One-third (33%) of IT managers admit to successfully hacking their own or another organization. Nearly half of IT managers (45%) knowingly circumvent their own security policies. IT personnel are not following the same security protocols they’re expected to enforce. We revealed these results today in our new report, IT Confidential: The State of Security Confidence, which provides insight into the attitudes, behavior, and confidence levels of IT when it comes to the security of their organizations.
“Given that IT is the security gatekeeper for an organization, it was alarming to see such a high incidence of non-compliant behavior by IT personnel,” said Stephen Midgley, vice president, Global Marketing, Absolute. “Even if these actions are being performed to validate existing infrastructure, senior leadership should be aware that this activity is occurring. It may also be worthwhile to consider third-party audits to ensure adherence with corporate security policies.”
The report reveals that while 97% of IT decision makers placed security as a top priority for executives, with an expected increase in investment in security, the current state of security is not so rosy. 38% of organizations suffered a data breach within the last year, with IT believing that employees or insiders represent the greatest security risk to an organization (46%), more than hackers (38%) and competitors (11%).
On average, 33% of security protocols are not being followed by staff. As with our survey from last year, we found that attitudes toward data security are tied to age. The report reveals that younger IT professionals demonstrate a more optimistic and confident outlook for security, but they are also the most cavalier when it comes to data security. The younger generation, aged 18-44, are the ones most likely to hack their own organization (41%) and circumvent more security protocols (38% of protocols not followed).
IT decision makers bear the brunt of responsibility when it comes to data security, with 78% of those surveyed believing IT is primarily responsible for data security. It’s clear from our survey that employees are offloading their responsibility for data security to IT, who often pay the heaviest price (65% fear a data breach would mean losing their job). Younger workers are most likely to believe that the organization is capable of containing a breach and currently has effective data security in place, perhaps accounting for their more cavalier attitude about their own personal role in protecting that data.
In order to mitigate the risks to data security, we advocate for the following:
- Use Adaptive Security Protocols – to collect reliable data and respond appropriately based on the severity of the incident
- Address Insider Risks – by understanding behavior and activities that could be precursors to a security incident, educating staff, and monitoring for non-compliant activity, particularly on the endpoint
- Gain Deeper Visibility – with persistent oversight across all your devices and the data they contain, applying a layered approach that includes encryption, anti-malware and endpoint security such as Absolute DDS to provide proactive alerts when a layer fails, allowing for remote response capabilities
The research was conducted among 501 US adults age 18+ who worked in information security as either IT Director/Executive, IT Manager, IT Administrator, IT Security, or Other IT / information security management role at an organization with at least 50 employees.