In 2016, information security continues to be a critical topic for organizations of all types to address. In its 2016 Annual Security Report that discusses cybersecurity trends and threat intelligence, Cisco drives this point home. The report points out that only 45 percent of organizations worldwide are confident in their security measures as today’s cyber attackers are more persistent in launching increasingly sophisticated campaigns. Although a large percentage of organizations appear to question their security capabilities, 92 percent of the executives agree that regulators and investors will expect companies to manage cybersecurity risk exposure which should place it high on their priority lists.
The Cisco report further identifies key factors that are contributing to the risk exposure. The factors include:
Aging infrastructure: Between 2014 and 2015, the number of organizations that said their security infrastructure was up-to-date dropped by 10 percent. The survey discovered that 92 percent of Internet devices are running known vulnerabilities. Thirty-one percent of all devices analyzed are no longer supported or maintained by the vendor.
Shifting server activity: Online criminals have shifted to compromised servers, such as those for WordPress, to support their attacks, leveraging social media platforms for nefarious purposes. For example, the number of WordPress domains used by criminals grew 221 percent between February and October 2015.
Browser-based data leakage: While often viewed by security teams as a low-level threat, malicious browser extensions have been a potential source of major data leaks, affecting more than 85 percent of organizations. Adware, malvertising, and even common websites or obituary columns have led to breaches for those who do not regularly update their software.
While many organizations focus their attention on the security of customer data, IT security firm Sophos explains in its report, The State of Encryption Today, that employee, company and cloud data are not protected to the same degree. After surveying 1700 IT decision makers in the U.S., Canada, India, Australia, Japan and Malayasia, Sophos made some eye-opening discoveries.
Thirty-one percent of the companies surveyed that store employee data admit that employee bank details are not always encrypted. Forty-three percent of the companies holding sensitive employee HR files don’t always encrypt them, and nearly half of those that store employee healthcare information (47 percent) fail to consistently encrypt these records.
“Data breaches happen to large and small companies every day, and the last line of defense against that breach turning into a corporate crisis is a comprehensive data encryption policy,” commented Dan Schiappa, senior vice president and general manager of Enduser Security at Sophos. “While it is the customer data breaches that hit the headlines, companies have the same obligation to protect sensitive employee data, and they should not overlook it.”
Company data remains at risk as well. Nearly one-third (30 percent) of all organizations surveyed fail to always encrypt their own corporate financial information, and nearly half (41 percent) inconsistently encrypt files containing valuable intellectual property.
Cloud data security is also an issue. More than eight in ten companies (84 percent) expressed concern about the safety of data stored in the cloud. Nonetheless, while 80 percent are using the cloud for storage, only 39 percent encrypt all files stored in the cloud.
Companies can do more to ensure information security, but so can employees. Even something as simple as passwords still need some work. SplashData announced the 2015 edition of its annual Worst Passwords List that highlights the insecure password habits of Internet users, and “123456” and “password” once again are the most commonly used passwords. These passwords have held the top positions since SplashData’s first list in 2011. Although some new and longer passwords made their debut, the longer passwords are so simple that it makes their extra length virtually worthless as a security measure.
Given the findings from Cisco, Sophos and SplashData, it is clear that information security is an ongoing challenge for which all stakeholders from companies to employees can make improvements. Hopefully, the remainder of 2016 will bring more focused efforts to do so.
———–
Ryan Lahti is the founder and managing principal of OrgLeader, LLC. Stay up to date on Ryan’s STEM-based organization tweets here: @ryanlahti
(Photo: Dollar Photo Club)