A survey amongst 250 IT security professionals, conducted during this year’s Infosecurity Europe show, has revealed that 20% of organizations believe malicious insiders pose the biggest threat to their security. A further 44% suggest employee’s ignorance could also cause defenses to crumble. Hardly surprising then that this audience firmly pointed the finger at ‘people’ (70%) as the most frequent point of failure in an organization’s IT security, with 20% citing processes and just 9% at technology.
The study, sponsored by AppRiver – a leading provider of email messaging and Web security solutions, is a repeat of a survey first conducted amongst 110 IT security professionals attending RSA in San Francisco earlier this year. That study found that, while the UK suspect internal breaches, more than 61% of US professionals cite the biggest threat to their organization’s security as cybercrime from external sources (compared to 35% in the UK) with only 33% suggesting the non-malicious insider as causing the most concern. Remarkably, just over 5% of US respondents blamed malicious insiders for breaches.
“Whilst the US blames external influences, the UK recognizes it is their own people who can act as the weakest link in an organisztion’s IT security posture – with ignorance the overarching driver. While it’s hard to plan for ignorance, the combination of education and automation would certainly help mitigate most non-malicious threats, especially as many IT professionals have faith in the technology they’re deploying,” said Troy Gill, senior security analyst of AppRiver.
When asked to name the most dangerous threat to the security of their organization, both UK and US professionals agree that malware, including email-borne and web-based threats, topped the list of most concerning threat vectors, followed by personally identifiable information (PII) and social engineering. Both are also in agreement that people are the weakest link in their system (UK 70%: US 71%), with processes next (20%:21%) and then technology (9%:7%).
Troy concludes, “We’ve seen a dramatic increase in phishing attacks since the beginning of this year, with many proving successful, which is a classic example of how an unsuspecting user can unwittingly put the organization at risk. Educating users to these types of attack vector is just one element of effective remediation. Better still is to remove suspect electronic packages automatically from mailboxes, rather than allowing someone to open the message and detonate the contained device.”
Given the recent Snowdon and NSA revelations, its perhaps a little surprising that both audiences still have faith in their governments with just 7% of UK respondents and 5% of US citing external threats from government as the biggest threat to their organization’s security.