Yes, the NSA remains in the news along with Edward Snowden, but security professionals are living in the here and now and are more concerned with everyday issues like external threats from the bad guys, a new survey said.
“While the debate over the NSA and its authority does carry importance, this survey clearly demonstrates that IT security pros are more concerned with cybercriminals than government action,” said Fred Touchette, senior security analyst at software-as-a-service provider, AppRiver. “These are the people who deal with security every day, whose jobs depend on keeping networks secure, and who see threats as a practical problem, not a theoretical or philosophical issue.”
More than 110 attendees at RSA Conference 2014 took the survey, conducted via in-person interviews by AppRiver, a provider of email messaging and Web security solutions.
When asked to name the most dangerous threat to the security of their organization, the response breakdown follows:
• 56.2 percent of respondents report cybercrime from external sources as most problematic
• 33 percent said insider threats with non-malicious intent give them the most trouble
• 5.3 percent blame malicious insiders for causing the biggest security headache
• 5.3 percent point the finger at external threats from government as chief offender
Malware, including email-borne and web-based threats, topped the list of most concerning threat vectors followed by personally identifiable information (PII) and social engineering. The majority of respondents, 71.4 percent, cited people as the most frequent (or most likely) point of failure for IT security. 21.4 percent faulted process and 7.2 percent labeled technology as the weak link.
“As a new breed of cybercriminal gets more sophisticated, IT security pros believe employees are not prepared for the more serious threats,” Touchette said. “This chasm demands a comprehensive security strategy that takes into account all threat vectors from technological and human standpoints. Organizations need a layered security approach that includes technology, training, awareness and enforcement to keep both inadvertent and intentional attacks from happening.”
Despite the Snowden incident, more than two thirds of respondents do not think it is time to ask employees to take psychometric tests to determine their honesty. When asked if IT security pros themselves would be willing to take such a test as a condition of employment, more than 65 percent said yes.