Black Hat Survey Shows Increased Cybersecurity Concerns, Divided Focus
Black Hat USA 2016 is occupying the Mandalay Bay end of the Las Vegas Strip this week, which means some of the savviest information security professionals in the world are entrenched in all things infosec (and, potentially, some mischievous activities) for the next few days. Wondering what these pros think of the state of cybersecurity? Well, Black Hat organizers asked…and the answers they received reflect what you’re likely already thinking: It’s a jungle out there.
In its second annual survey of Black Hat USA attendees, Dark Reading, Black Hat, and UBM worked together to “gauge the attitudes and plans of one of the IT security industry’s most experienced and highly-trained audiences.” Responses were submitted by 250 security professionals (including management and staff), the majority of which work at organizations with 1,000 or more employees.
The 2016 Black Hat Attendee Survey report compares and contrasts this year’s results with those from the inaugural 2015 report. As this year’s report states of the 2015 results, “With so many security experts holding pessimistic attitudes about the coming year, it seemed as though the cybersecurity problem could not get much worse.”
But it has.
Want to share advice about ransomware and social engineering with your end users? Check out the Wombat Vlog.
Concerns Run High, Staffing and Budgets Fall Short
When asked about the probability that they will have to deal with a “major security breach” in the 12 months following the survey, 72% of respondents said it was a likely scenario (with 15% saying there was “no doubt” they would face the fallout from a major breach). With cybercrime rapidly establishing itself as public enemy #1, it stands to reason that companies would be well-staffed and poised to respond. But that doesn’t seem to be the case:
- 74% of respondents feel their organization does not have enough staff to defend itself against current threats (an uptick from 2015).
- 63% indicated that their departments do not have enough budget to counter current threats.
- 20% said they are “severely hampered” by budget restrictions.
People and Process Affect the End Product
Though 6% of respondents said that budget shortages were the primary problem their teams deal with, most of the infosec professionals (37%) said that the lack of qualified, skilled people is the biggest reason that enterprise IT strategies and technologies are failing. And it probably comes as no surprise that respondents said susceptible and negligent end users are the “weakest link in today’s IT enterprise defenses” — though it may shock you to know that the percentage of finger-pointers decreased from 33% in 2015 to 28% in 2016.
But all the blame can’t be placed on the shoulders of current employees (or the lack thereof). Also of concern are the 22% of respondents who said that “a lack of commitment and support from top management” is the top reason enterprises are unsuccessful in creating a cohesive, successful cybersecurity strategy. Unfortunately, infosec teams are receiving less organizational backing this year than last:
- Only 35% of respondents (down from 40% in 2015) said that non-security professionals in their organization definitively understand the IT security threats that face their business.
- Just 25% say those who understand are supportive of security efforts, a decrease from the 31% mark tallied last year.
- Like last year, 17% of respondents said those outside of their department are mostly “clueless.”
But what is perhaps the most interesting tale of the tape can be found when evaluating the responses to three different but related questions:
- Of the following threats and challenges, which are of the greatest concern to you?
- Which consume the greatest amount of your time during an average day?
- Which are of greatest concern to your company’s top executives or management?
The charts below present the top eight answers to each of these questions in the 2016 survey, as well as comparison data from 2015. (Each question allowed a maximum of three responses.)
|Greatest concern to respondents
|Greatest concern to executives/management (2016, 2015)?|
|Phishing, social network exploits, or other forms of social engineering (46%, 46%)||The effort to accurately measure my organization’s security posture and/or risk (35%, N/A)||Sophisticated attacks targeted directly at the organization (33%, 40%)|
Sophisticated attacks targeted directly at the organization (43%, 57%)
|The effort to keep my organization in compliance with industry and regulatory security guidelines (32%, N/A)||The effort to keep my organization in compliance with industry and regulatory security guidelines (28%, N/A)|
|Security vulnerabilities introduced by my own application development team (20%, 20%)||Security vulnerabilities introduced by my own application development team (27%, 35%)||Phishing, social network exploits, or other forms of social engineering (24%, 27%)|
|Data theft or sabotage by malicious insiders in the organization (19%, 17%)||Phishing, social network exploits, or other forms of social engineering (25%, 31%)||Accidental data leaks by end users who fail to follow security policy (20%, 27%)|
|Espionage or surveillance by foreign governments or competitors (16%, 20%)||Security vulnerabilities introduced through the purchase of off-the-shelf applications or systems (21%, 33%)||The effort to accurately measure my organization’s security posture and/or risk (19%, N/A)|
|Accidental data leaks by end users who fail to follow security policy (15%, 21%)||Internal mistakes or external attacks that cause my organization to lose compliance with industry or regulatory requirements (19%, 30%)||Data theft or sabotage by malicious insiders in the organization (17%, 29%)|
|Polymorphic malware that evades signature-based defenses (15%, 20%)||Accidental data leaks by end users who fail to follow security policy (19%, 26%)||Internal mistakes or external attacks that cause my organization to lose compliance with industry or regulatory requirements (16%, 27%)|
|Ransomware or other forms of extortion perpetrated by outsiders (15%, N/A)||Sophisticated attacks targeted directly at the organization (11%, 20%)||Data theft, sabotage, or disclosure by “hacktivists” or politically-motivated attackers (14%, 17%)|
Lack of Unification Is a Clear and Present Danger
It’s interesting to note that, though the chart above shows that the greatest concerns for respondents remained consistent (for the most part) between 2015 and 2016, daily routines have changed significantly over the past year. More interesting is the lack of overlap between the three 2016 lists:
- On a daily basis, respondents are unable to spend a significant amount of time addressing four of their top eight security concerns.
- Infosec professionals and their executive management teams are only partially aligned with regard to pressing threats. Just half of the respondents’ top eight concerns are shared by their organizations’ executives.
As is noted in the Black Hat survey report, “[T]oday’s security pros are facing an increasing gap between the priorities they themselves set for the security department and the priorities of those who control their time, people, and budgets. While they might be lying awake nights worrying about social engineering or targeted attacks, their days are spent mostly in more mundane tasks, such as maintaining compliance or troubleshooting internally developed applications.”
If infosec teams, managers, and executives continue to work at cross purposes, organizations are unlikely to reduce the risks associated with some of the most pressing cybersecurity threats. The lines of communication need to be opened, and priorities and resources should be better aligned to address these threats.
Ransomware Is Adding to the Phishing Threat
Ransomware was nowhere to be found on the 2015 survey, but its presence was felt in several areas this year:
- #8 on the respondents’ list of greatest concerns
- #1 on the list of emerging cybersecurity threats
- #10 on the list of most time consuming daily activities
- #10 on the list of executive and management concerns
The fact that most ransomware attacks are delivered via phishing emails compounds the social engineering threat (which is already the #1 concern of respondents and the #3 concern of executives in the 2016 survey). Add that to the ever-present anxieties surrounding employee-based risk, and it’s clear that these increasingly sophisticated threats are likely to plague infosec teams for some time to come.
In addition to technical safeguards (like whitelisting, antivirus updates, and vulnerability patches), organizations should prioritize security awareness training and implement a program designed to raise awareness, educate users, and streamline reporting of and response to potential phishing threats. Our Anti-Phishing Training Suite pairs our ThreatSim® simulated attacks, interactive training modules, and PhishAlarm® email reporting products to deliver a comprehensive solution for end-user risk management.
Stop by and see Wombat Security at Black Hat Booth #466 to learn more about our Anti-Phishing Training Suite and other products related to security awareness and training.