Cyber-attacks top the list of threats to businesses' information security, with rogue employees the second biggest concern, according to IT professionals polled at Cloud Expo Asia.
The poll, conducted by BSI, investigated perceived threats to information security and the measures businesses are taking to protect themselves. It found that four in 10 professionals lack confidence in their security measures, with cyber-attacks (43%), rogue employees (23%) and malware (15%) identified as the top three threats.
Reassuringly, the overwhelming majority of respondents felt that top management was committed to information security (92%), and nearly three quarters (73%) felt that the necessary resources were allocated to managing cyber risk.
John DiMaria, Global Product Champion for Information Security and Business Continuity at BSI said: “As the profile of cyber-attacks rises, it is important that organizations not only maintain vigilance over technology measures such as malware protection but also address internal risks such as rogue employees. Failing to educate individuals on how to follow basic procedures can be just as dangerous as malicious actors working against you. Simple training programmes can significantly reduce the number of insider breaches by ensuring employees understand the importance of information security and the need for them to be vigilant, as well as confident in reporting potential threats.”
Respondents agreed that cloud computing is the number one emerging threat (81%), with just over half (55%) satisfied with the privacy and security assurances of their current cloud service providers. Interestingly, the research found that just half (51%) of IT professionals felt that the recently introduced General Data Protection Regulation encouraged the use of cloud technologies.
While these figures show there is room to improve confidence in cloud security and in vendors' security provisions, it is encouraging that the research also found a growing customer requirement to demonstrate information security provisions when tendering for new business: 94% of respondents felt they were now required to do so. Of the provisions requested, ISO/IEC 27001 certification topped the list (64%), followed by a copy of the information security policy (20%) and NIST (19%).
DiMaria continued: “We have found organizations that implement an ISO/IEC 27001 Information Security Management system (ISMS) can better identify threats to their information security and put in place appropriate controls to manage and reduce risks, and this is certainly borne out by the findings of this research. It’s encouraging to see that cyber security provisions are now forming a formal part of supply chain relationships, and frameworks such as NIST, which originated out of the US, are also being recognized in Asia as an information security provision to bolster the strong foundation an ISMS provides. The implementation of internationally recognized best practice frameworks allows businesses to put themselves in the strongest possible position.”