As thousands of security professionals descended on Olympia London for the first day of Infosec this week, vendors were busily announcing fresh research into the state of the threat landscape. We’ve rounded up the key highlights.
The insider threat is even greater than we thought
Security companies have been warning customers about the risks their employees pose for years, but new research commissioned by Deep Secure reveals the true scale of the threat. A survey of 1,500 people carried out on behalf of the vendor found that nearly half of British workers would be willing to sell corporate data to external parties and one in four would do so for just £1,000. “The insider threat is far greater than many businesses would have believed,” Deep Secure chief executive Dan Turner told NS Tech. “We were quite shocked [by the findings].”
Insiders use a number of simple methods to extract data from their networks, from printing, handwriting and photography through to email, cloud hosting and USB drives. But the use of more sophisticated techniques, such as steganography and encryption, also appears to be increasingly common. Eight per cent said they had used some kind of covert cyber tool, but this rose to 13 per cent in the IT and telecoms industry and 15 per cent in HR.
Dark net vendors are targeting FTSE 100 companies
Criminals who lack the technical expertise to hack into major British businesses can now buy their way in instead. According to a study commissioned by Bromium and carried out by Dr Mike McGuire, a criminologist at Surrey University, four in 10 dark net vendors are now selling targeted hacking services aimed at FTSE 100 and Fortune 500 businesses.
“Almost every vendor offered us tailored versions of malware as a way of targeting specific companies or industries,” said McGuire. “The more targeted the attack, the higher the cost, with prices rising even further when it involved high-value targets like banks. The most expensive piece of malware found was designed to target ATMs and retailed for approximately $1,500.”
Downtime is costing big business tens of millions a year
Poor data management can have a dramatic impact on business revenues, according to research by the cloud backup specialist Veeam published this week. The vendor surveyed around 1,500 business and IT leaders working at enterprise-level companies in 13 countries for its latest cloud data management report. It found that downtime costs big British businesses $26m annually in terms of lost revenue and productivity, significantly more than the global average of $20.1m.
“The major finding of the research is just how unprepared most businesses are for unplanned outages,” said Veeam’s Mark Adams. “Up-skilling and having people capable of fixing these issues is vital.”
Security professionals are more stretched than ever
The cyber skills shortage has been a common theme at Infosec in recent years, but despite industry and government initiatives to address the issue, security professionals are more stretched than ever. A survey of 300 security workers in British organisations employing more than 500 people found that 70 per cent have considered quitting their jobs because they do not have enough resources to stem the tide of attacks. One in two warned that staff shortages were the biggest threat to their defences.
“It’s no secret that companies of all sizes have been having a hard time finding qualified personnel to manage their often-overwhelmed security operations,” said Ed Macnair, the chief executive of Censornet, which carried out the research. “We can hardly be surprised that 74 per cent of cyber security professionals describe themselves as ‘very busy’, but it is worrying that technology isn’t yet helping to solve the problem.”
The low level of cyber maturity in the UK critical infrastructure sector is going to “take time to resolve”
It’s just over a year since the EU’s Network and Information Systems (NIS) Directive was incorporated into UK law. So what impact has it had so far and how is it set to change the UK’s critical infrastructure in the years to come?
“There is no doubt that the directive has positively impacted organisations’ awareness and willingness to invest in cyber resiliency,” says Tony Atkins, regional director for Northern Europe at Nozomi Networks. “However, there remains a degree of naivety within the industry regarding the scale of the problem and the resources required to implement and maintain an OT cyber security program.”
Atkins adds that many organisations “with large distributed estates, varying technology and architectures that have grown organically over time are tending to struggle with NIS compliance”. They simply do not, says Atkins, have “sufficient budgets, timescales, skills and resources to be able to deliver a security program into these environments”.
To compensate for this, businesses should “assign roles and responsibilities” for cyber security, says Atkins, and provide “dedicated resources to develop a cyber security management system” for whatever most urgently needs protecting.
The public wants the police to do more to fight cyber crime
Despite a number of high profile takedowns in recent years, the public wants police to do more to catch cyber criminals. A YouGov survey of 2,000 Brits commissioned by Palo Alto Networks in collaboration with Dr Jessica Barker, an expert in the human nature of cyber security and the co-founder of Cygenta, found that 40 per cent of people would feel safer if more cyber criminals were caught and punished. “Because cyber crime is global it’s really hard to deal with that on a state-by-state level,” Barker told NS Tech.
The issue has to be dealt with globally, and yet police forces often lack the resources they need to catch hackers. One of the key issues, said Barker, is that law enforcement agencies can’t keep up with industry pay scales. “The private sector,” Barker added, “is very attractive if you’re a cyber security professional.”
New legislation could improve connected device security
In May, the government unveiled plans for new legislation designed to improve the security of connected devices. The law would establish a voluntary labelling scheme, make unique passwords mandatory and provide a public point of contact for vulnerability disclosures.
Laurie Mercer, a security engineer for the bug bounty platform HackerOne, welcomed the move. “Security experts have been warning for years about the security risks introduced by insecure [connected devices],” he told NS Tech. “Knowing about security vulnerabilities through a Vulnerability Disclosure Policy (VDP) is an important way to identify and rectify security vulnerabilities within products and services as part of the product security lifecycle.”
Older people feel confident in their ability to protect themselves online
While seven in 10 people told YouGov they are “confident they are doing all they can to protect themselves from data loss”, the figure rises to 76 per cent for those aged 45 and over and falls to 57 per cent for those between 18 and 24.
Barker proposed a number of possible explanations. “Younger people may have more accounts and more to manage online, while older people are more likely to have been through training and awareness at work. Or it could be that young people know more about what they should be doing and they’re conscious they’re not doing it.”