A couple of new surveys regarding cyber security issues unearthed a surprising finding: that fears regarding cybercrime far outweigh data privacy concerns a la the snooping activity by the National Security Administration (NSA) and even the nefarious theft and leakage of classified U.S. government data by former security contractor Edward Snowden.
“While the debate over the NSA and its authority does carry importance, our survey clearly demonstrates that IT [information technology] security pros are more concerned with cybercriminals than government action,” noted Fred Touchette, senior security analyst at AppRiver, which polled 110 attendees at the recent RSA Conference 2014 to discern their list of top cyber security worries.
“These are the people who deal with security every day, whose jobs depend on keeping networks secure, and who see threats as a practical problem, not a theoretical or philosophical issue,” he added. “Our survey shows that IT security professionals consider external threats from cybercriminals to be the more concerning issue facing the security of organizations’ sensitive information today.”
[Even the Federal Bureau of Investigation (FBI) recognizes the growing threat posed by cybercrime, as comments by newly-minted director James Comey at RSA’s annual meeting show.]
AppRiver, a provider of email messaging and Web security solutions, conducted its survey face-to-face with RSA attendees and asked them to name the most dangerous threat to the security of their organization:
- 56.2% of respondents report cybercrime from external sources as most problematic
- 33% say insider threats with non-malicious intent give them the most trouble
- 5.3% blame malicious insiders for causing the biggest security headache
- 5.3% point the finger at external threats from government as chief offender
Malware, including email-borne and web-based threats, topped the list of most concerning threat vectors followed by personally identifiable information (PII) and social engineering. The majority of respondents, 71.4%, cited people as the most frequent (or most likely) point of failure for IT security. 21.4% faulted process and 7.2% labeled technology as the weak link.
[The design of new computer networks themselves, particularly when it comes to “Cloud computing,” is creating a new breed of security nightmares as well; a topic discussed in the video below.]
AppRiver’s survey also found that despite the Snowden incident, more than two thirds of respondents do not think it is time to ask employees to take psychometric tests to determine their honesty. Yet when asked if IT security pros themselves would be willing to take such a test as a condition of employment, more than 65% said yes.
“As a new breed of cybercriminal gets more sophisticated, IT security pros believe employees are not prepared for the more serious threats,” AppRiver’s Touchette added. “This chasm demands a comprehensive security strategy that takes into account all threat vectors from technological and human standpoints. Organizations need a layered security approach that includes technology, training, awareness and enforcement to keep both inadvertent and intentional attacks from happening.”
One big factor in this new “recognition” of the threat posed by cybercriminals is the now-infamous theft of credit card data from big box retailed Target late last year – a massive hacking endeavor that’s forced Target to overhaul its cyber security systems as well as oust the company’s chief information officer.
[As an aside, here’s a presentation from RSA’s 2013 conference that dissects what’s being dubbed the “life cycle” of cybercrime.]
A survey conducted by Tripwire, Inc., a global provider of risk-based security and compliance management solutions, of over 150 attendees at RSA’s conference this year found that cyber-attack on Target is what’s really “opening the eyes” of many businesses to the cybercrime threat; more than the NSA snooping scandal or Edward Snowden’s illegal activities.
“It’s not surprising that the Target breach is having a significant impact on most organizations,” said Dwayne Melancon, Tripwire’s chief technology officer.. “The Target breach involved a lot of money, something enterprises understand in a very concrete way.”
The firm’s survey asked which security event, the Target data breach or Snowden leaks, had a greater impact on their budget and executive security awareness of cybersecurity and found:
- 52% of the respondents said the Target breach had a greater impact on their security budgets
- 56% of the respondents said the Target breach had a greater impact on their executives’ security awareness
- 27% of the respondents said neither the Target breach nor the Snowden leaks impacted their security budget
“The visibility of the Target breach, and the resulting financial ripple effect, has definitely gotten the attention of executives, particularly when it comes to third party security risks,” Melancon added.
“Many IT organizations will use this increase in awareness to increase security budgets, but the really smart IT security leaders will use this opportunity to engage with the organization in a more strategic, business-focused way,” he said. “Those who pursue this critical alignment of security with business goals will gain both resources and executive mindshare over the long haul, not just during this recent storm.”
And based on the scale and scope of recent cybercrime activities, a very stormy time may lie ahead.