Security Experts:

IT Pros More Concerned About Employees Than Hackers: Survey

Despite the focus on exotic zero-day exploits and sophisticated hacking techniques, IT teams are more concerned about more mundane risks to their organizations, such as risky employee behavior and cloud security, a recent survey found.

Poor employee security behavior and greater cloud security top the list of things IT professionals worry about, according to a Sungard Availability Services survey released Tuesday. A common misconception says threats to organizations typically come from outside, but in actuality, many security breaches originate from within the organization and are driven by ignorance, Sungard AS said. Organizations aren’t doing enough to protect critical data and systems, the survey found.

“The writing is on the wall. IT professionals – beyond those who focus solely on security – are worried about internal and external threats that could put their organization in a compromising position,” said Matt Goche, director of security consulting at Sungard AS.

Insider Threats vs. HackersOnly 276 IT professionals took part in this survey in December 2014, so it's a very small sample. However, its findings echo other, larger, reports which concluded that insider threat and negligent employees pose the biggest threats to the organization's data and systems. Research firm Ovum found that 93 percent of the organizations in the U.S. in Vormetric's 2015 Insider Threat Report felt vulnerable to insider threats.

There have been recent reports of malicious insiders—such as the Morgan Stanley employee who accessed client information and publicly posted some of it on the Internet, or the rogue employee at AT&T who illegally accessed customers' personal information. Sometimes, the attackers don't have to break in—he or she is already one of you.

IT professionals said their colleagues pose the biggest threat to their overall security. But for the most part, it's ignorance—or negligence—that's the problem, not malice. When employees click on malicious links, or forget to put a secure passcode on their mobile devices, they aren't doing so because they want the organization to suffer a data breach.

Employees leave mobile phones and laptops in vulnerable places, said 62 percent of respondents, and 51 percent claimed employees share passwords, which was a direct threat to the company's overall security, the Sungard AS survey found.

Password sharing isn't the only issue, as overall password hygiene remains a problem. The two most common violations were password reuse and using strings made up of keys adjacent to each other on the keyboard (such as qwerty), the survey found. Requiring special characters and enforcing minimum password lengths were the two most important things security teams could do to improve password hygiene. Changing passwords often also made the list of good practices for password hygiene.

Security was the most overlooked factor when moving to a cloud environment, even though 54 percent of respondents felt security should be the most critical deciding factor when evaluating cloud offerings. Other factors include vendor support and cloud-based disaster recovery. About three-quarters of respondents said their organizations could do more to improve cloud security, such as asking targeted security questions to create a strong cloud migration plan, Goche said.

“People know cloud security is important but aren’t taking the necessary precautions to safeguard their organization’s resiliency,” Goche said.

Approximately half of the respondents said security planning programs should be the last thing to receive budget cuts. In fact, 60 percent of respondents said their organization needs to put more focus behind their security, by regularly testing the organization's security and resiliency.

Security is a threat from all angles, even if unintentional, Sungard AS said.  

ResourceUtilizing User Behavior Analytics to Mitigate Insider Threats

Resource: Using Active Breach Detection Against Advanced Attackers

view counter
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.