
Tuesday, November 22, 2016

Tripwire Study: Retailers Overconfident in Endpoint Cyber Security Despite Point-of-Sale Threats

Are your IT professionals overconfident about your company’s cybersecurity?

We’ve all heard the phrase “you don’t know what you don’t know” used either as a cautionary tale or in a “let the chips fall where they may” sigh of resignation. While this type of thinking may encourage your team to dig in and actually seek out what they don’t know, it is far too often the hallmark of a team resigned to the status quo. This type of thinking from your IT department can be deadly to your company.

On the other hand, overconfidence on the part of your IT department, while perhaps soothing in a boardroom, can also sound the death knell for your company. When you query your IT department on potential threats and planned mitigation, how do you know that you are getting realistic data, as opposed to overly optimistic bravado? How much will it cost your company if they are wrong?

Overconfident IT Professionals

Acutely aware of this issue, Dimensional Research recently undertook a study to determine confidence levels of IT professionals in the retail sphere pertaining to the efficacy of seven key security controls. These particular security controls are those that must be in place in order to rapidly detect and stop a cyber attack in progress.

The results of the study showed that participants were in fact overconfident about their ability to swiftly gather the information necessary to recognize and remediate a cyber attack. Of those surveyed, 71% were confident that they could uncover configuration changes to endpoint devices located on their network within hours. Only 51% of participants knew exactly how long this would actually take.

According to another 2016 study, cyber attackers were often able to compromise systems within less than an hour, but in 79% of those cases, it took the IT professionals weeks or months to discover the breach.

Understanding Detection and Remediation Controls

The controls that Dimensional Research focused on are security controls required by a number of compliance regulations, including:

  • PCI DSS
  • SOX
  • NERC CIP
  • MAS TRM
  • NIST 800-53
  • CIS Top 20
  • IRS 1075

You may not know what all of these regulations are, but your IT professionals certainly should be well versed. These regulations can help guide IT and IS compliance policies and procedures. Some of the topics and recommendations include:

  • Maintaining accurate hardware and software inventories
  • Ongoing configuration management and hardening
  • Patch management
  • Vulnerability management
  • Log management
  • Identity and access management

Ensuring your IT department can quickly identify when attacks are occurring and shut them down before damage can be done is crucial to your organization’s reputation and bottom line.

Don’t Let Overconfident IT Professionals Be Your Demise

It’s true that you don’t know what you don’t know. Fortunately, our compliance attorneys do. Our compliance and counseling team advises clients and works closely with their compliance staff to assist in developing and implementing programs, policies and procedures to ensure adherence to IT and IS rules and regulations. If you are in need of regulatory counsel, contact the attorneys at Lehman & Eilen for a consultation or call (516) 222-0888.

© 2019 Lehman & Eilen LLP | Attorney Advertising