A new global survey highlights the disconnect between security expectations and security reality for many IT/security professionals.
There is an awareness of the likelihood of security attacks (45% of respondents expect one within the next 12 months). There is ongoing empirical evidence of the failure of security professionals to stop these attacks — most recently with Equifax. Despite this, 89% of survey respondent believe they are in a good position to protect themselves from attack.
The survey report (PDF), ‘Security Practices and Expectations Following the World’s Biggest Breach‘ (Equifax) was published on Monday by Varonis. Five hundred IT and security professionals with personal responsibility for security were questioned between September 28 – October 6, 2017. Two hundred are located in the U.S., with 100 in each of the UK, France and Germany. All work for companies with more than 1,000 employees from within a variety of different vertical industry sectors.
SecurityWeek asked Matt Lock, director of sales engineers at Varonis, why there should be this difference between expectation and reality. One often-quoted possibility is the Optimism Bias (Wikipedia) — the hard-coded biological instinct that bad things happen to other people, not to me.
Lock doesn’t feel that the survey sheds any light on the reasons for the disconnect, merely that it exists. From a personal stand-point he points to over-confidence and possibly a lack of visibility into their own networks. On the former, he commented, “Some really do feel they are completely prepared and have figured out how to keep their organizations safe. In 2017, many well-respected organizations, which would seem to have the resources to ward off cyberattacks, fell victim to breaches and ransomware. Was over-confidence to blame?”
For the latter, he wonders if track-record might be a contributing factor: professionals who don’t believe they have been breached might believe “that what they’re doing must be working. The reality, however, might be that they have been breached but just don’t know it.”
Nevertheless, despite the confidence in their ability to resist future attacks, around 25% of the respondents confirmed that their organization had experienced data loss, data theft or ransomware during the last two years. This was highest in Germany, where 34% of respondents reported that their organization had been a victim of ransomware.
The perceived ability to resist attacks is not the only surprising detail to come from the survey. Given the relative imminence of GDPR next year, and the common perception that many companies are still not GDPR-compliant, it would be unsurprising to see ‘compliance’ as an issue of concern.
This is not shown in practice. In the US, compliance ranks only third in concerns for 2018 (behind data theft and data loss). In the UK it ranks fifth, behind the extra concerns for ransomware and cloud issues, while in neither France nor Germany does it rank anywhere in the top five concerns for next year.
“One possible explanation,” Lock told SecurityWeek, “is that the U.S. is reacting more strongly towards GDPR because there hasn’t been a regulation quite as stringent in place save for a few highly regulated industries. The attitude in UK, France, and Germany may be that GDPR is just a new spin on the current EU Data Protection Directive (DPD).”
However, he suggests this might change once GDPR starts to be enforced. One possibility is that organizations believe that 2018 will be a bedding-in period for the regulations, and they won’t be enforced before 2019. He also suggests that top-of-mind for security professionals could be their most recent fire-fight. “In many ways,” he suggested, “security professionals are fighting the last fight; they may be focusing their attention on ransomware and wipers, rather than looking ahead to the GDPR.”
A further surprising detail comes in the rate of cyberattack experience. A common perception is that the U.S. experiences more attacks than Europe. There are two reasons — firstly, it is simply a fact because of the degree of IT reliance in North American business; and secondly, the more stringent breach notification laws current in America make breach reporting more common than in Europe; that is, Europe doesn’t report all of the attacks it experiences.
However, this perception is reversed by the survey respondents. Twenty-three percent of U.S. organizations have experienced the loss or theft of company data over the last few years; but this figure rises to 29% in Europe.
“The results are surprising,” comments Lock; “and this survey gives us a peek behind the curtain. The figures in the survey suggest there’s no correlation, and that organizations are being hit in greater numbers than we previously thought — possibly they are simply keeping that information to themselves to avoid negative publicity. We may see a notable increase in reported attacks once GDPR kicks in. The results suggest the problem could be much worse than we realize.”