A recent study by Deloitte, titled Blurring the lines: 2013 TMT global security study, shows that 59% of Technology, Media and Telecommunications (TMT) companies suffered a data breach. 88% of these companies do not believe that they are vulnerable to an external cyber threat such as hacking. Rather, the three highest threats were employee errors and omissions, denial of service attacks and security breaches by third parties.
Awareness is a critical factor here and Deloitte lists it as one of the top three security initiatives of 2013. 70% of TMT companies responded in the survey that employee mistakes were an average or high vulnerability. The risks, as stated by Deloitte, include “talking about work, responding to phishing emails, letting unauthorized people inside the organization, or even selling intellectual property to other companies.” To counter this, companies are conducting awareness training, often through security firms with experience in the area, and creating materials that employees will see on a regular basis to remind them of their responsibility to protect the data they work with.
Denial of Service (DoS) attacks were also rated a high threat. DoS attacks overload targeted information systems, making them slow to respond to requests or taking them down entirely. Due to the relative ease of conducting a DoS and the criticality of information systems to today’s businesses, it is no wonder that DoS makes the list. These attacks are often triggered by saying something that irks a hacker group or by opposing a hacker group or its interests. Organizations can protect themselves by monitoring the messages they are sending, especially through social networking, and by working out an incident response plan for handling a DoS attack that includes the public relations factors in addition to the technical ones.
Breaches by third parties are at the top of the list partly because the average company deals with so many third parties in the course of doing business. In fact, 79% of respondents said the sheer number of third parties they deal with would be an average or high threat. With so many third parties, it is difficult to determine if each has a sufficient level of security to adequately protect the data they work with and, as we all know, security is only as effective as the weakest link. Organizations have responded by more thoroughly screening third parties and assigning them a risk rating for the type of data they will be working with through a process called vendor risk management. The third party then needs to demonstrate security that is in line with the risk rating they have. This process is required by regulations such as the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS) and the Health Information Portability and Accountability Act (HIPAA).
The threat landscape of 2013 continues to grow and companies are tasked with more responsibility to protect the data they work with. As can be seen from Deloitte’s survey, security awareness, denial of service and third party breaches are three major concerns for companies in 2013. To protect themselves, companies can conduct security awareness training, create incident response plans, and screen third parties who work with sensitive data.