BreachExchange mailing list archives

CISOs anxious about possible data breaches, employees not so much


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 2 May 2014 13:37:50 -0600

http://net-security.org/secworld.php?id=16788

If you are a Chief Information Security Officer, chances are you may not be
getting much sleep lately, according to a recent survey of IT security
executives at companies of 500 or more employees.


The survey, conducted in March 2014 by Courion, revealed that 78 percent of
respondents are anxious about the possibility of a breach at their
organization.

What's more, IT security executives are increasingly aware that they are on
the front line, maintaining brand equity and protecting customers' privacy
and personal data.

58.8 percent identified "protecting the privacy of our customers" as their
primary goal in addressing a significant security breach, and 62.7 percent
admitted they most fear "negative publicity affecting the company brand,"
should a breach occur within their organization.

"Our recent survey confirmed what we've been hearing from many customers
over the past few years, the role of the senior IT security executive is
constantly changing," said Christopher Zannetos, president and CEO of
Courion. "Not only are they thought of as the front line defense for
protecting sensitive company and customer information, they also feel
responsible for brand image and customer satisfaction. IT security cannot
tackle all this alone, however. We believe, and this survey confirmed, that
better employee education and management of user access can provide much
needed support for the security team."

Respondents cited "managing user access" and "communicating or enforcing
company policies" among top security priorities in 2014, but also believe
other stakeholders may not consider the careful control of user access an
important issue.

For example, respondents said that while 95 percent of their IT security
team considers preventing security breaches a serious issue, they believe
only 45 percent of the employee base feels the same.

Indifference at the employee level, lack of knowledge and malicious acts by
trusted insiders can present a challenge for IT security, as evidenced by
the 2014 Verizon Data Breach Investigations Report, which included "insider
misuse" as one of the nine basic patterns that all breaches can be
described by. Within this pattern, "privilege abuse" was the top threat
action observed in 88 percent of security incidents.

This is meaningful, since "Account Monitoring and Control", "Controlled
Access Based on the Need to Know" and "Controlled Use of Administrative
Privileges" are three of the Top 20 Critical Security Controls recommended
by the SANS Institute, one of the largest sources for information security
training and security certification in the world.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/