By Allie Philpin
According to a recent study of malware analysts by Opinion Matters and ThreatTrack Security, as many as 57% of security analysts are failing to disclose the data and security breaches their company is investigating, and it’s the ‘big boys’, those with over 500 employees, that are the worst culprits with a massive 66% not disclosing a data breach! Could that be because they have more to lose, or do they feel that they don’t have to? Trouble is, if these data and security breaches aren’t reported, customers and even a company’s partners are then exposed to potential security risks that are linked with proprietary and personal data loss – not really acceptable, is it?
40% of respondents gave the lack of skilled security personnel as a reason why under-reporting was occurring; and it doesn’t help when IT and security personnel’s time is taken up dealing with malware issues that can be avoided and often originate from the upper echelons of the organisation! The study’s results show that devices that have been allocated to and are used by senior team members/managers become infected due to the following reasons:
• 56% caused by clicking on a malicious link that is sent within a phishing email.
• 45% caused by family members using company-owned devices.
• 40% caused by visiting adult content websites.
• 33% caused by installing malicious mobile apps.
Scary reading, isn’t it? If these are the reasons, no wonder it’s not being disclosed! Unfortunately, in the US, laws regarding the reporting of data and security breaches are not as stringent as they are within the European Union. Certain industries are less likely to report breaches than others, with 79% of utility and manufacturing companies failing to admit a problem, followed by 57% of IT/Telecom companies, and 56% in the healthcare industry.
The study also revealed that there is definitely a need for more automated malware analysis tools, such as sandboxes, in the marketplace; 35% of respondents gave this as a key reason why they are struggling with malware attacks, particularly as malware is becoming far more complex and is on the increase!
Respondents cited a number of reasons as to why it is difficult to defend their organisation’s networks from sophisticated malware attacks:
• 67% say it is the complexity and volume of malware attacks.
• 58% cited the ineffectiveness of anti-malware solutions.
• 40% just don’t employ enough highly-skilled security personnel.
• 35% say little to no access to automated malware analysis solutions restricts their defense.
• 21% don’t get enough support from the organisation’s executive leadership.
• 18% do not have the budget in which to invest in the right tools.
But it’s not all bad; defense against malware attacks has improved over the past year with 38% of malware analysts claiming that it’s now easier to defend an organisation’s network, in comparison to just 27% that claim it is harder, with a further 35% finding little difference in the level of difficulty.
With the amount of pressure on IT departments, security and malware analysts to protect an organisation’s network from external threats, the last thing they need to be dealing with is the challenge of protecting their networks from internal threats which do nothing but hinder their efforts! Just because they are senior executives of an organisation doesn’t mean that they are above reproach; they’re not! Their activities, their lack of responsibility in their actions, lead to the under-reporting of data breaches, and that just places extra pressure and risk on not just internal personnel, but also external customers and partners.