14 September 2011

KPMG survey: companies shunning e-crime insurance despite growing risks and threats


Over three quarters of UK IT security professionals do not have insurance (or don't know if their organisations are insured against e-crime legal costs). Brian Sims reports on the latest KPMG survey.

According to the latest research conducted by KPMG, no less than 78% of UK IT security professionals do not have insurance (or don't actually know if their organisations are insured against e-crime legal costs).
This finding is despite the fact that more than half (54%) have witnessed an increase in the threat level these last 12 months.
Just over a quarter (27%) of those surveyed say they have definitely taken out insurance against interruption of business by hackers, while only 27% state they know their organisations are insured against e-crime-related data loss.
The e-Crime 2011 Survey was completed by over 200 professionals, including a select group of KPMG clients. The results reflect the views of a cross-section of information security stakeholders working for departments that include IT, risk, audit, security, fraud, investigations and compliance.
Their responsibilities include the design and co-ordination of strategy, ensuring data is protected from internal and external threats, meeting regulatory compliance requirements and running investigations.

Cyber attacks on big corporations

Speaking about the survey results, Malcolm Marshall - the UK head of information security at KPMG - explained: “Businesses should be acutely aware of e-crime risks after various recent high-profile cyber attacks against big organisations, but they aren’t taking out insurance for a number of reasons."
Marshall continued: "Not many out there know or understand what insurance is available. Many are also sceptical about the effectiveness of current policies, and whether or not insurers will actually pay out against e-crime claims.”
As stated, KPMG and AKJ Associates surveyed more than 200 senior security decision makers from global businesses including FTSE 100 companies.
The research finds that insufficient awareness of the increasingly unpredictable e-crime threat also appears to be hampering organisational response.
Two fifths (41%) of organisations say their lack of knowledge of potential vulnerabilities is leaving them open to attack. As a result, over half (51%) admit they don’t have - or don’t know whether their organisation has - a strategy in place for dealing with e-crime risk.
More than half (58%) of CISOs are also experiencing problems in prioritising detection, and a similar proportion (54%) are facing difficulties over the investigation of e-crime incidents.
Marshall added: “The threat landscape is changing by the day, and it looks like organisations are floundering as they try to protect themselves. You need to act fast to create strategies that enable organisations to prevent, detect, respond and learn from attacks.”

New technology exposes new vulnerabilities

Compounding the e-crime threat, the report also suggests that companies are opening up new lines of attack as they attempt to capitalise on popular new business and consumer technologies.
Despite almost a third (29%) having already invested in cloud computing and two thirds (65%) in outsourcing, 69% of those professionals surveyed agree that this activity presents the greatest security risk to their vital data.
The majority (87%) also single out Software as a Service (SaaS) as increasing their vulnerability to security risks.
Alarmingly, half also believe the Internet in its current form does not provide a sustainable platform for e-commerce and e-service delivery.
Other major 'risk-raisers' identified include employees using the same devices for business and personal use (83%) and the deployment of consumer technology (such as smartphones or tablet computers) in the enterprise (92%).
In conclusion, Marshall said: “While innovations like cloud and mobile computing deliver cost savings and efficiencies, security needs to be built-in from the start to avoid the risks destroying the benefits.”

About the e-Crime Survey and Report: further key findings

The content of the report, which was sponsored by KPMG, is based on the results of a survey conducted online and at the e-Crime Congress 2011, as well as a series of interviews involving senior security professionals working for global businesses.
  • Managing information and technology risk
Ensuring the continuity of business operations and protecting sensitive data is not just about how much you spend, but whether you understand your risk profile and spend effectively. Managing technology and information risk is now a vital part of protecting your brand and reputation.
Over the past few years, big changes have occurred in the cyber threat landscape. Recent incidents demonstrate that the emergence of ‘hacktivism’ and the increased prominence of state-sponsored cyber attacks have serious implications for all industry sectors.
In the e-Crime Survey 2011, only 6% of respondents indicated that the overall level of e-crime risk their organisation faces has decreased over the past year. In addition, over 80% of respondents identified that, in the next 12 months, the use of smart phones, social networking and consumer devices is set to increase e-crime risk for their organisations.
  • Security, governance and compliance frameworks
Despite having to deal with a constantly evolving risk landscape, information security strategies should still be based around a common framework that delivers the following core pillars of capability: prevent, detect and respond.
However, strategies must be structured so that they are sufficiently flexible and agile to adapt as circumstances change.
Threat modelling, risk assessment techniques and an understanding of the threat landscape should be incorporated to provide intelligence that can ensure available resources are targeted to the right areas.
It's increasingly difficult to predict the nature and severity of attacks: testing and updating incident response capability to make sure it's fit for purpose is therefore vital.
Put simply, there's no point in putting your seatbelt on after the crash has happened.
  • Major changes in the threat landscape
Cyber security is now on almost all Board agendas and frequently at the top. Many CEOs at large companies have been briefed by intelligence agencies and have a better understanding of the severity of the threat landscape.
It's important that cyber defence is not just thought of as a security issue or a technology issue. Rather, it's at the very heart of how a business builds trust with customers, as well as how it builds and protects brand value.
The issues at stake are sufficiently important that the definition of strategy and investment needs to sit with the Board. The level of investment needs to reflect business appetite for risk and support business goals.
This is still very rare. Heads of security and CIOs often second-guess the Board’s risk appetite and willingness to spend.
  • Reducing risk, protecting data, securing technology
Effective risk and security management frameworks need to be corporate-wide, proactive, forward-looking, closely integrated with other risk disciplines and have Board-level engagement. Approaches that attempt to measure and manage risk in silos will fail.
A successful strategy requires risk, security and technology teams to work alongside colleagues in sales, legal, fraud prevention and crisis management functions, as well as those in charge of procurement, marketing and press relations.
