Mark Birmingham, Director, Global Product Marketing, Kaspersky Lab
Every day, Kaspersky Lab talks to IT managers and C-level executives about the state of their business security. Our conversations have a lot of the same recurring security themes, but just like the businesses themselves, no two stories are ever the same. But what surprises me the most is how the knowledge of fundamental security realities can drop off once you get outside of the IT department. Below are five examples of common security realities, based on research from Kaspersky Lab and other expert resources, which any executive should take into consideration when building and maintaining a secure IT network.
Targeted attacks are real, but don’t lose focus on the basics
Even though targeted attacks are highly publicized and a predominant topic of conversation among corporate IT security staff, the majority of attacks on businesses originate from cyber criminals conducting mass-malware campaigns. These campaigns are often simplistic in nature and lack any high level of technical sophistication. Nevertheless, they account for the largest number of corporate IT security incidents. According to Verizon’s “2013 Data Breach Investigations Report,” 78 percent of initial intrusions were a result of these types of simplistic attacks.
So make no mistake: not all businesses will encounter sophisticated attacks aimed squarely at their business. However, they will absolutely encounter thousands of mass-distributed malware attacks that can wreak financial havoc if basic steps to secure the business aren’t properly implemented. Businesses can gain immediate value by implementing basic security practices, such as automated patching and application control combined with a reliable endpoint protection solution. In addition, educating employees about social engineering and phishing campaigns will strengthen your company’s security awareness, which will assist in decreasing your infection vector overall.
Vulnerabilities can remain open long after they are discovered
Software vulnerabilities are a huge source of opportunities for cyber criminals to breach a network, and the IT industry is in a constant struggle to discover and patch the unknown “zero-day” vulnerabilities. Though the number of zero-day attacks is on the rise, cyber criminals still make extensive use of known vulnerabilities. Kaspersky Lab has found that critical vulnerabilities can remain unpatched in businesses for months after they’ve been discovered and publicly announced. The average company takes 60-70 days to fix a vulnerability–plenty of time for attackers to gain access to a corporate network.
In fact, a security audit of European organizations conducted by Kaspersky Lab and Outpost24 found the window of vulnerability could be open much longer. A common baseline is for all critical vulnerabilities to be resolved within three months. But 77 percent of the threats that passed this three-month deadline were still present a full year after being discovered. The team even found known vulnerabilities in companies that had remained unpatched for years, in some cases up to a decade! This is akin to locking your front door but leaving windows open, and once again shows that even unsophisticated attacks on corporate networks can succeed without sophisticated zero-day exploits.
Employees Missteps–a Top Cause of Data Theft
Let’s take cyber-attacks out of the discussion for a moment, and focus on employees. Sometimes we get so focused on what’s outside our walls, we forget that a well-trained and well-educated workforce is a vital component of IT security. In fact, we’ve found that employee error is one of the main causes of internal IT security incidents which lead to the leakage of confidential corporate data. According to the findings of the Global Corporate IT Security Risks 2013 survey, conducted by B2B International in collaboration with Kaspersky Lab this past spring, approximately 32 percent of businesses reported data leaks that took place as a result of employee mistakes.
What types of mistakes are occurring? One-third of employee-caused security issues were caused by simple mistakes such as sending emails to the wrong address or opening malicious files. A similar number of incidents were caused by the loss or theft of an employee-owned mobile device. A slightly lower rate, 18 percent, was caused by employees making mistakes with their mobile devices, such as inadvertently texting or emailing documents.
The result? An average of 7percent of respondents admitted that employee actions were the root cause of leaks that exposed critically confidential information pertaining to company operations. Most often, leakages of critically sensitive data occurred when employees were at fault over the loss or theft of mobile devices—9 percent of respondents reported leaks stemming from improper use, loss, or theft of mobile devices.
Mobile Devices – Barely on the Radar
The previous section illustrated that mobile devices are a common source of security woe for IT administrators. Despite the frequent data loss associated with mobile devices, when coupled with the precipitous rise in mobile malware, our Global IT Risks Survey found that only 1 in 8 companies have fully implemented security policy for mobile devices. Even more alarming, we found that nearly half of the companies surveyed had no policy at all.
The use of IT security policies—internal corporate rules governing their use—for mobile devices, could greatly reduce the business risks associated with smartphones and tablets. Nearly half of businesses who did report having a mobile device security policy in place said that insufficient extra funds had been allocated for the project, with another 16 percent stating that no additional funds had been allocated at all. This data segues nicely into the final point.
Underfunded and Underpowered
The same survey found that 60 percent of IT decision makers feel that not enough time or money is allocated to develop IT security policies. As a result, barely half of the companies feel that they have highly-organized, systematic processes to deal with threats.
Fortunately, corporations have been spared the worst of this uncertainty. For example, in the perpetually-underfunded educational industry, only 28 percent of organizations are confident that they have sufficient investment in IT security policies. What is even more critical, only 34 percent of the government and defense organizations surveyed all around the world, claim that they have enough time and resources to develop IT security policies. The remaining two thirds are in constant danger of losing confidential governmental information.