According to Bussiere, both of these sectors are at the top because they are highly regulated. "By necessity and law, they are very 'tight' in terms of security. They have a slew of laws and guidelines surrounding it, punishing those that fail to comply," said Bussiere.
He cited an instance in which a fire broke out at a Singtel telecom exchange in Singapore in 2013, damaging the fragile fibre optic cables. Many of its users were affected and suffered network downtime for an unprecedented three days. Consequently, Singtel was fined, because such security breaches compromise personal information and cause availability problems, he added.
In contrast with these two sectors, the education industry was found to be the most neglected in terms of security, scoring an unremarkable 'D' grade (63 percent). It trails the pack with the lowest overall score, the lowest Security Assurance Index score, and the second-lowest Risk Assessment Index score. Challenges with assessing risks in the cloud and detecting transient mobile devices placed education at the bottom of the class.
To illustrate this finding: support among students in Hong Kong for the Umbrella Movement led to an increase in Chinese attackers on their university networks.
Three common areas of weakness across sectors
The survey respondents consistently cited cloud applications (D+) and cloud infrastructure (D) as two of the three most challenging IT components for assessing cybersecurity risks. Specifically, the most challenging IT component for assessing security risks is cloud infrastructure such as Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS).
"Cloud has been around for a while now, but there has been a recent spike in interest because the cloud savings tied to it are irresistible. Despite this increased interest, there is a lot of discomfort with being able to feel adequately secure in the cloud. You lose the comfort when you have to just trust that your data is sitting in some mysterious building that you can't enter. However, a lot of the risks are perceived risks, and not real risks," said Bussiere.
"For instance, if I maintain my own hardware in my own data centre, I can physically smash the server with a hammer when I decommission it. That's how I know that I've completely erased the data. But when I migrate to a cloud, I simply have to trust that my cloud service provider is doing the same thing," he added.
Rounding out the bottom three, mobile devices (D) were also reported as being particularly challenging when assessing cyber risks. The inability to even detect transient mobile devices in the first place (C) was another big challenge for the respondents.
Touching on the concept of BYOD (Bring Your Own Device), Bussiere said there are two aspects to it: enterprise-owned devices and personally-owned devices. For the former, IT security professionals can simply enforce security policies on the mobile devices through mobile device management (MDM) software.