Some IT security managers are struggling to keep up with threats such as Heartbleed and aren’t sure if they have been the victim of an attack, according to the latest Ponemon Institute report.
The report is based on surveys of 4,881 IT and security managers conducted during November 2013 in 15 countries: Australia, Brazil, Canada, China, France, Germany, Hong Kong, India, Italy, Mexico, the Netherlands, Singapore, Sweden, the United Kingdom and the United States.
There were 200 respondents from Australia. According to the findings, 43 per cent of Australian respondents said they had a “good understanding” of the threats facing their organisation, while 33 per cent admitted that their company had lost confidential information due to an attack.
Thirty per cent of those Australian respondents who had lost sensitive or confidential information did not know exactly what data had been stolen.
According to Websense Australia and New Zealand country manager Gerry Tucker, part of the problem is that cyber criminals are usually one step ahead of security professionals.
“If the security manager went to a [security threats] conference six months ago, that data is out of date. The other issue is that security professionals are so busy doing their day job, which is trying to keep the lights on,” he told Computerworld Australia.
According to Tucker, when threats like Heartbleed hit the headlines it “drives awareness” with executives.
“The challenge for security professionals is how they continue that level of awareness priority over time and have a program in place to deal with threats.”
To keep ahead of the cyber criminals, he suggested that IT managers look at security technology that is real-time based and can analyse the contents of data flowing in or out of an organisation.
“The areas that technology vendors need to be looking at is advanced malware, advanced persistent threats [APTs] and data security. They need to make sure they have solutions that are integrated.”
The report also found a disconnect between security managers and executives over the value of the 'crown jewels' — confidential data.
For example, 82 per cent of Australian respondents said their company’s executives did not equate losing data with a potential loss of revenue. However, according to the Ponemon Institute, the average cost of a data breach is US$5.4 million.
Centre for Internet Safety director Alastair MacGibbon said he was saddened by this statistic.
“If these [executives] don’t understand that a data breach is going to be causing harm to their organisation, they clearly don’t understand what it is going to be doing to the customers whose data it is. What saddens me is that we have had this discussion for such a long time.”
MacGibbon, who is based in Canberra, said that some security professionals ask him, “Why would anyone want our stuff?”
His response: “Are you serious? If we are having this conversation in 2014, that figure of 82 per cent of executives not equating loss of data with potential loss of revenue strikes me as a bit low.”
“I think the vast bulk of companies and public enterprises do not understand the value of the information they are holding. The crooks understand the value of the data quicker and more effectively than we have as the good people meant to be holding it,” he said.
According to MacGibbon, this disconnect extends to bugs such as Heartbleed.
“There are still some companies using OpenSSL software that have done nothing in terms of messaging to their consumers and trying to establish what the impact would be on their consumers,” he said.
“I see something like Heartbleed as an opportunity to remind businesses and consumers about good security.”
Follow Hamish Barwick on Twitter: @HamishBarwick