Bit9 Security Survey: Nobody Wants To Be A Headline

Security Survey Says ...

Bit9, a developer of advanced threat protection security software, conducted a worldwide survey of 1,861 IT and security professionals in businesses and government agencies in March and April. The survey covered such topics as the biggest perceived threats and vulnerabilities, the effectiveness of security practices and legislation, and the amount of information IT organizations should disclose when a cybersecurity breach occurs.

The survey found that nearly two-thirds (64 percent) of the respondents think their companies will be targeted by a cyberattack within the next six months. And two-thirds attributed the increased threats to the growing number of hackers and better-organized criminal groups -- not media hype or weaknesses in their own defenses.

Likely Attackers

You might think businesses would be most worried about cybercriminals trying to steal credit-card numbers and other valuable data. But, when asked to rank the top three threats, 61 percent of survey respondents cited Anonymous and other hacktivists as the kind of attacker most likely to target their company.

"Last year we saw an explosion of hacktivist activity," said Harry Sverdlove, Bit9's CTO, explaining the surprisingly extensive worries about these groups.

Not that cybercriminals were far behind: Fifty-five percent said professional criminals were a likely threat. That was followed by threats from nation-states such as China and Russia, disgruntled employees and corporate competitors.

Cyberattack Methods

Given that security professionals fear cybervandals the most, it's not terribly surprising that malware is far and away considered the most likely means of cyberattack. Second on the list was spear phishing, a devious way to aim targeted attacks at savvier computer users who no longer fall for old-school phishing efforts.

Security professionals were generally more concerned with stealthy, pernicious attacks than with more publicly obvious incidents such as distributed denial-of-service attacks, said Sverdlove.

Security Breach Disclosures

One of the biggest controversies is how much a company should publicly disclose when it has been the victim of a cyberattack. Nearly all agreed the attack should be publicly disclosed. Roughly half thought disclosure should be limited to reporting only that the breach occurred and what, if anything, was stolen. And, 6 percent don't even think that basic information should be released.

The real disagreement comes over whether information about how the attack occurred -- the methods used and the vulnerabilities exploited -- should be made public. Only 29 percent of survey respondents were willing to reveal such information. Such disclosures "protect the rest of the industry because that's how other companies learn what types of attacks are occurring," said Sverdlove. But do they also help cybercriminals by making them aware of vulnerabilities?

And there is, of course, the embarrassment factor for the disclosing company. "Nobody wants to be a headline," Sverdlove said.

Is It Safe?

Security professionals don't appear very confident about the effectiveness of their security efforts. Only 40 percent felt their current cybersecurity strategy was highly effective in protecting infrastructure servers -- the IT crown jewels for most businesses and government agencies.

That confidence level dropped when respondents were asked about other types of servers, and it reached a low of 26 percent when they were asked if cybersecurity for laptop and desktop computers was highly effective. Other endpoint devices such as point-of-sale systems also got low security grades from security managers in retail, food service and hospitality industries.

With the rise of cloud computing and the explosive proliferation of mobile devices, security professionals were feeling even less sure about the effectiveness of their security efforts.

What's The Fix?

It's clear IT security professionals are looking inward to better protect their organizations against cyberthreats rather than counting on more advanced security technology from vendors and more effective laws and regulations from government.

More than half (58 percent) said it's up to them to develop and implement the best security policies and practices. Another 29 percent went even further and put the onus on individual employees to keep the bad guys out. Fifteen percent were counting on better security through technology, and only 6 percent thought government regulation and law enforcement were the key to solving the cybersecurity dilemma.
