To find out whether security spending actually addresses security threats, the Gartner Group surveyed security professionals at the Black Hat Conference. After all, organizations are working hard to combat security threats, yet data breaches continue to rise. Why is that? According to the results of the survey, there is a “disturbing gap” between the security priorities of these experts and the actual expenditure on security resources.
The 2015 Black Hat Attendee Survey polled 460 management and staff security professionals, predominantly at large companies. Because Black Hat is one of the top security conferences, the respondents included many top-level security experts. These experts have opinions on where the top threats are coming from, yet security spending seems to be going elsewhere:
- 57% of security professionals cite sophisticated, targeted attacks as their greatest concern; 26% say targeted attacks are among their top 3 spending priorities, and only 20% say targeted attacks are among the top three tasks they spend time on
- 46% say phishing and social engineering are a top threat, yet again addressing these threats is a lower spend / time priority (31%)
- 21% say accidental data leaks by end users not following security policy are a top concern, which is reflected in budgets (26% rank it as a top spend item) as well as time (31% rank it as a top 3 task they spend time on)
According to the survey, security teams spend the majority of their time addressing security threats that are not high priority. 35% of respondents say their most time-consuming task is addressing vulnerabilities in internally developed software (33% say addressing vulnerabilities in off-the-shelf software is also a top time-consuming task). Although software flaws do introduce threats, they were not identified as the top threat to organizations and are thus taking up a disproportionate amount of time. Other top areas where time is spent include addressing accidental leaks and potential regulatory compliance issues.
A whopping 74% of respondents think it likely their organization will face a major data breach in the next year, yet most feel unprepared (budget, staff, training) to deal with it. Many security professionals feel a disconnect between their own perception of threats and how management / supervisors and the media portray these threats. For example, many say the media focuses too heavily on hacktivists and managers focus too heavily on malicious insiders, skewing priorities within the organization. Many professionals believe phishing and social engineering do not get enough attention, which mirrors the conclusion that people are inevitably the root cause of most data breaches. 33% of respondents believe end users who violate security policy or who are fooled by social engineering attacks are the weakest link in today’s security, followed by a reactive vs proactive security stance and mobile device vulnerabilities.
There’s a lot we can take away from this survey in terms of re-assessing security priorities, but it’s also clear that new policies, processes and technologies need to be put in place to help balance the scales. For example, to address software vulnerabilities, automated patch deployment can be used to reduce the time IT spends on this item. More broadly, it’s clear that security must continue to focus on a balance of people, process and technology to address the security threats of tomorrow.
Absolute Software can help you gain visibility into each area of data protection – authentication, authorization, audit and administration – and can help you ensure that governance, risk management and compliance measures are in place. The unique persistence technology offers an important layer to any data security strategy and helps mitigate the risk of human error, rogue employees, and cybercrime. Absolute Software can help organizations plug the security holes created by mobility and human error. Learn more at Absolute.com