Global Survey: Top 10 Security Risks of 2014

Data Breaches Highlight Continued Lapses, Human Fallibility

In 2014, attackers struck at retail point-of-sale systems, causing a spate of high-profile breaches. eBay was roiled by a data breach after attackers infiltrated the company's corporate network and stole passwords used by several key employees, exposing account information on 145 million users. Attacks targeting Yahoo and AOL webmail impacted tens of thousands of users. And a lost thumb drive at Variable Annuity Life Insurance Company resulted in a data breach affecting more than 774,000 people.

The scale and breadth of data breaches in 2014 highlight many of the inadequately addressed security risks that have tormented businesses for years, according to Trustwave. The company's "2014 State of Risk Report" due out next week assesses a global survey of IT and security professionals conducted on behalf of the vendor over a 16-month period between July 2013 and November 2014. The study sheds light on the top risks that have plagued organizations over the past year and a half and recommends ways to adequately address the risks.

Data Management Risks

The survey found that most organizations store sensitive financial data, with 81 percent indicating that their organization either stored or processed financial information. A key risk is the lack of a designated person to oversee compliance with financial data regulations and ensure that policies and adequate controls are in place. Nearly half of those surveyed (47 percent) indicated that their organization stored or processed payment card data. Yet many organizations lack a program designed to proactively maintain PCI compliance. Intellectual property was identified as a key asset stored or processed by 67 percent of those surveyed. Batch processing was used broadly for data management, an automated process that opens up organizations to increased risk, Trustwave said.

Business Partner, Outsourcing Risks

Many organizations work or process sensitive business-to-business data, with more than half of those surveyed indicating it as key assets at their organization. The data represents a significant risk, but it can be mitigated by addressing service-level agreements and having a strong grasp of roles and responsibilities in the B2B relationship, according to Trustwave. Nearly 60 percent of survey respondents said their organization outsourced some data management activities to a third party, which also poses an increased risk, according to Trustwave. Contracts and other agreements should be reviewed regularly and addressed during contractual discussions, according to the report.

Corporate Governance Pitfalls

Only 40 percent of those surveyed indicated that the corporate board played an active role in security management. That number is expected to rise, say security experts. The high-profile breach at retail giant Target resulted in the departure of senior-level executives. About 52 percent said senior-level management played an active role in security matters, an area that opens up risk by limiting communication between business units and IT teams, according to the report. Security experts point out that top-level executive buy-in results in stronger security programs and a helps establish a strong security culture and awareness about risks throughout the entire organization.

Weak Business Continuity, Disaster Recovery Planning

Nearly three-quarters of those surveyed said they had a business continuity plan in place in the event of a disruption. But far fewer have tested the plan and regularly update it to ensure key employees are aware of their responsibilities and can be contacted in the event of an emergency. Disaster recovery plans are another area that rarely gets enough attention. Only 37 percent of those surveyed said they had disaster recovery plans in place and annually test them. Best practices call for the quarterly testing of disaster recovery processes, a routine that is undertaken by only 24 percent of survey respondents.

Lack Of Incident Response Plan, Testing

The string of high-profile retail data breaches and a spate of reports about even more insidious targeted attacks that use custom malware and advanced tactics placed an emphasis on incident response in 2014. Only 36 percent of those surveyed said their organization had an incident response plan in place and tested it annually. Far fewer knew if employees knew their roles and responsibilities during incident response or had the skilled IT staff to rapidly respond to security incidents, according to the report. Testing should be conducted regularly and a person (not the CEO) needs to be designated as the leader during a breach response. Processes should also be in place for employees and third parties to report security incidents, according to the report.

Proactive Vulnerability Management

Identifying and addressing vulnerabilities and configuration weaknesses continue to be a sore spot at organizations, with annual breach analysis reports citing common errors as the source of initial compromise during a security lapse. The U.S. Postal Service breach in November resulted in the exposure of sensitive data on 800,000 employees. Investigators suspect an application security weakness was exploited by attackers to gain access to the sensitive data. Half of those in the Trustwave survey said they run quarterly vulnerability scans on in internal systems and 40 percent said the vulnerability scans are carried out on critical systems hosted at third-party solution providers. Organizations also need to prioritize the risks posed by the vulnerabilities identified in a scan and whether resources need to be allocated to address them or assume the additional risk, according to the report. Only 21 percent of organizations perform penetration testing on mission-critical systems whenever a change is made, according to the survey.

Missing Physical Security Plan

Physical access controls such as card swipes and visitor logs help investigators during an incident and establish context following a breach, according to the report. About 64 percent of those surveyed indicated that their organization had appropriate physical access controls in place to protect critical systems. Trustwave said physical security requirements need to be part of change management and compliance programs. Physical lapses can result in high-profile breaches. Coca Cola acknowledged a data breach exposing the sensitive information of up to 74,000 employees in January. The incident stemmed from a lapse in the company's asset disposal program. Data encryption is also a key security control to limit the fallout from a lost or stolen device.

Poor Security Awareness Training

Security awareness training carried out in regular intervals and sustained over time build a culture that values data protection and safeguards system resources. Only 35 percent of those surveyed said their organization performs security awareness training annually. Security experts tell CRN that the most successful training programs gain buy-in from executive leadership and are maintained by strong leader. While a training program helps establish a better understanding of corporate policies and procedures, it can also help employees learn how to spot Internet scams and phishing attacks that target their personal information or put their family members at risk.

Inadequate Network Boundaries

Firewalls and routers are a standard part of corporate networks, with more than 80 percent of those surveyed indicating that the devices play a role in managing the boundaries between the Internet and internal networks. Resources need to be in place to regularly monitor and maintain firewalls. A regular review of configuration issues and changes that might impact the environment should also be conducted, according to the report. Nearly 60 percent of those surveyed said they had configuration standards in place for all technology systems, according to the survey. Hackers regularly exploit configuration weaknesses, such as poorly implemented encryption, which can be easily bypassed, or improperly configured remote access software, enabling initial access into a point-of-sale system.

Lack OF Proactive Privilege Management

Security experts tell CRN stronger privilege management and role-based access controls could go a long way in reducing the risk of a serious security lapse. Penetration testers say they regularly find system account access available for former employees or privileges to a critical system open to an executive whose role has changed and no longer needs access to the resources. About 56 percent of respondents indicated that strict role-based access controls were in place for critical systems. Tools are available to help manage and partially automate the process, which can be complicated because it involves cooperation between business line managers and IT teams.