Cyber-attacks top the list of threats to businesses' information security, with rogue employees the second biggest concern, according to IT professionals polled at Cloud Expo Asia.
The poll, conducted by BSI, investigated perceived threats to information security and the measures businesses are taking to protect themselves. It found that four in 10 professionals lack confidence in their security measures, with cyber-attacks (43%), rogue employees (23%) and malware (15%) identified as the top three threats.
Reassuringly, the overwhelming majority of respondents felt that top management was committed to information security (92%), and nearly three quarters (73%) felt that the necessary resources were allocated to managing cyber risk.
John DiMaria, Global Product Champion for Information Security and Business Continuity at BSI said: “As the profile of cyber-attacks rises, it is important that organizations not only maintain vigilance over technology measures such as malware protection but also address internal risks such as rogue employees. Failing to educate individuals on how to follow basic procedures can be just as dangerous as malicious actors working against you. Simple training programmes can significantly reduce the number of insider breaches by ensuring employees understand the importance of information security and the need for them to be vigilant, as well as confident in reporting potential threats.”
Respondents agreed that cloud computing is the number one emerging threat (81%), with just over half (55%) satisfied with the privacy and security assurances of their current cloud service providers. Interestingly, the research found that just half (51%) of IT professionals felt that the recently introduced General Data Protection Regulation encouraged the use of cloud technologies.
Whilst this reinforces the potential to improve confidence in cloud security and vendor security provisions, it’s encouraging that the research also found a growing customer requirement to demonstrate information security provisions when tendering for new business: 94% of respondents felt they were now required to do so. Of the provisions requested, ISO/IEC 27001 certification topped the list (64%), followed by a copy of the information security policy (20%) and NIST (19%).
DiMaria continued: “We have found organizations that implement an ISO/IEC 27001 Information Security Management system (ISMS) can better identify threats to their information security and put in place appropriate controls to manage and reduce risks, and this is certainly borne out by the findings of this research. It’s encouraging to see that cyber security provisions are now forming a formal part of supply chain relationships, and frameworks such as NIST, which originated out of the US, are also being recognized in Asia as an information security provision to bolster the strong foundation an ISMS provides. The implementation of internationally recognized best practice frameworks allows businesses to put themselves in the strongest possible position.”
BSI remains committed to providing its clients with best practices and standards for managing emerging risks, helping businesses effectively control the risks and opportunities that "Internet Plus" brings and safeguarding business growth. The ICT product group also offers a number of widely applicable series of standards, as shown in the figure below: