Despite the US national security agency NSA and Snowden controversy sparking a serious privacy debate, findings from a new AppRiver, LLC survey suggest that IT security people consider external threats from cybercriminals to be the more concerning issue facing the security of organisations’ sensitive information.
Fred Touchette, senior security analyst at AppRiver, says: “While the debate over the NSA and its authority does carry importance, this survey clearly demonstrates that IT security pros are more concerned with cybercriminals than government action. These are the people who deal with security every day, whose jobs depend on keeping networks secure, and who see threats as a practical problem, not a theoretical or philosophical issue.”
More than 110 attendees at RSA Conference 2014 took the survey, which was by in-person interviews by AppRiver, a provider of email messaging and web security software.
When asked to name the most dangerous threat to the security of their organisation, the response breakdown follows:
•56.2 per cent of respondents report cybercrime from external sources as most problematic
•33 per cent say insider threats with non-malicious intent give them the most trouble
•5.3 per cent blame malicious insiders for causing the biggest security headache
•5.3 per cent point the finger at external threats from government as chief offender
Malware, including email-borne and web-based threats, topped the list of most concerning threat vectors followed by personally identifiable information (PII) and social engineering. The majority of respondents, 71.4 per cent, cited people as the most frequent (or most likely) point of failure for IT security. 21.4 per cent faulted process and 7.2 per cent labeled technology as the weak link.
Touchette adds: “As a new breed of cybercriminal gets more sophisticated, IT security pros believe employees are not prepared for the more serious threats. This chasm demands a comprehensive security strategy that takes into account all threat vectors from technological and human standpoints. Organisations need a layered security approach that includes technology, training, awareness and enforcement to keep both inadvertent and intentional attacks from happening.”
Despite Snowden, more than two thirds of respondents do not think it is time to ask employees to take psychometric tests to determine their honesty. When asked if IT security pros themselves would be willing to take such a test as a condition of employment, more than 65 per cent said yes.