Businesses are failing at the fundamentals of security

Companies are still failing to properly protect themselves from potential attacks and hackers, with security not being given enough weight in decision-making – and indeed, many firms haven’t even covered the fundamentals of keeping intruders out of their networks and data.

This is according to Neira Jones, a security expert who chairs the Global Advisory Board for the Centre for Strategic Cybercrime & Security Science, who criticised businesses for failing to “fix the basics” of protecting data, and lacking sufficient “cyber-security awareness programmes”.

She told Computing: “If you're a large organisation you'll have resources and you'll have departments and there may be cyber security, but at the end of the day, you're not in the business of security.”

“So awareness programmes are a low priority and security isn't understood; staff at large have a day job to do and they don't feel that's part of their responsibility.”

She also noted that because staff are relatively uneducated and don’t think much about company security in general, more sophisticated phishing emails are having more success, because they aren’t so readily identifiable as suspect or potentially malicious messages.

Jones observed that spam mail containing links leading to malicious code is on the increase, as are phishing mails in general – which is unsurprising if they are finding greater levels of success. A recent survey from HP’s TippingPoint network security division revealed that 69 per cent of IT professionals have to deal with phishing attacks at least once a week, and the main targets are customer and financial data.

She observed: “Criminals are becoming a lot more effective at delivering their payloads. A phishing campaign of only 10 emails has more than a 90 per cent chance of getting a click and when you get users who are unaware, that's an explosion waiting to happen.”

We’ve always insisted that staff training is a massive part of security, and the more educated your employees are on malware and security risks, the better, for obvious reasons. Security is everyone’s job, not just the IT department’s.