Rechercher
Contactez-nous Suivez-nous sur Twitter En francais English Language
 

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN

Vulnérabilités

Unsubscribe

Infosecurity’Survey: Cloud computing and social networking leave UK businesses exposed to cyber attacks

April 2010 by Infosecurity Europe

Business use of technology is evolving faster now than at any point in the last decade. Internet use has moved way beyond email and websites and into the realms of social networks and externally-hosted software services accessed across the Internet (often referred to as cloud computing).

These changes have increased the vulnerability of UK companies and public sector organisations to new cyber attacks. Hacking and denial of service attacks have doubled in the last two years. As a result, security remains high on management’s list of priorities.

These are among the preliminary findings of the 2010 Information Security Breaches Survey (ISBS) commissioned by Infosecurity Europe and written by PricewaterhouseCoopers LLP. The full results of the survey including details of the number and cost of security breaches in the UK, will be revealed at Infosecurity Europe in London on 28 April.

The rate of adoption of newer technologies has accelerated over the last two years and most respondents now say they use wireless networking, remote access and VoIP. Some 85% of smaller organisations said they were using wireless, almost double the use in 2008. The number of organisations allowing staff to have remote access to their systems has also increase with nine tenths of large companies now doing this.

As organisations have looked to cut their IT costs, they have increasingly turned to external providers who host applications on their behalf. These services, including Software as a Service (SaaS) and cloud computing, are now used by over three-quarters of the organisations polled and of these, 44% said they were entrusting critical services to third parties. All sectors are making use of the services, but government is least likely to release control of critical services.

At the same time that companies are increasing their dependence on other organisations for their IT services, there has been an explosion of new cyber attacks. 61% of large organisations have detected a significant attempt to break into their network in the last year, twice as many as two years ago.

Some 15% of large organisations have detected actual penetration by an unauthorised outsider into their network in the last year, and it is likely that many more were undetected. 25% of large organisations have suffered a denial of service attack in the last year, also more than double the proportion in 2008. Outsourcing IT services does not make the security risk go away, but few companies are taking enough steps to ensure their outsourced services are not vulnerable to attack.

Chris Potter, partner, OneSecurity, PricewaterhouseCoopers LLP, said:

“Very few organisations are encrypting data held on virtual storage, including the ‘cloud’. Worryingly, only 17% of those with highly confidential data at external providers ensure that it is encrypted. Virtualisation and cloud computing seem to be set to follow the trend, established over the last decade, of controls lagging behind adoption of new technologies. Given the increased criticality and confidentiality of information held on virtual storage, organisations need to respond quickly to close this control gap.”

Responding to the data leakage threat

The increasingly inter-connected business environment and prevalence of externally provided services is reflected by a growing data leakage threat. That threat is driving an increased demand for assurance over third parties. ISO 27001 is becoming a common standard for compliance; 40% of large organisations are being asked to demonstrate compliance with the standard.

ISO 27001 and PCI (Payment Card Industry) standards are also driving adoption of some specific security mechanisms. PCI, in particular, is driving more encryption of website transactions and sensitive data fields in databases. However, organisations that need to meet government requirements are more likely to encrypt data transfers and removable media.

Andrew Beard, director, OneSecurity, PricewaterhouseCoopers LLP, said:

“It seems that organisations will respond to specific requirements mandated by government or other authorities, but when the requirements are less explicit, adoption of good practice is lower. Assurance reporting appears to increase organisations level of comfort. However, as adoption of the assurance reporting standards remains low, it seems likely that some organisations have a false sense of security.”

s

Staff postings to social networking sites pose a new data leakage risk. Yet, at the same time, social networking is increasingly important to businesses. Organisations are reassessing their approach to controlling staff access to the Internet. The trend, established between 2006 and 2008, of allowing more staff to access the Internet has been reversed. Nearly half of large organisations now restrict which staff can access the Internet; less than a third did so in 2008.

Organisations want to allow effective use of the Internet, but reduce inappropriate use. Use of software to block access to inappropriate websites is slightly up on two years ago. Web access logging and monitoring is relatively static. However, more sophisticated use is being made of these tools than in the past. Organisations are one and a half times as likely to monitor postings to social networking sites if social networking is considered very important to their business.


1. Survey methodology

The survey findings are based on responses from security professionals in over 500 organisations spread across all industry sectors, of which roughly a quarter were from the public sector. Although the methodology is somewhat different from that of previous surveys (the last of which was in April 2008), many of the same questions were asked and so comparisons are valid. The survey was completed online on a self-select basis. The Department for Business, Innovation and Skills (BIS) allowed PricewaterhouseCoopers to draw upon past questionnaires and findings of previous surveys which it and its predecessor departments (the DTI and BERR) commissioned and funded every couple of years until 2008


See previous articles

    

See next articles


Your podcast Here

New, you can have your Podcast here. Contact us for more information ask:
Marc Brami
Phone: +33 1 40 92 05 55
Mail: ipsimp@free.fr

All new podcasts