Security Posture Mixed As Feds Say ‘Shields Up’
January 14, 2019 Alex Woodie
“Raise your shield.” That’s the message the Federal Government sent to American businesses last week as part of a new cybersecurity awareness campaign. But according to a recent survey of security professionals by Syncsort, the majority of enterprises, including IBM i shops, are confident in the security protections that are already in place. The big question: Have they actually done enough?
The National Counterintelligence and Security Center (NCSC) kicked off a new security awareness campaign last week called “Know the Risk, Raise Your Shield.” The NCSC says that foreign intelligence entities are actively targeting information, assets, and technologies” that are vital to U.S. national security and competitiveness.
“Increasingly, U.S. companies are in the crosshairs of these foreign intelligence entities, which are breaching private computer networks, pilfering American business secrets and innovation, and carrying out other illicit activities,” the NCSC says.
While it’s true that major cybersecurity incidents do continue to happen on a regular basis, the data do not indicate there’s been any kind of spike in activity. According to a search of Privacy Rights Clearinghouse, there was a total of 807 breaches of all types made public last year, involving 1.3 billion records.
That figure was down slightly from 2017, when PRC recorded 862 breaches impacting 2.0 billion records, and 2016, which had 826 public breaches that impacted 4.8 billion records. 2015 saw 547 breaches impacting 318.8 billion records, according to the database, while 2014 saw 869 breaches with 1.3 billion records, nearly identical to 2018.
The “Raise Your Shields” campaign may help raise awareness of security vulnerabilities, but they have been happening for some time, says Terry Plath, a senior vice president of support and services with Syncsort (formerly Vision Solutions).
“In the last few years, as we’ve learned more about some of these breaches, it’s probably raised the awareness,” Plath says. “But I have to believe it’s been going on for quite some time. I don’t know that there’s any particular uptick, other than more awareness of it than there was before.”
The NCSC’s warnings coincided with the release of Syncsort’s 2018 Security survey, in which it queried the security posture of 319 IT professionals (including 106 with knowledge of IBM i) across a variety of industries and government agencies. The survey generated a few eyebrow-raising statistics, including:
- 85 percent of respondents said they were “very confident” or “somewhat confident” in their organization’s security program.
- 3 percent said they were “somewhat unsure” or “very unsure” about their security program.
- 74 percent said their organization conducts audits annually or more frequently.
- 41 percent said their organization has experienced a security breach.
- 39 percent said their organization has not experienced a security breach.
Plath said the fact that 85 percent of respondents displayed confidence in their security postures, and yet 41 percent say they have experienced some type of security breach, represents a disconnect between how organizations view their own security posture and the reality of the situation.
“That definitely was one that surprised us,” Plath tells IT Jungle. “It’s not unlike what we see in high availability, which is a lot of people feel like they’re ready for a switch, but they don’t test it, and when the time comes to actually do it, they’ll run into an issue if they haven’t tested it. It’s probably similar to security, a false sense of being ready.”
On the surface, the fact that three out of four organizations conduct audits at least yearly should provide some reassurance that organizations are looking for signs of hackers, malware, and disgruntled employees. However, that could provide a false sense of security because many problems don’t show up in audits, Plath says.
“You can have the processes in place, and audit processes,” he says. “But if you don’t also have the tooling in place and the right security technology, even if you’re doing an audit and feel good about things, there’s always an opportunity for people to get in and access data that may go undetected
For example, despite the fact that IBM i shops are being audited as often as organizations that rely on other platforms, there are longstanding security problems related to how the systems are configured, Plath says.
“In the IBM i world, very often there can be default settings that allow people, especially with the IT or technical application knowledge, to access data that shouldn’t be accessed,” Plath says. “And if you don’t have a tool in place that monitors who’s accessing those, where that access is coming from, and making sure that user privileges are set up correctly, there can be those gaps, and we’ve seen companies that have those gaps.” (Syncsort sells exit point monitoring software as a result of Vision’s acquisition of Enforcive Solutions a year ago.)
Pearl River, New York-based Syncsort collected several other IBM i-specific data points for the survey, which was finalized in December. For example, the survey found that 94 percent of IBM i users are relying on in house staff for security. “In the broader space, more organizations have third-party consultants from the outside coming in.”
The survey also found that 25 percent of IBM i breaches involve theft of sensitive data. Plath says that figure is likely higher than in the general population because of the business critical nature of the applications running on IBM i.
Syncsort also asked organizations how long it took them to discover security breaches. Nearly 40 percent had no breaches, but about 21 percent of the full sample said it took them less than a day, 12 percent said it took them a week or less, and about 4 percent reported a month or less. However, around 8 percent said it took them longer than 31 days to find the leads, and it took some over a year to discover the breach. Judging from the sample size, it’s quite possible there are companies in Syncsort’s sample that have breaches that haven’t been discovered yet.
Plath admits that these figures concerned him as a consumer. “Roughly half of those who had breaches were identified in less than a day, which is good, and I’m guessing that’s through automation and technology,” he says. “It took 26 percent [of those who had breaches] less than week, which means you have 24 percent who weren’t identified within a week’s time, and those are the ones we’re reading about in the newspaper, like Marriott, which went on for several years before it was discovered.”
In previous years, Vision Solutions has released a State of Resilience report around the first of the year that focused predominantly on high availability and disaster recovery issues. That survey effort has morphed into security, where Syncsort is making significant investments.
Last year’s State of Resilience survey pegged security as the number one priority of IT professionals, followed by HA/DR, cloud computing, and upgrading applications, in that order. This year’s survey also finds that security is the number one priority, followed by cloud computing, application upgrades, and HA/DR.
Syncsort/Vision Solutions has made three IBM i security acquisitions in the past 18 months. That includes Enforcive (formerly BSafe), Cilasoft, and Townsend Security‘s AES/400 encryption software.
Syncsort, which also has plays in the Hadoop analytics and data quality markets, is quite keen on security at the moment. “With GDPR, the whole data protection space – masking, encryption – is a super hot space,” says Plath, who formerly was an executive at Lawson Software. “Those are some of the highest growth spaces that we’re playing in right now. We’re bullish on the future.”