Hubris Precedes Regret (and Security Breaches)

Brian Wood Blog

Just when you think you’ve got it all figured out — BAM!

Intrusion. Malware. Data leak. Data loss. DARN IT!

When will we silly people ever learn what Andy Grove taught us? “Only the Paranoid Survive”

The first article was posted on Help Net Security and the second is by Antone Gonsalves in CSO.

Emphasis in red added by me.

Brian Wood, VP Marketing


The risks of having a false sense of security

Organizations are overwhelmingly confident in their readiness to combat security threats, but may not be prepared for dangers linked to new technology models and increasingly sophisticated threats, according to CompTIA.

The overwhelming majority of companies (82 percent) surveyed view their current level of security as completely or mostly satisfactory.

But just 13 percent of firms say they’ve made drastic changes to their security approach over the past two years. This at a time when organizations have embraced cloud computing; enabled employee BYOD practices; and expanded their use of social tools.

“The use of new technologies necessitates a change in security approach,” said Seth Robinson, director, technology analysis, CompTIA. “It’s clear why companies view security as a top priority; but what’s less clear is whether they are fully aware of which actions to take to build an appropriate security posture for a new era of IT.”

Levels of concern for a wide range of threats remain virtually unchanged from past years, too. Most companies still view hacking and malware as the preeminent threats. But a host of new dangers are quickly becoming more prevalent, including Advanced Persistent Threats, Denial of Service attacks, IPv6 attacks and mobile malware.

“To truly ‘move the needle’ on security readiness, the overall approach must be re-evaluated from the top level of the business down through all departments,” Robinson continued.

Throughout the 11 years of the CompTIA study the human element has been a major factor in both security readiness and shortcomings. This year is no different. Human error accounts for the majority of root cause in security breaches; and 51 percent of companies say human error has become more of a factor over the past two years. This may be due in part to the introduction of cloud computing, mobility and social media into the enterprise.

Yet it’s striking that few companies (21 percent) view human error as a serious concern.

“End users control powerful devices and business-class systems, often without the oversight of the IT team,” said Robinson. “While they may be able to use these devices and systems, they typically do not have the background knowledge and experience with security that allows them to recognize potential threats.”


Study: Companies are not as secure as they think

80 percent of respondents satisfied with current level of security despite only 13 percent having recently updated security approach

CompTIA, the nonprofit association for the IT industry, has a warning for companies: You are likely less prepared than you think for defending against security threats.

In a recent survey of 1,000 IT professionals and companies, CompTIA found that more than 80 percent believed their current level of security was completely or mostly satisfactory. This high level of confidence was expressed despite the fact that only 13 percent of the respondents had made drastic changes to their security approach over the last two years.

During that time, many organizations have embraced cloud computing, bring-your-own-device practices and expanded their use of social media, all of which would require new technologies and policies to secure. Without the latter changes, a company’s security is likely inadequate.

“Sometime in the past, they did a fairly thorough analysis of their security situation,” Seth Robinson, director of technology analysis for CompTIA, said Monday. “But with the large technology changes that we’re seeing today, that analysis may be a little bit stale.”

For many companies, the focus remains on hacking and malware as persistent threats. Yet, the landscape has changed dramatically with the rise of advanced persistent threats, denial of service and IPv6 attacks and mobile malware.

The survey indicates that many companies need to step back and re-evaluate their security tactics, starting with the top level of the business and working down through all departments.

For the 11 years CompTIA has been doing the annual survey, employee mistakes have always been a major cause of security breaches. In the latest report, more than half of the respondents said human error has become a bigger problem over the last two years.

CompTIA believes the increase is likely due to employees’ use of cloud services, such as Dropbox or Google Apps; mobile devices and social media. In the majority of cases, employees do not realize that their behavior is risky or violates corporate policies.

While acknowledging that human error has become a greater threat, only one in five of the respondents in the CompTIA survey viewed it as a “serious concern.”

This contradiction is likely because most human error stems from unfamiliarity with new technologies, Robinson said. While companies know how to bolster security against malware, they have less experience in solving problems that stem from a lack of education.

“Companies need to think about security education differently than they have before, so it’s taking some time for that to sort itself out,” Robinson said.

Companies are also struggling to find security professionals with the skills to lock down emerging technologies, CompTIA found. The areas most lacking in talent included cloud and mobile security, data loss prevention and risk analysis.