An overwhelming 80% of companies say that “end user carelessness” constitutes the biggest security threat to their organizations, surpassing the ever-present peril posed by malware or organized hacker attacks .
Additionally, 65% of businesses do not calculate the cost or business impact of security-related downtime and over 30% of firms are unable to detect or defend against a security breach in a timely manner when one does occur.
Those are among the top findings of the ITIC/KnowBe4 “2013 – 2014 Security Deployment Trends Survey.” The joint independent Web-based survey polled 500 organizations during October/November 2013 on the leading security threats and challenges facing their firms and their top priorities over the next 12 to 18 months. In order to maintain objectivity, ITIC and KnowBe4 accepted NO vendor sponsorship and none of the respondents received any remuneration for participating.
The data indicates that IT departments are hard pressed to stay abreast of myriad security issues which represent just one portion of their overall job responsibilities. Some 44% of survey respondents said their IT departments and security professionals spend less than 20% of their time on daily operational security. Another 32% said they devote 20% to 40% of their time on security. Only 20% of participants dedicate a significant portion of their daily and weekly administrative activities to securing their systems and networks.
The ITIC and KnowBe4 survey also went beyond statistics to delve into companies’ most pressing security issues and challenges via essay comments and first person interviews with C-level executives IT and security administrators. Those conversations revealed that organizations, particularly small and midsized businesses (SMBs), are especially anxious about the dearth of resources to secure their environments at a time when hacks are becoming more pernicious and the hackers more proficient.
The anecdotal data also suggests that IT and security administrators find themselves in unenviable and frustrating position of being caught in the middle between upper management and end users. They have difficulty convincing upper management to allocate the necessary monies and resources to secure the network. At the same time IT and security managers find it increasingly challenging to safeguard the network against end users. Many users unwittingly make the network vulnerable to malware, viruses and phishing threats via the “bring your own device” (BYOD) trend by falling for scams or clicking on bad links.
Without the appropriate level of security controls, the adoption of security awareness training and the implementation and enforcement of strong computer security policies and procedures organizations’ data is at increased risk of malware invasions, cyber attacks and litigation.
To reiterate, the biggest survey revelation is that organizations view their end users as a bigger threat than malware, phishing scams or deliberate internal or organized external hackers! The 80% of survey participants that said the“carelessness of end users” poses the biggest threat to organizational security far outpaces the 57% who cited malware infections as the largest potential security problem. Among the other survey highlights:
- Top security priorities: 55% of users cite “Ensuring adequate and robust security for the business’ needs;” 44% cited the need to provide security awareness training.
- Some 65% or a two-thirds majority of businesses do NOT calculate hourly security downtime costs compared to 21% of participants that said they did estimate the cost/impact of security downtime.
- Of the 21% of organizations that claim to track downtime costs only 38% of respondents were able to provide specific cost estimates of hourly losses due to security breaches. In reality, only 5% to 8% of the total number of 500 respondent businesses is able to provide specific cost estimates related to security breaches/hacks.
- Some 35% of firms expressed fear/concern about the threat posed by external, organized hackers.
- Malware & viruses remain the most common type of security breach according to 56% of survey participants.
- A seven percent minority of IT departments spend a 60% to 100% majority of their time on security-related endeavors.
- Just three percent of firms indicated they had experienced more than 10 security breaches during the last 12 to 18 months.
Corporations do realize strong security is essential. When asked about their organization’s top security priorities in the immediate and intermediate future, a 55% majority indicated “ensuring robust and adequate security” followed by 44% who cited the need to obtain security training for “IT staff and end users” while 43% of respondents said their companies must “update and enforce security policies.”
There is no such thing as a 100% secure environment, security is a process and an ongoing work in progress. Organizations must be ever-vigilant and assume responsibility for their system and network security.
The joint ITIC/KnowBe4 2013 -2014 Security Deployment Trends Survey findings emphasize the need for corporations, C-level executives, IT and security administrators and end users to be aware of, proactively identify and thwart the innumerable potential existing security risks.