2019 has seen a lot of survey data published around security and breaches. All of them make very interesting reading and may well set alarm bells ringing at some sites. Let’s take a look.
We’re probably all familiar with the IBM Security sponsored “Cost of a Data Breach Report,” which is produced annually by the Ponemon Institute and is based on in-depth interviews with more than 500 companies. This time, I want to look at some other surveys.
BMC’s 2019 Mainframe Survey found that a whopping 77% of large organizations have reported a breach or a potential breach. I guess the question for the other 23% is whether they’ve had a breach but just haven’t spotted it yet! The BMC survey went on to look at ways that organizations can protect themselves. They found that 92% are audited at least every two years; 33% use external services for mainframe penetration testing; 42% have privileged user monitoring; 26% have dedicated mainframe security information and event management (SIEM) software; and 36% send mainframe SIEM data to an enterprise SIEM. IBM’s “Cost of a Data Breach Report” found that it takes 279 days on average for organizations to identify and contain a breach: 206 days to first identify a breach after it occurs, followed by an additional 73 days to contain it! Set a 206-day mean detection time against an audit cycle of up to two years and the question answers itself: maybe an audit every two years isn’t enough?
At the very end of last year, Forrester Research produced its “Tackling the Unsexy Challenge Of Mainframe Modernization” report. They found that 85% of companies say that mainframe security is a top priority. They also said that 95% of their respondents cite a breach of customer data as the most concerning consequence of a mainframe security failure. The other concerns, in order, were compliance, risk management, IT cost reduction/optimization and application availability.
“Don’t Let Mainframe Security Complacency Leave Your Critical Customer Data At Risk,” a Forrester Opportunity Snapshot commissioned by Key Resources Inc., found that only 33% of companies say they make mainframe decisions based on security always or often. Even allowing for Key Resources being a security company, this must be a worrying figure. I would think that having good security and being compliant with all applicable regulations marks out a company as one that will still be in business in five or 10 years’ time. They also found that 81% of companies say having the right resources to secure the mainframe environment is critical or a high priority, which is good to see, but what about those other 19%? 65% of companies said they found it easy to find the right tools to manage mainframe security, but 61% said that it’s difficult to find the right personnel to manage mainframe security. 96% of companies use or plan to use third-party mainframe security tools, and 95% of companies use or plan to use third-party resources to review their mainframe security and compliance. They also found that 73% of sites thought a reduced risk of data breaches was a benefit they were experiencing, or anticipated, as a result of using mainframe security tools and resources.
Syncsort’s Annual Security Survey found that 55% of respondents said their company had experienced at least one security breach, with more than a third of those saying a breach had occurred within the past three years. That’s still more than half the sites surveyed. The survey also found that 25% of companies experiencing a breach discovered that sensitive data, such as account information or personal data, was compromised. 29% said the breach was detected in less than a day, and only 31% met their mean-time-to-detect goal. That figure is very different to IBM’s reported average of 206 days to detect a breach. The two surveys cover different populations, but whatever the shape of the distribution, a mean of 206 days alongside a sizeable group detecting in under a day means there must be a long tail of sites taking over a year to detect a breach!
Interestingly, according to the Privacy Rights Clearinghouse, a non-profit organization that tracks publicly disclosed breaches, 807 breaches were reported in 2018, resulting in the exposure of over 1.3 billion records of sensitive data.
Syncsort’s survey went on to say that 30% of respondents conduct audits every three months, 21% every six months, 26% annually, and 23% either less often or don’t know. Compare that to BMC’s survey result of 92% of sites being audited at least every two years. Syncsort found that 70% of respondents use in-house staff for compliance and security audits, 44% use independent auditors, and 39% use consulting services; respondents could select more than one option. Although the figures are low, it’s still worrying to read that 7% of respondents had failed an internal security audit, and 5% had failed a compliance audit related to cybersecurity. An audit is only useful if a failure leads to remediation, so the more interesting question is what those sites did next.
When it comes to improving security at their sites, the survey found that 34% of sites are increasing expertise and awareness by adding internal IT staff and/or enhancing the skills of their existing staff. It also found that 19% are using third-party consultants/contractors, 19% are providing security training for rank-and-file company personnel, and 23% are planning investments in a number of key technologies, including data encryption. Within that, 19% are investing in configuration-change management, 18% in identity management, 17% in privileged user management, 16% in user authentication/two-factor authentication, 16% in secure file transfer, 14% in data-change logging, and 14% in SIEM solutions.
It was interesting to see that 38% of respondents had increased spending in the past three years on security-related technologies. 28% had increased spending on third-party resources to support security. 26% had increased spending on internal resources to support security. And 10% had appointed a CSO or other C-level executive to be in charge of security. Again, respondents could tick more than one box. So, overall, how confident were they in their organization’s IT security? Worryingly, 70% of respondents said that they are only somewhat confident (or worse) in their company’s IT security.
The survey results make it abundantly obvious that many sites have a lot of work to do in terms of their mainframe security and compliance. It may mean that they need to buy in software or employ more staff. But whatever they do, maintaining the security and integrity of their data has got to be cheaper than experiencing a data breach, losing personally identifiable information, and incurring fines for non-compliance with regulations, in addition to remediation costs and loss of reputation.