Most security pros don’t think a breach will happen to them
New findings from a Tenable Network Security study have uncovered an “It Won’t Happen to Me” mentality amongst security professionals.
According to the study, more than 90 percent of attendees surveyed at the 2011 Gartner Security & Risk Management Summit discussed large-scale, high-profile breaches like RSA, Citigroup and Sony with senior management, yet only 23 percent did anything beyond that.
“It would be impossible and impractical to make changes, updates or company-wide announcements for every data breach reported,” said Ron Gula, CEO and CTO at Tenable Network Security. “But with record-breaking exposures like what we’ve seen this year, there’s an opportunity for us to learn and to educate employees about the implications of a security breach and reinforce existing policies and information security practices. This is also a clear sign that the majority of security pro’s have been getting by on “just good enough’ security practices that help them pass an audit, but don’t truly secure their business.”
Nearly half (46 percent) of attendees surveyed had experienced some form of insider threat while at their current company, but surprisingly “preventing insider threats’ was ranked the second-lowest information security priority for the next six to eight months by the field. Even more surprising, one in three security professionals admitted that they had violated internal security policies they created in order to complete a work-related task quickly and/or easily.
“The productivity versus security battle continues to create problems for enterprises,” added Gula. “Employees, including privileged security professionals, are going to do whatever it takes to get the job done, regardless of policies or security risks.”
According to recent Verizon Business Data Breach Investigations Reports, insider threats are one of the leading sources of data leakage and theft. Findings indicate that nearly one in three breaches over the past two years came as a result of an insider attack, and, in 2010, 93 percent of insider breaches were considered deliberate, malicious attacks – a three percent increase over the previous year.
These statistics reinforce the critical need for real-time visibility into all network activity, policy enforcement and continuous assessment and monitoring within every enterprise.
The ubiquity of mobile devices and the continued consumerization of IT opens enterprises up to a variety of new security risks. As a result, attendees at the event marked mobile device security as their top information security priority for the second half of 2011.
It was closely followed by “neutralizing advanced persistent threats’ and “staying ahead of zero-day attacks.’ Not surprisingly, nearly 85 percent of attendees considered advanced persistent threats a real concern, but only 28 percent pegged it as one of their top concerns for their business.
“Top execs and key employees rely on smart phones, tablets and laptops to work from the road, so it’s not surprising that hackers see that transition and are increasingly targeting mobile platforms,” said Gula. “While it’s encouraging to see that the advanced persistent threat is front of mind for the majority of security professionals, it’s critically important for organizations to cut through the hype and understand the profile for these types of attacks, account for what’s at stake, and develop a strategy for protecting their most valuable digital and physical assets.”