London, February 10 - According to a new cyber security study and white paper from Protiviti (protiviti.com), the global consulting firm, companies operating in Europe should be doing more to protect themselves adequately from cyber threats.
Within enterprises, privileged IT accounts with elevated levels of access represented a particular cause for concern. The study of IT and security practices of businesses across Europe reveals a high level of complacency about the risks associated with privileged access, in particular in relation to privileged accounts used for IT support. Seventy percent of firms interviewed in the study place other security priorities higher or – despite acknowledging cyber risks – decline to take action.
Danger from within
In addition to privileged IT user access management, the study found that most organisations have severely underdeveloped security solutions for data loss prevention, cyber security incident management and response. Such solutions will typically have a critical role to play in managing authorised access. Over 60% avoid ‘mature’ solutions (those with proven effectiveness) and instead rely on trust for privileged IT user security.
In spite of the associated enterprise-wide risks, none of the companies in the study operated a fully protected, highly mature, privileged user access management structure. The findings are even more alarming given that the study included a number of organisations in higher-risk industries that make significant investments in security and are accountable for protecting sensitive financial information and personal customer data.
Other key findings: Complacency and poor planning
- Only approximately 30% of participants had invested in the technologies that help improve security across each of the major security solution domains
- Less than 10% of organisations were making significant use of the functionality that these solutions can provide to manage the risks associated with authorised access
- Nearly 90% had not implemented a privileged IT user access management solution or were making very limited use of the available functionality, even though privileged accounts are often targeted and used in high-impact cyber attacks
- Over 50% of organisations have no active data loss prevention solution in place and 80% of organisations have limited active monitoring of potential data loss incidents
- Only 7% of respondents had an optimised security incident management process in place with half (50%) not having dedicated incident management personnel
White paper highlights need for firms to invest intelligently
Commenting on the results of the study, Jonathan Wyatt, Global Leader of Managing the Business of IT at Protiviti, said:
“Cyber security is now on the board agenda for many organisations. Those organisations that acknowledge the risk, for the most part, believe that they have considered the risk and taken or are taking necessary steps to mitigate it. Most organisations we interviewed indicated that their tolerance for security or business continuity incidents is low. However, almost all of them behave as though their risk appetite is much higher.”
“The roles that authorised access and the insider play in security incidents are regularly understated and not managed effectively. The combination of poor risk analysis and insufficient communication of business impact of risks in non-technical language that is accessible to the board and senior executives, leads to a lack of understanding of the true business risks at executive committee level. This can result in the wrong investment decisions being taken, with the potentially catastrophic consequences of inadequate preparation against cyber threats. Organisations must recognize that threats can emerge from within – either through negligence or malice – and prepare accordingly. Relying on trust alone is clearly not enough.”
Ryan Rubin, Managing Director and Regional Lead for Managing Security and Privacy (EMEA), adds:
“We found that firms are wasting significant resources – and exacerbating their cyber security risks – by not making full use of security systems that they already have in place. Unfortunately, many are still trying to get the basics of cyber security right and, as such, are being left vulnerable to newly emergent or asymmetrical threats.”
“Organisations must increase the attention paid to developing their security posture in both a surgical and tactical manner. Otherwise, businesses run the risk of chronically underutilising existing systems, being left vulnerable and spending far more than they need to in order to ‘fix’ the intractable problem that cyber security presents. This only adds to the misconception that adequate protection is only possible at high cost – a view held by 90% of respondents in our European study. By leveraging solutions that focus on the management of internal threats targeting high risk areas of their business, many firms have significant potential to boost security and cut costs.”
About the Study
This study comprised detailed interviews of select IT and security leaders in a cross section of leading European businesses (the majority of which are multinational), covering several industries, different IT operating and governance models and functions of different sizes.
The study included numerous organisations that would be perceived to have a significantly higher than average risk profile and, in many cases, significantly higher than average investment in and dependence on technology. It also included a number of much smaller and lower profile organisations to balance the perspective.
The study considered in detail the following security solution domains: Privileged Access Management; Data Loss Prevention; and Security Incident Management.
The study also explored how well technology offerings in these areas were aligned to business risks and integrated with operational processes, skills and governance models. The results are presented in Protiviti’s white paper in a custom set of maturity models, built specifically for this study in order to profile actual and realistic maturity levels.
For the full set of results and to download a complimentary copy of the Protiviti white paper, please visit: www.protiviti.com/en-UK/Documents/Organisations-need-to-be-doing-more-cybersecurity-studyF.pdf
For more information please contact: Jonathan Wyatt at firstname.lastname@example.org or Ryan Rubin at email@example.com