BJ: Six out of 10 respondents thought disgruntled employees would be one of the top three most likely attackers – exceeded only by hacktivists, such as Anonymous (88%), and cybercriminals (77%). These figures emphasise the need to actively enforce security policies for internal staff, as well as securing systems, and the important data they house, against outsider attacks.
As for the likely impact of these attacks, system downtime was the biggest concern, with 77% of companies highlighting this as an issue, followed by data loss at 68%. Companies were also worried about damage to their corporate brand (52%), and financial impact (50%) – the results of which can be devastating, as seen with the Target data breach, where profits fell 46% following the theft of customer records.
TRP: How confident do companies feel in terms of their vulnerability to future cyber-attacks?
BJ: UK companies are sitting on a time bomb that's just waiting to go off, with almost two thirds (64%) of UK IT decision-makers expecting their organisations to be targeted over the next 12 months. More than one quarter (27%) expect an attack over the next 12 months, with 23% anticipating a hit within six months. And 14% were particularly pessimistic, expecting a cyber-attack within weeks.
Financial services companies are most likely to expect an attack within 12 months, with the government (72%) and technology (70%) sectors not far behind. The manufacturing sector was least concerned, with 59% of companies expecting to be targeted in the next year.
TRP: What about standards compliance – are companies ready for Payment Card Industry Data Security Standard (PCI DSS) version 3.0?
BJ: Although awareness of the PCI DSS is high, with 94% of respondents familiar with the standard and 66% acknowledging that it applies to their organisations, only 21% of companies feel up-to-speed in terms of actual requirements.
Only one in eight companies, where PCI was relevant, are confident that their endpoints are compliant with PCI DSS version 3.0, despite the impending January 2015 deadline to move to this version. Almost half (46%) of those working with POS systems said they can't adequately monitor and control access to critical data on their endpoints – highlighting poor cyber-security safeguards for retail systems that process credit card payments and handle customers' personally identifiable information (PII).
A lack of readiness is reflected in the small percentage (less than 10%) of IT budget that's being spent on meeting new PCI 3.0 requirements, such as penetration testing – also known as ethical hacking. We're seeing a major lack of confidence and knowledge around PCI 3.0 with an urgent need for organisations to improve protection of endpoint systems and the credit card data they house.
TRP: What's the story with Windows XP end of life – are many companies still reliant on this operating system?
BJ: We were surprised to find that almost three quarters (74%) of respondents still had systems running on Windows XP as the OS approached end of life, with half our survey base running it on vulnerable desktops and enterprise systems.
XP migration was slow, with only 29% of organisations planning to deploy a new OS in the near term, despite support ending. One in 10 industrial systems were still running on this unsupported OS – putting industrial control processes in danger.
Budget played its part here, with almost one in three saying their companies wouldn't spend anything on upgrading from XP, and more than one in four stating there wasn't any budget available – leaving IT systems dangerously vulnerable to malicious attacks.
TRP: What have we learned from this research – in terms of organisations trying to protect themselves from attack?
BJ: The most important takeaway is that visibility is critical for effective security, yet these survey results show that far too many organisations are unaware of what's happening on their endpoints and POS systems. There's a great deal of uncertainty about whether they have been attacked, or could prevent an attack.
You can't stop advanced threats and targeted attacks if you can't see them. Prevention, detection and response require an ability to see all activity on every endpoint and server. Companies must implement processes and protection to address this endemic complacency toward security, and avoid potentially devastating security breaches.
Investing more money in security standards compliance helps by forcing companies to follow guidelines designed to protect endpoints and the data that they hold.