No organisation spared the risk of cyber attacks

By Suzanne Franco, Surveys Editorial Project Manager at ITWeb.
Johannesburg, 01 Dec 2015
Cyber security must involve investment not just in technology, but also in effective organisational processes, says RSA's Ruben Espinosa.

As many industry and analyst reports show, cyber attacks are targeting organisations of every size and kind: agencies, universities, hospitals, non-profit organisations and enterprises from the largest diversified multi-nationals to the gas station on the corner to government.

However, not all attacks are as devastating in their impact, says Ruben Espinosa, regional marketing manager at RSA, the security division of EMC, commenting on the IT Security Survey conducted during September by ITWeb in partnership with EMC Southern Africa.

The 2015 IT Security survey set out to determine the importance of information security to South African organisations.

Eighteen percent of respondents said their organisation's investment in IT security was as low as 2% of their total IT budget and 9% of respondents stated it was above 15%.

According to Espinosa, there is no ideal amount of budget for combating cyber threats.

"Every organisation, therefore, has to understand the cyber risks that it faces and allocate budget to address those risks, to whatever extent and in whatever ways are appropriate for that organisation and those risks."

Even small organisations can suffer fines and loss of reputation, he says.

"Firstly, the risks that different organisations face vary tremendously both over time for the same organisation and at any point of time across the range of organisations confronting cyber risks.

"For example, organisations that represent significant concentrations of value in attackers' eyes, including not only financial institutions but also large cloud service providers, typically face the most frequent, the most sophisticated and the best-resourced cyber attacks," he says.

Espinosa advises that organisations such as universities also face very high rates of attack, but that they are typically less well-resourced.

The resources that organisations mobilise to address cyber risks will therefore also vary widely, he says.

"Secondly, budget is not the only, and often not the most important, means of addressing cyber risks. Improving organisational structures and processes may be the most effective way to address the security risks an organisation faces, rather than simply investing money in technology. Engaging users in security - 'security is everybody's business' - may be the most effective way to reduce the risk that social engineering attacks will succeed."

Just over half of respondents (56%) cited cost as one of the reasons why investment in IT security is delayed or prevented, while 28% stated it is difficult to integrate into existing infrastructure.

"The most important way to manage costs is to understand your business, understand the risks that can damage your business, allocate time and budget to address these risks in the most effective ways. Taking this risk-based approach to cyber security will very likely indicate areas of current investment in security technologies that reflect an outdated understanding of cyber risks, outdated models of how to address those risks and outdated processes and organisational structures that are leaving the organisation vulnerable to attacks," Espinosa notes.

Thirty-three percent of respondents also cited difficulty in determining their organisation's return on investment for IT security spending.

Commenting further on this finding, Espinosa says: "Understanding the value of security investments can only be done in terms of their effectiveness in addressing the risks that the organisation faces. There are very effective risk methodologies, including asset-based risk management and loss-event-based risk management, that provide a realistic estimation of risk."

Many organisations, Espinosa adds, still invest considerable budget in technologies that support a perimeter-based model for cyber security that is inadequate to organisations that have to live in a mobile, social and cloud world.

A third of respondents rated the importance of security to their business as high, and 30% stated security is a critical priority.

"In our recent announcement of RSA Archer 6.0, we at RSA have demonstrated our ongoing commitment to support this risk-based approach to managing the cost of cyber security. In that release, we have provided support for managing operational risk, including through the loss-event-based risk methodology touched on above."

Espinosa points out cyber security must involve investment not just in technology, but also in effective organisational processes - from risk management to incident response to cyber intelligence sharing - and in effective people-related considerations - from organisational structure to user engagement to development of cyber experts.

"We are confident that cyber security, when addressed in this way, becomes an enabler of the business, engaging the entire organisation in an understanding of risk that inspires innovation and effective decision-making."