Breaches Anticipated; Budgets, Staff, and Skills Still Lacking
Infosec professionals have a relatively grim outlook when it comes to the killer B's (breaches and budgets) and the killer S's (staffing and skills):
- 67% of survey respondents said it was likely they would have to deal with a “major security breach” in the 12 months following the survey, with 13% saying there was “no doubt” they would face the fallout from a major breach. These were both modest reductions from 2016 (72% and 15%, respectively).
- 60% agree that there will be a successful cyberattack on US critical infrastructure within the next two years; only 2% felt strongly that it would not happen. (This question was not asked in 2016.)
- 58% indicated that their departments do not have enough budget to counter current threats (vs. 63% in 2016).
- 20% said they are “severely hampered” by budget restrictions (just slightly below 2016's 21%).
- 71% of respondents feel their organization does not have enough staff to defend itself against current threats (down from 74% in 2016).
- 61% (vs. 57% in 2016) said though they can manage most tasks, they could use more training to handle current threats and perform all of their required job functions.
Alignment of Goals Remains an Issue
Like last year, most of the respondents said that the lack of qualified, skilled people is the biggest reason that enterprise IT strategies and technologies are failing (though the percentage dropped to 31% vs. 37% mark). And it probably comes as no surprise that respondents said susceptible and negligent end users are the “weakest link in today’s IT enterprise defenses.” with the percentage of finger-pointers rising from 28% in 2016 to 38% in this year's survey.
But all the blame can’t be placed on the shoulders of current employees (or the lack thereof). Also of concern are the 19% of respondents who said that “a lack of commitment and support from top management” is the top reason enterprises are unsuccessful in creating a cohesive, successful cybersecurity strategy. Though there are improvements over last year's results, infosec teams are still struggling to achieve organization-wide support:
- 42% of respondents (up from 35% in 2016) said that non-security professionals in their organization understand the IT security threats that face their business.
- 33% say those who understand are supportive of security efforts, an increase from the 25% mark tallied last year.
- 13% of respondents said those outside of their department are mostly “clueless” (down from 17% in 2016).
But what is perhaps the most interesting tale of the tape can be found when evaluating the responses to three different but related questions:
- Of the following threats and challenges, which are of the greatest concern to you?
- Which consume the greatest amount of your time during an average day?
- Which are of greatest concern to your company’s top executives or management?
The charts below present the top eight answers to each of these questions in the 2017 survey, as well as comparison data from 2016. (Note: each question allowed a maximum of three responses.)
|Greatest concern to respondents
|Greatest concern to executives/management (2017, 2016)?|
|Phishing, social network exploits, or other forms of social engineering (50%, 46%)||Phishing, social network exploits, or other forms of social engineering (35%, 25%)||Sophisticated attacks targeted directly at the organization (34%, 33%)|
Sophisticated attacks targeted directly at the organization (45%, 43%)
|The effort to accurately measure my organization’s security posture and/or risk (35%, 35%)||The effort to keep my organization in compliance with industry and regulatory security guidelines (30%, 28%)|
|Accidental data leaks by end users who fail to follow security policy (21%, 15%)||The effort to keep my organization in compliance with industry and regulatory security guidelines (32%, 32%)||Phishing, social network exploits, or other forms of social engineering (28%, 24%)|
|Polymorphic malware that evades signature-based defenses (21%, 15%)||Security vulnerabilities introduced by my own application development team (26%, 27%)||Data theft or sabotage by malicious insiders in the organization (17%, 29%)|
|Ransomware or other forms of extortion perpetrated by outsiders (17%, 15%)||Security vulnerabilities introduced through the purchase of off-the-shelf applications or systems (21%, 21%)||Ransomware or other forms of extortion perpetrated by outsiders (18%, 10%)|
|Data theft or sabotage by malicious insiders in the organization (19%, 17%)||Internal mistakes or external attacks that cause my organization to lose compliance with industry or regulatory requirements (21%, 19%)||The effort to accurately measure my organization’s security posture and/or risk (18%, 19%)|
|Attacks or exploits on cloud services, applications, or storage systems used by my organization (15%, 11%)||Accidental data leaks by end users who fail to follow security policy (18%, 19%)||Accidental data leaks by end users who fail to follow security policy (18%, 20%)|
|Security vulnerabilities introduced by my own application development team (15%, 20%)||Sophisticated attacks targeted directly at the organization (16%, 11%)||Internal mistakes or external attacks that cause my organization to lose compliance with industry or regulatory requirements (14%, 16%)|
As noted in the chart, many of the top concerns remained consistent from 2016 to 2017, but there were some interesting changes to note:
- Phishing and social engineering attacks are now the most time-consuming activity for IT professionals in addition to being the top concern (up from #4 in 2016).
- Unlike 2016, ransomware and other extortion-based attacks are now a top concern for executive and management teams.
- Concerns about nation-state, espionage, and "hacktivist" activities dropped for both IT pros and executives this year.
What remains troubling is that the top cybersecurity concerns of infosec professionals are not always shared by their management teams, nor are they the focus of day-to-day activities:
- On a daily basis, respondents are unable to spend a significant amount of time addressing four of their top eight security concerns. This is a red flag for ransomware in particular, which is the #5 worry for both IT pros and executives, but is not among the top action items.
- Infosec professionals and their executive management teams are only partially aligned with regard to pressing threats. Just five of the respondents’ top eight concerns are shared by their organizations’ executives (though there was an improvement from 2016, when just four of eight concerns matched up between the two).
There is an increased risk to organizations if infosec teams, managers, and executives continue to work at cross purposes. This disconnect was cited as a "comment theme" among respondents, with the report stating, "As in past years, security pros say they continue to struggle with corporate management that sets priorities differently than they would."
The Average Consumer Is Unaware, Unprotected
This year, the survey asked infosec professionals what they feel are the greatest issues for the average US consumer, a topic not covered in prior years:
- Lack of awareness about phishing and social engineering attacks was flagged as the most significant threat.
- The "constant breach of consumer information at companies entrusted with that data" was the second-most cited IT challenge for consumers.
- Just 14% of respondents feel that the average US consumer's personal data is safer now that it was in 2016.
So...what does the average consumer's lack of awareness mean within the enterprise? The reality is that, generally speaking, those consumers are also employees. What they don't know can impact their personal security but also your organization's security posture. And their personal habits and lack of knowledge absolutely do transfer to the workplace, as is evidenced by our recently released User Risk Report.
As such, in addition to implementing technical safeguards (like whitelisting, antivirus updates, and vulnerability patches), organizations should prioritize security awareness training and deliver programs designed to raise awareness, educate users, and streamline reporting of and response to potential phishing threats. Our Anti-Phishing Training Suite offers an ideal option for organizations of all sizes as it pairs our ThreatSim® phishing tests, interactive training modules, and PhishAlarm® email reporting products to deliver a comprehensive solution for end-user risk management.