Security professionals cite mobile devices and spear phishing as the most concerning topics in a recent survey from CyberEdge.
The survey also revealed another unsettling new detail – for the first time, more than half (52 percent) of security professionals said they believe their organizations are more likely to be compromised than not. In addition, more than 70 percent of respondents said that their organizations had experienced a successful cyber attack in the last year, up from 62 percent the previous year.
“[Organizations] need to get better at preventing and detecting those attacks, to quarantine and mitigate those attacks before a lot of damage is done,” said Steve Piper, co-founder of CyberEdge, during a recent webinar.
The uptick in cyber events may be due to the difficulty in securing end-user devices rather than servers, Piper noted. Mobile devices represent the weakest link, he said, and spear phishing attacks are far likelier to succeed when employees haven’t been trained to avoid them.
However, organizations may be recognizing the importance of improving their security posture: 70 percent of respondents said they would devote more than 5 percent of their overall IT budget to security. They are also realizing that this requires more advanced technology; the survey showed that security analytics and malware analytics have grown in popularity. Advanced persistent threats (APTs), targeted intrusions in which an attacker gains a foothold and then works quietly to keep access over a long period, pose a larger problem and frequently go undetected by less sophisticated technology.
“The security industry has realized that traditional signature-based defenses are not enough,” said Piper. “They’re mission critical, they knock out a lot of the low-hanging fruit.”
From the point of view of security professionals, that still leaves the problem of securing systems against the organization’s own employees. Only 23 percent of respondents expressed confidence in their organization’s ability to monitor the activities of “privileged users” on a system. Piper explained that tracking this activity can stop malicious insiders and can also show where problems arose when mistakes are made.
With spear phishing attacks and mobile devices worrying security professionals, Piper recommended investing in tools that augment traditional email security, and training users of mobile devices regularly. BYOD adoption has doubled over the last year; it is here to stay, according to the CyberEdge report.
“I think what you’re seeing now is the evolution of smoke to fire,” said Piper. Mobile devices have been an area of concern for some time, and cyber incidents in 2014 showed the worry was well-founded. The survey showed that 59 percent of respondents experienced an increase in mobile device threats over the last 12 months. File-sharing applications such as Dropbox, Google Drive or Microsoft OneDrive also spark concern; on this point, most respondents are more worried about inadvertent exposure of confidential data than about attacks.
Budget is not the main thing holding organizations back from improving their security posture, as one might expect, Piper commented. Respondents cited low security awareness among employees as the number-one barrier to cybersecurity success. Piper recommended investing in training and even running simulated spear phishing tests, then gently informing the employees who fall for them of their mistake. Fewer than 20 percent of respondents feel they have invested enough in spear phishing education.
“Your users are your org’s last line of defense,” said Piper. “You need to invest in your human firewall.”
He also advised organizations to scan their networks frequently, or to employ outside vendors who offer continuous monitoring. A few respondents revealed that their organizations scan their networks just once a year.
“This honestly scares the hell out of me,” said Piper. Organizations are not paying enough attention to scanning their networks, he said; frequent scanning lets them uncover vulnerabilities much sooner. “Shame on those respondents.”
There are positive notes, Piper added. European security professionals are “leading the charge” in automated remote remediation – a way of salvaging malware-infected systems. And nine out of 10 security budgets are staying the same or increasing.
Piper offered this advice to security professionals – “Work smarter, not harder.”