For non-security professionals to not do anything to safeguard systems is one thing, but for the experts to tell senior executives about the great potential for a breach and then not do anything about it is quite another.
But that is exactly what is happening if you believe the survey of attendees at the Gartner Security & Risk Management Summit that Tenable Network Security independently conducted there.
Over 90 percent of respondents said they spoke with upper management about the latest attacks, but only 23 percent made any changes to their security infrastructure or took any additional steps.
“It’s a lot easier to keep running your traditional security tools. People have a comfort with their tools even though they know something is out there,” said Ron Gula, chief executive and chief technology officer at Tenable. “They’ve got some technical footprint, a compliance program … and they feel they are okay.”
Gula said the difficulty with reacting to the next big threat wave is that it’s often not realistic to make any major changes to an organization’s infrastructure. “Changing access control for employees, changing the technology” or enacting draconian security measures just isn’t realistic every time news of a new breach comes out, he said.
Close to half of the organizations surveyed said they have suffered some sort of insider threat incident. Even so, one in three of the security professionals said they had violated some internal security policies in the interest of productivity or convenience.
“As a security practitioner, it surprised me that one third had violated their own policies,” Gula said. It could be minor things like a non-connected, fully patched Windows machine without antivirus, for example, he said. Or, worst case, it could be bypassing the VPN or other controls.
Meanwhile, insider threat wasn’t at the top of their information security priority lists. The number one security priority for the second half of 2011 is securing mobile devices, followed by “neutralizing advanced persistent threats (APTs),” and then keeping ahead of zero-day attacks.
Around 85 percent of the respondents said APTs are a worry for them, while 28 percent said they are one of the top concerns.
Advice to organizations: focus on the difference between detecting attacks and bad insiders versus preventing them.