Too many companies screw up IT security basics


When it comes to IT security, too many organizations seem to have forgotten the basics. At least that is one of the conclusions of the recent Global Threat Intelligence Report, released by Solutionary.

This is the second annual threat intelligence report for the security firm, but the first since it was acquired last year by NTT. FierceCIO recently spoke with Solutionary's director of research Rob Kraus about the report, and what it says about the state of IT security preparedness.

"As we started to look at the data, it was clearly telling us that we needed to be talking about the basics," Kraus said. "If you do the basics well, you can avoid some of the most common threats."

Unfortunately, many companies haven't gotten the message. And it's not just smaller organizations that need to brush up on IT security basics. The research report reveals that large organizations are just as guilty, Kraus says.

"Most companies are in reactive mode when it comes to security," Kraus explains. "People just aren't doing the basics well at all."

This discovery came as somewhat disappointing news to the company, which had hoped its 2014 threat intelligence report could focus on advanced threat detection and the security technologies being implemented, Kraus noted. Such measures are certainly in place at some organizations, but they are not as widespread as the company had hoped to find.

So what did the report reveal? According to Kraus, some key findings are:

  • The cost for a "minor" SQL injection attack exceeds $196,000 in just two months.
  • AV fails to detect 54 percent of new malware collected by honeypots.
  • 42 percent of malware events were directly tied to the educational vertical.
  • Botnet activity takes an overwhelming lead at 34 percent of events observed in 2013.
  • The healthcare industry has observed a 13 percent increase in botnet activity.
  • 43 percent of incident-response engagements were the result of malware.
  • DDoS attacks accounted for 31 percent of incident response engagements.
  • Organizations lacking mature Vulnerability Lifecycle Management programs are three times more susceptible to attacks via exploit kits.

Kraus says there are two main challenges facing many companies when it comes to IT security: lack of vision and lack of staff.

Staffing will continue to be a challenge throughout 2014, since security professionals are among the most in-demand IT workers right now. But staffing challenges aside, "how can you prepare your security defenses if you don't have the vision?" Kraus ponders.

Perhaps the most disappointing aspect of the 2014 study, Kraus notes, is that the security preparedness picture really hasn't changed much from the 2013 study. Organizations are getting plenty of messages that they need to do a better job. But, as with insurance, it often takes a major incident to convince executives that they should buy that ounce of prevention to avoid the pound of cure.
