction with CIO and CSO magazines, polled more than 7000 IT executives in 119 countries, including 90 in New Zealand, on more than 40 issues. Respondents came from a range of industries including defence, agriculture, finance, retail, government, health and education.
The survey finds a third of New Zealand enterprises have no specialist IT security staff, and that information security typically focuses on disaster recovery and business continuity.
A quarter of New Zealand respondents conduct an enterprise risk assessment once a year, with 23 per cent conducting it twice a year or more. But 22 per cent do not conduct one at all, or do so less than once a year.
Compared with the global figures and with Asia, fewer New Zealand enterprises employ a chief privacy officer, or specialist CSO or CISO or information security consultants. For instance, only 19 per cent of New Zealand enterprises have a chief information security officer, compared to the global average of 28 per cent and the much higher 38 per cent in Asia. Thirty-five per cent of organisations have dedicated people to monitor staff internet use/information assets, compared with 44 per cent in Australia and 63 per cent in Asia.
Spending up, but just a bit
The security spend is stable (with 42 per cent of New Zealand organisations saying the figure will stay the same and only 1 per cent saying it will decrease) or growing slightly, with procedures typically involving data encryption, access controls, web security and monitoring for threats. Anti-spyware and anti-adware tools, intrusion detection tools and vulnerability scanning are common technologies used.
Business continuity (74 per cent) and company reputation (47 per cent) are the main factors driving security spending. (See graph B “Why companies care” on page 24 for business drivers for security spending by both New Zealand and overseas companies.)
While globally, 22 per cent of respondents outsource their overall information security strategy, the figure is lower — at 17 per cent — for New Zealand. But 38 per cent of New Zealand companies outsource their intrusion detection and half outsource their patch management.
A third of New Zealand respondents say they had no security incidents in the past year, with the biggest group (16 per cent) saying they had one to two incidents. One respondent, however, admitted to more than 100,000 incidents in the past year, while 35 per cent (the same as the global average) stated they don’t know if there were any incidents.
Almost 30 per cent of security breaches came from staff, which was slightly lower than Australia and well below the 45 per cent reported in Asia. Few attacks (below 10 per cent) came from customers, suppliers, terrorists or service providers. More than in other countries, almost half of attacks came from unknown sources (see Graph C “Ignorance isn’t bliss” on this page).
The survey also noted most IT bosses saying their security breaches cost nothing or under $10,000, though one respondent said a security breach cost it over $20 million. Some 52 per cent of the local respondents (more than elsewhere) said application systems had been affected and 43 per cent (more than elsewhere) said such attacks compromised confidential data. Most reported either no downtime or only a couple of hours, though 4 per cent said their systems were taken out for more than five days.
A fifth of local respondents say the company’s security policies are “completely aligned” with its business objectives, while nearly half (43 per cent) feel they are “somewhat aligned” to the business.
Jan Smolinski, PricewaterhouseCoopers New Zealand partner, points to the lower priority local enterprises give information security, citing for instance the employment of fewer security specialists than the global figures show.
He says security should not be seen as a business expense, but a business enabler. Making sure what they have works also counts more than the newest technology, he notes.
Security is not just part of the IT function but the wider business, needing involvement from other departments like HR to update security policies and learn lessons from any incidents. “It’s not about increasing the security spend, but increasing security as part of the business initiative. Security is part of the project, not an add-on,” he says.
Though fewer New Zealand companies outsource their information security compared to the other regions, Smolinski advises heads of ICT to clearly stress what they expect from the provider in terms of security, with the ability to audit or check the partner.
DMZ Global, the security division of TelstraClear, is one such partner. General manager Adrian van Hest says India surpassing US companies on security efforts is not surprising, as it has driven the growth of technology in the region. (According to Mark Lobel, a principal in the advisory practice of PricewaterhouseCoopers, companies in India have reported strong, consistent, double-digit gains across virtually every security domain and have taken a strategic approach to security. This trend is expected to continue as the Indian companies report a rise in security spending over the next 12 months.)
New Zealand lags through lack of exposure, a do-it-yourself mentality and scarce resources, says van Hest. But, he points out, New Zealand’s position on the globe means it can be the first to suffer dated threats.
Fortunately, New Zealand’s relative isolation and small community foster co-operation rarely seen elsewhere, be it within industries or between industry and government. Thus New Zealand has botnet taskforces, anti-spam programmes with the Department of Internal Affairs and the annual Cyber Storm exercise (an international cyber-security exercise coordinated by the US Department of Homeland Security).
“It’s not impossible to get the people in a room and talk,” says van Hest. “Channels develop, as you know the right person to talk to in future. There’s a sense of working together for the greater good.”
The government in New Zealand has a greater role than elsewhere, as it owns players like Kordia, the KAREN network, and has funded initiatives on information security. These government initiatives drive awareness of security as an issue, he states.
Van Hest says security is a matter of economics, compliance should be seen as a business requirement and process counts as much as technology.
“It’s about the information assets and what they are worth to a company. There are tools that quantify that. They are your key process and how your business runs. You should associate a value to that asset. Once you can do that, you can spend appropriately,” he says.
Systems integrator Gen-i agrees, saying security is an investment to protect business assets, like information, and more need to realise the value of secure online trading as a core business function.
Ron Murray, Gen-i head of outsourcing, confirms that fewer compliance regulations mean New Zealand companies lack the more mature, more measured, clearly defined goals that security has among overseas businesses.
“All security decisions are a trade off. The challenge is, how fine do you cut it? Security is a weakest-link problem. You only need one weak link for the attacker to exploit,” notes Gen-i principal consultant David Hunter.
Murray warns impending tougher times will increase the risk of white collar crime, fuelling a need for improved logging and auditability of staff transactions and interaction. Such auditing might need outside skills, he says.
Richard Feist, managing director of security specialist Blue Secure, says security should be seen in risk terms, and is about people and processes. “We need to start measuring security with a proper well thought out set of metrics. Until we do this, we have no way of understanding what’s happening or if what we are doing is making a difference.”
Feist says security needs C-level responsibility and warns further compliance is coming. “Develop a strong method of gathering governance, policies, processes and metrics. Develop a strong method of gathering business requirements and feeding it through the governance to deliver the security controls your business requires, while being able to report continuously as to why and how effective you are,” he advises.
Identity management, network access control, governance and metrics are the most common issues facing IT bosses. While identity, authentication and access control needs are becoming stronger and more pervasive, e-crime is increasing, helped by greater use of social networking technologies and service-oriented architecture (SOA) that don’t fit traditional controls, says Feist.
Out in the marketplace, what do we see? For ASB Bank’s Peter Mugglestone, group manager of online business, it is about looking at systems, processes and technology, and seeing security as a key enabler for many products and services.
“ASB operates a comprehensive defence in depth strategy involving security management frameworks, sophisticated back-end controls, monitoring tools, customer facing tools such as encryption and two-factor authentication and awareness and education for our customers,” says Mugglestone.
“The bank continues to update its security to meet the changing demands and threats. The threats have broadened to include remote, electronic attempts to defraud as well as the traditional types of fraud that people have tried ever since money was invented.”
Mugglestone declines to discuss specifics, though he confirms the bank has a specialist information security team and an operational security team, adding that security is well understood and supported by ASB executives. “We are constantly monitoring new and emerging threats in order to keep our customers safe.”
Fairfax Business Research New Zealand prepared the graphs for this article using data from IDC.