Wednesday, November 30, 2011 7:17:43 PM
PwC Global State of Information Security survey exposes network fragility
November 30th, 2011 by Tim Greenhalgh
The PricewaterhouseCoopers (PwC) ‘2012 Global State of Information Security Survey’ is an astonishing document – a searchlight on the fragile state of network defence.
It reveals telling contradictions between the confidence of organisations in their network security strategies and the actual state-of-play in the rapidly evolving commercial hacker culture.
There is a clear subtext in the survey. Every organisation across the globe is looking for the “silver bullet” that will solve their network security problems. The hard truth is that there is no single, complete solution to the threat of cyber-attack. And, currently, there is only a system of belief.
Network security specialists have been slouching towards Bethlehem for the past 20 years, reactively pinning their strategic and tactical hopes on ever-increasing software layers, with some success. But, to be honest, this is a “deploy and pray” strategy, only as good as the next agile hacker assault seeking to use the network security code to penetrate the system.
We have seen more than enough successful network attacks this year, from the RSA to Lockheed Martin, from Mitsubishi Defence to the Japanese Parliament, and from a US water utility to UK government minister laptop access, to understand that the threat and danger is clear, present and growing at an alarming rate.
The PwC survey, developed with media partners CIO Magazine and CSO Magazine, included more than 9,600 CEOs, CFOs, CIOs, CISOs, CSOs and other executives responsible for their organization’s IT and security investments in more than 138 countries.
The survey identifies that the majority of executives across industries and markets worldwide are confident in the effectiveness of their organisation’s information security practices and that they have an effective strategy in place.
There is a lacuna in the executives’ minds. They consider their organisations to be proactive in executing network security strategies, and their insights into the frequency, type and source of security breaches have leapt dramatically over the past 12 months, according to the survey.
But, significantly, the survey says: “Yet all is not in order. Some evidence points to a “crisis in leadership” and dangerous deficits in strategy. Capabilities across security domains are degrading. And security-related third-party risks are on the rise.”
Further, the survey’s top-line statistic, that 72 per cent of respondents worldwide have confidence in their security practices, may seem high, but it has declined markedly since 2006.
Worryingly, some of the statistics, in the words of the PwC survey, suggest a “reluctance to commit scarce funds to the information security mission, even at the risk of degradation in security-related capabilities”. This, PwC says “pulls the curtain back on a trend in global information security practices and cyber-crime prevention that has persisted since 2008”.
The survey highlights one of the most dangerous cyber threats – the Advanced Persistent Threat (APT) attack – and identifies that few organizations have the capabilities to prevent it.
Only 16 per cent of respondents said their organisation’s security policies addressed APT. More than half of all respondents reported that their organisation did not have core capabilities directly or indirectly relevant to countering the strategic APT threat—such as penetration testing, identity management technology or a centralised security information management process.
The APT is just one of a legion of commercial hacker projects but it is the most significant advance in cyber-attack. If 84 per cent of organisations globally have no deflective security policy in place now, then the global networks are wide open in 2012.
While we know that there will never be a “silver bullet” solution and that the Cyber Wars will define the next decade, we do have a more secure way forward. This starts in the device. We have spent too many years developing software security layers while ignoring the obvious point – that if you secure the device, then you can build trusted and known security.
And the only way to secure the device is to embed security in the hardware. Enter, Trusted Computing. The Trusted Computing Group has developed standards that should be adopted by every organisation because they focus first on the device and then the software.
The standards have led to the production of the Trusted Platform Module (TPM), a chip that is embedded in the motherboard of PCs, laptops and notebooks. This chip holds the security keys that enable network connection and validate the device and the user. What’s more, the TPM cannot be cloned through any software process.
Allied to this robust device security is the Self Encrypting Drive, the most secure method of protecting stored data on PCs and laptops. Computer Weekly chief reporter Warwick Ashford has written the definitive articles about the SED and they are well worth reading, SED1 and SED 2.
If organisations are committed to their vision of data protection and their strategies of network security, then they must adopt the leading standard. And that is Trusted Computing. In this case, ignorance is not bliss.
http://www.liberatemedia.com/blog/pwc-global-state-of-information-security-survey-exposes-network-fragility/
Wave is a charity case for DELL. Keeping Wave around just in case is like betting on the red and the black at the roulette table. Anybody who sees this as anything other is fooling themselves.
mymoneybegone 11/27/11