UK companies unaware of cyber-attacks or unwilling to admit breaches, study reveals
UK organisations have a distorted understanding of cyber-security risks and their ability to fight them, with many unwilling to disclose breaches, a study has revealed.
The joint study by security intelligence and analytics firm LogRhythm, traffic visibility solutions provider Gigamon and Internet of Things security firm Forescout Technologies asked a sample of 2,000 IT professionals working for UK companies about their concerns over the security of the data their company holds, about past breaches, and about their preparedness for the upcoming EU General Data Protection Regulation.
According to Ross Brewer at LogRhythm, the companies’ claims are frequently in sharp contrast with what industry analysts and cyber-security professionals know from their own practice.
44.45 per cent of the survey’s participants expressed confidence that their company had never suffered a data breach, while 43.65 per cent admitted that it had. The remaining 11.9 per cent said they did not know.
“That just doesn’t line up to the stats,” said Brewer. “The 45 per cent that say no, they are either not willing to admit the fact that they had a breach or they just don’t know because they don’t have the visibility.
“There are several reasons why we believe that what the companies claim is not in line with reality. First, we work with such companies every day and see what is going on. Second, in the UK, we have very good information about breaches in the public sector thanks to the Information Act, which covers local councils, NHS, police etc.
“We see a big gap between the public sector - how much that has been breached - versus the private sector - how much that hasn’t been breached - but we know that the actual number of breaches is in fact quite similar.”
The researchers are also doubtful about the accuracy of the companies’ understanding of how long it took for them to actually discover the cyber-attack. Almost 33 per cent claimed they uncovered the attack immediately as it happened. Over 28 per cent believed they learned about the hack within a month. However, history shows that even attacks on high-profile technology companies such as the recently disclosed Yahoo hack can go unnoticed for years.
“Many of them claimed that they were able to detect in one day one hundred per cent of the threats and attacks that they saw on that day, but the reality is that they were only able to detect those that they had seen,” said Trevor Dearing at Gigamon.
“There is a large difference between what people perceive is happening and what we know from other research and experience. This discrepancy generates a potential issue for a lot of the users because if they are too confident in their ability to defend against the threats then there is always the danger that the threat that they don’t know about is going to sneak through.”
About 29 per cent of the companies said they discovered the breach thanks to next-generation technology, while over 27 per cent said they were alerted by a third party. Another 27 per cent of companies attributed the detection to an employee. Brewer, however, says that in reality 70 per cent of breaches are actually discovered by a third party.
One of the problems, the cyber-security experts believe, is the lack of complete visibility into what is happening on the network, combined with reliance on outdated defence strategies such as firewalls and antivirus.
“They don’t know what is happening in their infrastructure because they work on the perimeter-based security strategy,” Brewer remarked.
“It’s like an egg. It’s tough on the outside, but it’s a soft yolk in the middle and they don’t have the visibility over the yolk.”
However, Brewer admitted that, despite the discrepancies, cyber-security awareness among companies is gradually improving.
“Only a couple of years ago, if we asked companies whether they believed that their data could be vulnerable to being stolen, most of them would say that they are not a bank nor a hospital and therefore not interesting for the hackers,” Brewer said.
“Today, however, 80 per cent are seriously concerned. Organisations are certainly more open about cyber-security incidents and the matter has definitely reached the boardroom in the past year with executives of several high-profile companies being held responsible for the cyber breaches.”
The survey also revealed that many companies are not fully prepared for the arrival of the EU General Data Protection Regulation (GDPR), which will require private firms to disclose all cyber-security incidents or risk hefty fines.
“I think that you’ll see that what is today 45 per cent will go to 100 per cent,” remarked Dearing. “The level of people’s openness about what is actually happening will increase and a lot of it will be driven by legislation.”
Speaking about upcoming challenges, Dearing pointed to the problem of threats increasingly coming through encrypted traffic, for which there is currently no systematic solution available.