Tag Archives: The Ponemon Institute

Thales Report: ‘More than half of businesses own up to sensitive information being ‘readable’ when stored in the cloud’

Thales’ annual global survey reveals widespread uncertainty about cloud security and a negative impact on security posture. Thales has announced that the cloud is losing the ‘scare factor’ for businesses.

In its latest report, ‘Encryption in the Cloud’, Thales reveals that more and more organisations are transferring sensitive or confidential information to public cloud services even though more than a third expect a negative impact on security posture.

In response, the use of encryption is increasing but more than half of respondents still admit their sensitive data goes unprotected when it’s stored in the cloud despite data security regularly topping the global news agenda.

Thales Encryption in the Cloud Report April 2014

The independent global study of more than 4,000 organisations was conducted by The Ponemon Institute, and reveals differing opinions over who is responsible for security in the cloud – the cloud provider or the cloud consumer – and how best to protect the sensitive data that’s sent there.

The ‘Encryption in the Cloud’ study was commissioned as part of a larger international study on Global Encryption Trends. More than 4,000 organisations were surveyed in the US, UK, Germany, France, Australia, Japan, Brazil and Russia.

The report explores the impact on security posture of moving to the cloud, the transparency of cloud providers, how organisations are treading the line between trust and control with regard to encryption and how encryption keys should be managed.

Staying in control of sensitive data

Larry Ponemon, chairman and founder of The Ponemon Institute, commented: “Staying in control of sensitive or confidential data is paramount for most organisations, and yet our survey shows they are transferring ever more of their most valuable data assets to the cloud.”

Ponemon continued: “It’s perhaps a sign of confidence that organisations with the highest overall security posture were most likely to use the cloud for operations involving sensitive data, and it’s encouraging to find significantly fewer respondents believe that use of the cloud is weakening their security posture. However, there are still concerns that many organisations continue to believe their cloud providers are solely responsible for protecting their sensitive data even though the majority of respondents claim not to know what specific security measures their cloud provider is taking.”

Richard Moulds, vice-president (strategy) at Thales e-Security, explained: “Encryption is the most widely proven method to secure sensitive data in the enterprise and in the cloud, but more than half of respondents report that sensitive data in the cloud goes unprotected. Those that are using encryption have adopted a variety of deployment strategies, but once again a universal pain point is key management.”

Richard Moulds: vice-president of strategy at Thales e-Security

Moulds went on to state: “Very often, the way that keys are managed makes all the difference, with poor implementations dramatically reducing effectiveness and driving up costs. Key management is a critical control issue for respondents, who are increasingly focused on retaining ownership of keys as a way to control access to data. Deployed correctly, encryption can help organisations migrate sensitive data and high risk applications to the cloud, in turn allowing them to safely unlock the full potential for economic benefit that the cloud can deliver.”

Key findings of the report

Cloud security is here to stay
The use of the cloud for processing and storing sensitive data seems inevitable. More than half of all respondents say their organisation already transfers sensitive or confidential data to the cloud and only 11% say that their organisation has no plans to use the cloud for sensitive operations (down from 19% only two years ago).

Cloud confidence is on the up, but at what cost?
Although nearly half of respondents believe that their use of the cloud has had no impact on their overall security posture, those that believe it has had a negative effect (34%) on their security posture outnumbered those that experienced a positive effect (17%) by a factor of two-to-one.

Where does the security buck stop?
The perceived responsibility for protecting sensitive data in the cloud is very dependent on the type of cloud service in question. In Software-as-a-Service (SaaS) environments, for example, more than half of respondents see the cloud provider as being primarily responsible for security. In contrast, nearly half of Infrastructure-as-a-Service/Platform-as-a-Service (IaaS/PaaS) users view security as a shared responsibility between the user and cloud provider.

Visibility improves but gaps remain
The good news is that visibility into the security practices of cloud providers is increasing, with 35% of respondents considering themselves knowledgeable about the security practices of their cloud providers compared with 29% only two years ago. However, half of SaaS users still claim to have no knowledge of what steps their providers are taking to secure their sensitive data.

Encryption usage increases but data still exposed
The use of encryption to protect sensitive or confidential data stored in the cloud (data at rest) appears to be increasing. For SaaS users, the report posts an increase from 32% in 2011 to 39% in 2013. For IaaS/PaaS users, respondents report an increase from 17% to 26% over the same period, but still more than half of respondents report that their sensitive data is in the clear (and therefore readable) when stored in the cloud.

Treading a line between trust and control
There is currently an almost equal division in terms of how stored data is encrypted while in the cloud. Of those respondents that encrypt stored data, just over half apply encryption directly within the cloud, with just over 40% electing to encrypt the data before it’s sent to the cloud.

Who holds the key?
When it comes to key management, there is a clear recognition of the importance of retaining ownership of encryption keys with 34% of respondents reporting that their own organisation is in control of encryption keys when data is encrypted in the cloud. Only 18% of respondents report that the cloud provider has full control over keys.

Standards enable trust in a shared environment
The need to share keys between organisations and the cloud highlights the growing interest in key management standards – in particular OASIS Key Management Interoperability Protocol (KMIP) – where 54% of respondents identify cloud-based applications and storage encryption as the area to be most impacted by the adoption of the KMIP standard.
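The two findings above, encrypting data before it leaves the organisation and keeping the encryption keys in the organisation’s own hands, combine into the envelope-encryption pattern that client-side cloud encryption tools use. The Go program below is an added example written for this page, not code from Thales, the Ponemon report or any cloud provider; it assumes a 32-byte customer-held key-encryption key (KEK), a constructed sample record and an invented object name. Each object gets a fresh data-encryption key (DEK) that is wrapped under the KEK, so the provider stores only ciphertext plus a wrapped DEK, and `Readable` shows the difference between that and storing the record ‘in the clear’.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is everything the cloud provider receives and stores.
// It never contains the plaintext or the unwrapped data-encryption key.
type StoredObject struct {
	Name       string // object name; bound into both AEAD tags as associated data
	Nonce      []byte // nonce for the payload encryption
	Ciphertext []byte // AES-GCM ciphertext plus tag over the payload
	WrapNonce  []byte // nonce for the key wrap
	WrappedDEK []byte // per-object DEK encrypted under the customer-held KEK
}

// Bytes flattens the object the way it would sit in a storage bucket, so a
// caller can check what anyone with read access to the bucket can see.
func (o *StoredObject) Bytes() []byte {
	var b bytes.Buffer
	b.WriteString(o.Name)
	b.Write(o.Nonce)
	b.Write(o.Ciphertext)
	b.Write(o.WrapNonce)
	b.Write(o.WrappedDEK)
	return b.Bytes()
}

// StoreInClear is the "readable" case from the survey: the record goes to the
// provider exactly as it is.
func StoreInClear(plaintext []byte, name string) []byte {
	return append([]byte(name), plaintext...)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith encrypts plaintext under key with a fresh random nonce and binds aad to the tag.
func sealWith(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// openWith reverses sealWith; it fails if key, nonce, ciphertext or aad differ.
func openWith(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// EncryptBeforeUpload runs on the customer side: a fresh 256-bit DEK encrypts the
// payload, and the KEK (which never leaves the customer) wraps that DEK.
func EncryptBeforeUpload(kek, plaintext []byte, name string) (*StoredObject, error) {
	if len(kek) != 32 {
		return nil, errors.New("kek must be 32 bytes")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aad := []byte(name)
	nonce, ct, err := sealWith(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := sealWith(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &StoredObject{Name: name, Nonce: nonce, Ciphertext: ct, WrapNonce: wrapNonce, WrappedDEK: wrapped}, nil
}

// DecryptAfterDownload unwraps the DEK with the customer's KEK, then decrypts the payload.
// Anyone without the KEK (the provider included) stops at the first step.
func DecryptAfterDownload(kek []byte, obj *StoredObject) ([]byte, error) {
	aad := []byte(obj.Name)
	dek, err := openWith(kek, obj.WrapNonce, obj.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openWith(dek, obj.Nonce, obj.Ciphertext, aad)
}

// Readable reports whether the stored bytes expose the plaintext in the clear.
func Readable(stored, plaintext []byte) bool {
	return bytes.Contains(stored, plaintext)
}

func main() {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	record := []byte("account=ACME-0042;balance=12500") // constructed sample record
	fmt.Println("clear upload readable:", Readable(StoreInClear(record, "customers/0042.json"), record))
	obj, err := EncryptBeforeUpload(kek, record, "customers/0042.json")
	if err != nil {
		panic(err)
	}
	fmt.Println("encrypted upload readable:", Readable(obj.Bytes(), record))
	if _, err := DecryptAfterDownload(make([]byte, 32), obj); err != nil {
		fmt.Println("without the customer KEK:", err)
	}
	back, _ := DecryptAfterDownload(kek, obj)
	fmt.Println("with the customer KEK:", string(back))
}
```

Binding the object name into the associated data means a stored object that is copied under a different name, or a wrapped DEK swapped between objects, fails authentication on download; the KEK itself would in practice live in an HSM or a KMIP-speaking key manager rather than in process memory, which is the key-management pain point the report describes.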

About Thales e-Security

Thales e-Security is a leading global provider of data encryption and cyber security solutions to the financial services, high technology, manufacturing, Government and technology sectors.

With a 40-year track record of protecting corporate and Government information, Thales solutions are used by four of the five largest energy and aerospace companies and 22 NATO countries, and secure more than 80% of worldwide payment transactions.

Thales e-Security has offices in Australia, France, Hong Kong, Norway, the United States and the United Kingdom. For more information visit: http://www.thales-esecurity.com

About Thales

Thales is a global technology leader in the aerospace, transportation and defence/security markets. In 2013, the company generated revenues of €14.2 billion (equivalent of $18.3 billion) with 65,000 employees in 56 countries.

With its 25,000 engineers and researchers, Thales has a unique capability to design, develop and deploy equipment, systems and services that meet the most complex security requirements. Thales has an exceptional international footprint, with operations around the world working with customers and local partners. For further detail visit: http://www.thalesgroup.com

Positioned as a value-added systems integrator, equipment supplier and service provider, Thales is one of Europe’s leading players in the security market. The Group’s security teams work with Government agencies, local authorities and enterprise customers to develop and deploy integrated, resilient solutions to protect citizens, sensitive data and critical infrastructure.

Drawing on its strong cryptographic capabilities, Thales is one of the world leaders in cyber security products and solutions for critical state and military infrastructures, satellite networks and industrial and financial companies.

With a presence throughout the entire security chain, Thales offers a comprehensive range of services and solutions ranging from security consulting, intrusion detection and architecture design through to system certification, development and through-life management of products and services, and security supervision with Security Operation Centres in France and the United Kingdom.

Filed under IFSECGlobal.com News

BCI Report: ‘Counting the cost of ineffective business continuity’

Coinciding with Business Continuity Awareness Week 2014 (which runs from 17-21 March), The Business Continuity Institute has published an excellent and detailed report designed to highlight the cost of common threats (such as IT and telecommunications outages, data breaches, cyber attacks and adverse weather conditions) to organisations.

Entitled ‘Counting The Cost: a meta analysis of the cost of ineffective business continuity’, the report demonstrates why it’s so important for organisations to have a business continuity plan in place that can help prevent a drama from becoming a crisis.

As highlighted by the new report, an effective business continuity management programme can spell the difference between organisational resilience and financial ruin.

Put simply, a single incident can cost an organisation millions of pounds and rapidly demolish its reputation.

Key findings of the new report

Some key findings contained within the BCI’s latest report are as follows:

• According to a recent IBM study on professionals dependent on high-availability IT, the cost of an IT/telecommunications outage can vary from US$1.04 million to US$14.25 million over 24 months. On average, minor incidents cost US$53,210 per minute of downtime. Further losses due to reputation-related costs can add up to US$5.27 million for substantial incidents.

• Analysis by The Ponemon Institute puts the average annual cost of data breaches and cyber attacks at US$11.6 million. Organisations report costs ranging from US$1.3 million to US$58 million to resolve these incidents. Case studies reveal staggering losses of up to US$4 billion due to severe incidents of data breach and cyber attack.

• A Munich Re report shows that combined household and corporate insurance payouts for weather-related damage in the United States alone cost US$12.8 billion in 2013. Extreme weather phenomena have increased the severity of damage and value of insurance claims.

Business Continuity Awareness Week 2014 runs from 17-21 March

Business continuity: a focus for everyone

Patrick Alcantara, research associate at the BCI and author of the report, commented: “The aim of the report is to drive home the message that business continuity is not the sole domain of an organisation’s business continuity specialist. Ensuring an effective, robust business continuity programme is also the responsibility of management, budget holders and the rest of the staff.”

Alcantara added: “At a time where cutting budgets is the norm, it’s important to be reminded of the cost of being caught flat-footed in an incident. The false economy created by cutting down on business continuity may create bigger problems that may impact on both organisational resilience and viability.”

Copies of ‘Counting The Cost: a meta analysis of the cost of ineffective business continuity’ can be obtained by visiting the BCI’s website.

It’s important to note that, as the figures are rough estimates of the actual cost of disruption, organisations are highly encouraged to think about their specific context in order to arrive at more appropriate data.

The ultimate aim is to start a conversation among organisations and budget holders using readily understood and comparable data in order to maintain business continuity investment.

Filed under IFSECGlobal.com News

SMBs need help to better understand cyber attack threats

Research by The Ponemon Institute reveals that over half of SMBs globally do not see cyber attacks as a significant risk.

Many small and mid-size businesses (SMBs) are potentially putting their organisations at risk because of uncertainty about the state of their security and threats faced from cyber attacks.

According to the ‘Risk of an Uncertain Security Strategy’ study conducted by The Ponemon Institute, senior management is failing to prioritise cyber security which, in turn, is preventing them from establishing a strong IT security posture.

Of 2,000 respondents surveyed globally, 58% confirmed that management does not see cyber attacks as a significant risk to their business. Despite this, IT infrastructure and asset security incidents, as well as wider security-related disruptions, were found to have cost these SMBs a combined average of $1,608,111 over the past 12 months.

Sponsored by Sophos, the research has also identified that the more senior the position of the decision-maker in the business, the more uncertainty there was surrounding the seriousness of the potential threat.

SMBs need help to better understand cyber attack threats

Three main challenges to strong security

“The scale of cyber attack threats is growing every single day,” said Gerhard Eschelbeck, CTO for Sophos, “yet this research shows that many SMBs are failing to appreciate the dangers and potential losses they face from not adopting a suitably robust IT security posture.”

According to the research, there are three main challenges preventing the adoption of a strong security posture: failure to prioritise security (44%), insufficient budget (42%) and a lack of in-house expertise (33%).

In many SMBs there’s also no clear owner responsible for cyber security, which often means it falls into the purview of the CIO.

“Today in SMBs, the CIO is often the ‘only information officer’ managing multiple and increasingly complex responsibilities within the business,” said Eschelbeck. “However, these ‘OIOs’ cannot do everything on their own. As employees are demanding access to critical apps, systems and documents from a diverse range of mobile devices, it would appear security is often taking a back seat.”

The study reveals uncertainty around whether Bring Your Own Device (BYOD) policies and the use of the cloud are likely to contribute to the possibility of cyber attacks. Some 77% of respondents said the use of cloud applications and IT infrastructure services will increase or stay the same over the next year, yet a quarter of those surveyed indicated they did not know if this was likely to impact security.

Similarly, 69% said that mobile access to business critical applications would increase in the next year, despite the fact that half believe this will diminish security postures.

“Small and mid-size organisations simply cannot afford to disregard security,” said Larry Ponemon, president of The Ponemon Institute. “Without it there’s more chance that new technology will face cyber attacks, which is likely to cost the business substantial amounts. CIOs are under pressure to implement new technology that informs agile and efficient ways of working, but this should not take precedence over security. The industry needs to recognise the potential dangers of not taking cyber security seriously and create support systems to improve SMB security postures.”

Key findings of the research

The study targeted SMBs in the United States, the United Kingdom, Germany and the Asia-Pacific Region (Australia, India, China and Singapore) to better understand how such organisations are managing security risks and threats.

Key findings of the study include:

• 58% of respondents say management does not see cyber attacks as a significant risk

• One-third of respondents admit they are not certain if a cyber attack has occurred in the past 12 months. 42% of respondents said their organisation had experienced a cyber attack in the past 12 months

• Respondents in more senior positions have the most uncertainty about the threats to their organisations, indicating that the more removed the individual is from dealing on a daily basis with security threats, the less informed they are about the seriousness of the situation and the need to make it a priority

• CISOs and senior management are rarely involved in decisions regarding IT security priorities. While 32% say the CIO is responsible for setting priorities, 31% say no one function is responsible

• 44% of respondents report IT security is not a priority. As evidence, 42% say their budget is not adequate for achieving an effective security posture. Compounding the problem, only 26% of respondents say their IT staff has sufficient expertise

• Respondents estimate that the cost of disruption to normal operations is much higher than the cost of damages or theft of IT assets and infrastructure

• Mobile devices and BYOD are much more of a security concern than the use of cloud applications and IT infrastructure services. However, these concerns are not preventing extensive use and adoption of mobile devices, especially personal devices

• Uncertainty about their organisations’ security strategy and the threats they face varies by industry:
o Respondents in financial services have more confidence, which can probably be attributed to the numerous data protection regulations
o The technology sector is also more security aware, which is probably due to the IT expertise that exists in these organisations
o Retailing, education and research and entertainment and media have the highest level of uncertainty about their organisations’ security strategy and the threats they face

Recommendations emanating from the research findings

• Organisations need to concentrate resources on monitoring their security situation in order to make intelligent decisions. While assessing where they stand on the security continuum, organisations need to focus on monitoring, reporting and proactively detecting threats

• Establish mobile and BYOD security best practice. Carefully plan and implement a mobile strategy so that it doesn’t have an impact on the overall security posture

• Organisations should look for ways to bridge the gap created by a shortage of information security professionals. Consider ways to free up time for in-house resources, including a move to cloud technologies, security consulting and easy-to-manage solutions

• Measure the cost of cyber attacks, including lost productivity caused by downtime. Work with senior management to make cyber security a priority and invest in solutions that restore normal business activity more quickly for a high return on investment

• Organisations in all sectors are regularly breached and regulations are often simply the beginning of properly securing a network. Consider consolidated security management to gain a more accurate picture of threats that will help focus on problem areas

Filed under IFSECGlobal.com News