Surveys are a bit of a red rag to a bull as far as I am concerned, so I was quite prepared to have some fun with Cyren's IT Security in the UK: 2017 Business Survey when I was invited to its presentation on HMS Belfast recently. Well, I quite like Cyren's Internet Security as a Service idea, or I wouldn't have gone, but these things are usually thinly disguised hooks on which to hang a marketing message. However, in this case, I was pleasantly surprised.
So, what are the signs of a worthwhile survey? First, there was the impression Cyren gave that this survey was for its own benefit as much as for the audience's. This was evidenced not just by what its representatives said but also by the fact that one reason it gave for not changing questions was that it wanted to get a "time series" view of attitudes to information security, which necessitates asking the same questions each year.
It was also conducted by independent specialists (Osterman Research) and even the summary report contains some information about the survey methodology and targets:
- In-depth telephone interviews were used; adding some face-to-face interviews, to confirm that the survey questions were generally understood, might be useful, but would be more expensive;
- IT and security managers at 102 UK companies with 100-5000 employees (grouped equally into 100-1000, 1001-2500, 2501-5000) were surveyed.
Of course, any survey methodology can be criticised, and one would need to go back to Osterman Research to completely validate this one, but just providing basic information in the summary adds confidence - and there is more about the survey methodology and respondent demographics in the full report.
So, what does Cyren see as the key takeaways from its survey, beyond the fact that security problems are rampant (which we probably all know, although perhaps its reminder that small companies are just as much at risk as large companies is worth highlighting)? You'd better read the full survey (or Cyren's "key takeaways") for details, but here is my summary, with some of my thoughts.
People are most concerned about data breaches, ransomware and targeted attacks/zero-day exploits - and the ransomware infection rate at small companies with fewer than 1,000 employees is twice that at larger companies. This, I'd guess, probably corresponds to smaller companies having less formal procedures than larger ones. I see ransomware as a particularly insidious and disruptive threat - and probably especially career limiting for anyone identified as introducing it. Osterman did specific research on ransomware last year and has some good advice: "invest in good security awareness training. This is something that we've been looking at for a few years now and we've found that [companies that offer security awareness training at least once per year] are 75% less likely to get infected than companies that do it less frequently. Training is not foolproof, but it's a good first line of defence".
The greatest gaps in security, between threat and control capability, identified by respondents are:
- Targeted/zero-day attacks;
- The threat of data breaches;
- Botnet activity;
- Malicious activity from insiders (I suspect this threat may be widely underestimated too, but a survey would hardly show this); and
- Only 19% say their web security is inspecting SSL traffic for threats.
A good sign is that IT managers seem to be more concerned about the cost of infection than about the cost of protection, although just spending money on ineffective protection won't help much, of course. Managers rank features of security solutions such as ease of administration, visibility, and advanced security protection highly, which is good.
IT managers care more about stopping malware than about controlling employee web behaviour (aside from preventing access to pornography). The use of "shadow IT" is only a moderate concern for larger companies, and even less of a concern for smaller companies. This is perhaps an overlooked issue - discretely managed "shadow IT" is probably a good thing (it encourages a technically literate workforce) as long as you know about it; but if you don't, "shadow IT" may facilitate, for instance, the malicious activity by insiders that respondents identified as a concern.
The most important capabilities of new security tools, for respondents, are probably application control (but this is only considered extremely important by about half as many smaller companies as large ones) and Data Loss Prevention, which is popular in the UK (for both web security and email security).
Only a minority of respondents protect company-owned or BYOD mobile devices, or place gateway security on remote offices and guest Wi-Fi networks. The vast majority of respondents use endpoint protection on out-of-office laptops and to protect remote offices' web access. I think that this might not be enough.
Cyren, of course, wants more people, especially smaller companies, to invest in its Cyren Cloud Security platform - Internet Security as a Service - which is powered by its Globalview Threat Intelligence Cloud. Cyren claims that Globalview is "the industry's largest security network ...[processing]... over 17 billion web and email transactions generated by over 600 million users". In other words, its users benefit from more threat intelligence, drawn from more transactions and from threats that may be new to them, delivered in real time from the cloud. This is great - but always remember that security is a holistic, and largely a people, thing. Good technology solutions, such as Internet Security, are necessary but not sufficient. It is essential that you address the people and process issues around security, across the whole organisation, too.