Snakes in the grass

Chris Potter

This February, as the year of the dragon turned into the year of the snake according to the Chinese calendar, we were busy surveying security breaches of UK businesses on behalf of the Department for Business, Innovation & Skills. It turns out, somewhat aptly, that this year’s survey results show many serpentine tendencies.

So, why are threats like snakes in the grass? Here are seven reasons:

  1. Security attacks are now stealthy, aiming to stay hidden from organisations. Just as snakes blend into the background, today’s attackers aim to penetrate systems and stay hidden while they gather confidential information. One example from this year’s survey was a large pharmaceutical company that took nearly a month to discover that an attacker had accessed its internal network.
  2. A small breach can cause disproportionate damage. Just as a snake’s venom can kill an animal many times its size, a serious breach can cause major disruption to organisations that are much larger than the attacker. Even breaches that cause only small direct financial losses can result in significant costs from investigating the events and making them right. For example, a disgruntled employee at a utility stole some of its sensitive data and began selling it. The value of the lost data was several hundred thousand pounds, but the impact of the investigation on the business was even greater.
  3. There are numerous different types of threats out there. Just as there are many species of snakes, there are many different types of attackers. Outsiders’ motives might be experimental (script kiddies), political (hacktivists), financial (organised crime) or industrial espionage. Insiders might be intent on committing fraud (16 percent of large respondents suffered this) or might just make a mistake (36 percent of the worst security breaches were caused by inadvertent human error).
  4. Many of the worst threats are not new. Snakes have been with us for millions of years. Similarly, many of the security threats that caught UK businesses have been with us for a long time. For example, the survey shows the Conficker worm is still causing a host of problems, despite patches having been available since 2008.
  5. Security attacks adapt to the environment. You can find snakes in many different environments, from the sea to the desert. Similarly, security attacks are not confined to traditional IT environments, but are evolving as business use of technology changes. Nine percent of large respondents had a data or security breach involving smartphones or tablets, and a further 14 percent involving social-networking sites.
  6. Small businesses are suffering most. While snakes can hurt or even kill large animals, they prey on small ones. One of the worrying trends in the 2013 survey is that the greatest increase in security breaches was for small businesses. This contrasts with previous survey results, which showed that security breaches traditionally affected large organisations. Eighty-seven percent of small respondents had at least one security breach in the last year (up from 76 percent a year ago) and the median number of breaches each suffered was also up from 11 to 17.
  7. Awareness is key to addressing threats. The best way to avoid getting hurt by snakes is to be aware that they are out there. Similarly, this year’s survey shows clearly that security awareness makes a huge difference to the chance of having breaches. Ninety-three percent of respondents from enterprises where security policies were poorly understood had staff-related breaches, vs. only 47 percent where the security policies were well understood.

According to the Chinese calendar, 2014 is the year of the horse. Perhaps you want to come up with your own equine analogies.

Chris Potter
Partner, PwC

Comments

Nice post

Enjoyed the analogy and nicely presented a complex message in simple terms.
Isaac Prince582 at 7/3/2013 1:50 AM

Great post

Short and sweet, nicely compared!
Victorjoshua at 7/9/2013 7:58 AM