BreachExchange mailing list archives

IT security more critical now than executives expected two years ago


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 9 Jan 2014 17:21:21 -0700

http://www.cso.com.au/article/535495/it_security_more_critical_now_than_executives_expected_two_years_ago/

Business executives realise information security has become a significantly
higher priority over the past two years than anticipated back then – and
will continue to grow in importance over the next two years as new
technologies and human factors continue to bite, recent survey results have
revealed.

The 11th Annual Information Security Trends report, published recently by
industry group CompTIA, found that 28 per cent of respondents said
information security was a significantly higher priority now than it was
two years ago, with 37 per cent saying it would be a significantly higher
priority over the next two years.

Fully 51 per cent of respondents said information security had become a
moderately higher priority in the past two years, while 44 per cent said it
would be a moderately higher priority over the next two years.

By contrast, just 18 per cent said there had been no change in their focus
on information security in the past two years, with 17 per cent saying they
did not anticipate such a change in the next two years.

“Larger companies tend to display an even greater sensitivity to security
concerns than their smaller counterparts,” the report adds, noting that 35
per cent of large companies rate security as a significantly higher
priority today than two years ago – and that 47 per cent expect this
priority to increase in the next two years.

Malware was the largest source of serious concern, having been cited by 53
per cent of respondents, while human error among general staff was named by
55 per cent of respondents as a moderate concern. Some 48 per cent of
respondents said malware was more critical today than in the past, with
hacking (47 per cent), social engineering/phishing (38 per cent), data
loss/leakage (30 per cent) and understanding the security risks of emerging
areas such as cloud, mobile and social (39 per cent) also seen as being
more critical today than in the past.

Interestingly, the survey found that 82 per cent of respondents found their
current level of security as being completely or mostly satisfactory – even
though small and medium firms consistently reported less use of key
security tools in areas such as data loss prevention, identity and access
management, formal risk assessment, security information and event
management, enterprise security intelligence, and external vulnerability
assessments.

“Viewpoints on threats and the usage patterns on defence mechanisms, when
taken together, suggest that many companies may be assuming a satisfactory
level of security without truly performing due diligence to understand
their exposure,” the report warns.

A particular area of exposure lay within the human factor, with human error
named as a factor in 55 per cent of security breaches and IT staff found to
be as guilty of non-compliance as general staff.

This included cases where an end user failed to follow policies and
procedures (42 per cent of cases), IT staff failed to follow policies and
procedures (41 per cent), there was a lack of security expertise with
websites or applications (39 per cent), and there was a lack of security
expertise with IT infrastructure (38 per cent).

“The issue may be that companies are unsure how to tackle the problem,” the
report suggests. “With the top sources for human error being a failure to
follow policies, the issue is one of education rather than technical
improvement.

“Companies are finding that they must shift their education to be more
interactive, ongoing, and measurable in order to raise the level of
awareness and expertise in security.”