Careless, Reckless Staff Are Corporate Security's Biggest Threat
There is no such thing as a 100-percent secure environment. Security is a process and an ongoing work in progress. Organizations must be ever-vigilant and assume responsibility for their system and network security. Corporations, C-level executives, IT and security administrators, and end users need to be aware of, proactively identify, and thwart the innumerable potential security risks.
Feb 7, 2014 5:00 AM PT
We have met the enemy and he is us.
Pogo's philosophical observation perfectly describes the way IT and security professionals view their end users' attitude toward data security.
An overwhelming 80 percent of corporate security professionals and IT administrators indicated in a recent survey that "end user carelessness" constituted the biggest security threat to their organizations, surpassing the ever-present peril posed by malware or organized hacker attacks.
Users' cavalier attitude toward security was further exacerbated by corporate executives who failed to support their security administrators by enforcing computer security policies.
Sixty-five percent of business respondents did not calculate the cost or business impact of security-related downtime, and more than 30 percent of firms were unable to detect or defend against a security breach in a timely manner when one did occur.
Leading Security Threats
These are among the top findings of the ITIC/KnowBe4 "2013 -- 2014 Security Deployment Trends Survey." The joint independent (non-vendor sponsored) Web-based survey polled more than 550 organizations during November/December 2013 on the leading security threats and challenges facing their firms.
The survey asked security professionals and IT departments to identify their top priorities over the next 12 to 18 months.
IT departments are frustrated by the careless disregard many end users have for safeguarding their BYOD and mobile devices, the results indicate.
IT and security administrators expressed anger regarding users' lack of concern for the consequences of a laissez-faire attitude toward security.
Particularly in small and mid-sized businesses with limited budgets and IT resources, IT and security administrators are hard-pressed to stay abreast of the myriad security issues that represent just one portion of their overall job responsibilities, the survey found.
Some 44 percent of respondents said their IT departments and security professionals spent less than 20 percent of their time on daily operational security. Another 32 percent said they devoted 20 percent to 40 percent of their time on security. Only 20 percent of participants dedicated a significant portion of their daily and weekly administrative activities to securing their systems and networks.
The inclusion of essay comments and first-person interviews with C-level executives, as well as IT and security administrators, allowed the ITIC and KnowBe4 survey went beyond statistics to delve into companies' most pressing security issues and challenges. Those conversations revealed that organizations -- particularly small and mid-sized businesses -- are especially anxious about the dearth of resources to secure their environments at a time when hacks are becoming more pernicious and hackers more proficient.
Security Pros Frustrated by Carelessness
IT and security administrators find themselves in the unenviable and frustrating position of being caught in the middle between upper management and end users, anecdotal data also suggests. They have difficulty convincing upper management to allocate the necessary monies and resources to secure their networks.
At the same time, IT and security managers find it increasingly challenging to safeguard their networks against end users. The Bring Your Own Device, or BYOD, trend has resulted in many users unwittingly making corporate networks vulnerable to malware, viruses and phishing threats by falling for scams or clicking on bad links.
"The first rule of security is that you cannot trust your end users; they will click yes to anything and damn the consequences," fumed an IT manager at a local municipality in the survey's comments.
"Fully 100 percent of our security issues involve dealing with the consequences of users clicking on bad links or downloading dodgy files, no matter how many times they are warned against it," observed the security administrator at an East Coast law firm.
"Employees remain the biggest single threat to any organization, including ours, and we are very aggressive about increasing employee awareness," said a security manager at a Midwestern firm. In addition to mandatory security training, this firm proactively sends out monthly secure newsletters and hosts monthly security-focused meetings complete with speakers and videos.
"Despite our efforts, we still have end users that click on bad emails and fall for phishing messages and infect their computers," she added. "UGH!"
Without the appropriate level of security controls, the adoption of security awareness training, and the implementation and enforcement of strong computer security policies and procedures, organizations' data is at increased risk of malware invasions, cyberattacks and litigation.
Other Survey Highlights
The survey's biggest revelation is that organizations view their end users as a bigger threat than malware, phishing scams or deliberate internal or organized external hackers! The 80 percent of survey participants who said the "carelessness of end users" poses the biggest threat to organizational security far outpaces the 57 percent who cited malware infections as the largest potential security problem.
Among the other survey highlights:
- Top security priorities: 55 percent of users cited "ensuring adequate and robust security for the business' needs;" 44 percent cited the need to provide security awareness training.
- Some 65 percent, or a two-thirds majority of businesses, did NOT calculate hourly security downtime costs, compared to 21 percent of participants who said they did estimate the cost/impact of security downtime.
- Of the 21 percent of organizations that claimed to track downtime costs, only 38 percent of respondents were able to provide specific cost estimates of hourly losses due to security breaches. In reality, only 5 percent to 8 percent of the total number of 500 respondent businesses were able to provide specific cost estimates related to security breaches/hacks.
- Some 35 percent of firms expressed fear/concern about the threat posed by external, organized hackers.
- Malware and viruses remain the most common type of security breach, according to 56 percent of survey participants.
- A 7 percent minority of IT departments spent a 60 percent to 100 percent majority of their time on security-related endeavors.
- Just 3 percent of firms indicated they had experienced more than 10 security breaches during the last 12 to 18 months.
Corporations do realize strong security is essential. When asked about their organization's top security priorities in the immediate and intermediate future, a 55 percent majority indicated "ensuring robust and adequate security," followed by 44 percent who cited the need to obtain security training for "IT staff and end users." Forty-three percent of respondents said their companies must "update and enforce security policies."
There is no such thing as a 100-percent secure environment. Security is a process and an ongoing work in progress. Organizations must be ever-vigilant and assume responsibility for their system and network security.
The joint ITIC/KnowBe4 2013 -2014 Security Deployment Trends Survey findings emphasize the need for corporations, C-level executives, IT and security administrators, and end users to be aware of, proactively identify, and thwart the innumerable potential security risks.
Cooperation among all parties -- including upper management, IT and security administrators, and most of all, the end users -- is crucial. A chain is only as strong as its weakest link. As the hacks grow more pernicious and the hackers more proficient, they almost invariably will find a way to exploit even the smallest vulnerability.