A majority of organizations believe they will be more secure against data breaches in 2016, despite the fact that nearly three-quarters of organizations experienced a security threat last year.

Why the seeming disconnect? A growing number of organizations are investing in more advanced security solutions and are ramping up end-user training around data security best practices.

Those are among the findings of the recent study “Battling the Big Hack” from Spiceworks, which looked at IT professionals’ perceptions of the biggest IT security threats and the steps they’re taking to prevent security incidents and breaches within their organizations.

The study found that while 80 percent of organizations experienced a security incident in 2015, 71 percent of IT professionals expect their organizations to be more secure in 2016.

“The results show that IT professionals feel responsible for the security of their organization’s data, and in a world where technology is getting more complex and organizationally distributed, their jobs aren’t getting any easier,” said Sanjay Castelino, vice president at Spiceworks. “In reaction to these challenges, they’re being more proactive about preventing security incidents and breaches by learning about new threats, regularly educating employees about risks, and investing in more advanced security solutions.”

Bracing for external security threats in 2016

According to the study, the growing frequency and duration of security threats is “forcing IT professionals to evaluate their exposure to common and not-so-common issues they may face in 2016.”

IT professionals were surveyed on the most common security incidents their organizations experienced in 2015 and asked to compare them with the security challenges they expect in 2016. Among the findings:

“Malware attacks were reported by 51 percent of IT professionals in 2015 followed by phishing and spyware incidents at 38 and 34 percent respectively. This aligns closely to the percent of organizations that are concerned about these incidents in 2016. However, 53 percent said they’re concerned about ransomware in 2016, but only 20 percent of organizations experienced a ransomware incident in 2015.”

“Thirty-nine and 37 percent of IT professionals also expressed concern about data theft and password breaches respectively, but only five percent of organizations experienced an incident of data theft in 2015 and only 12 percent experienced a password breach.”

The study also asked IT professionals to disclose their concerns regarding individual hackers or groups. Forty-nine percent said they’re concerned about independent hackers; 36 percent cited rogue employees; and 25 percent said organized crime groups. Only 12 percent said they’re concerned about cyber-terrorist groups and state-sponsored hackers, and 10 percent indicated concern for hacktivist groups.

Internal threats a top IT security challenge

Confirming what some other recent IT security studies have reported, the Spiceworks report noted that end users represent the biggest challenge when it comes to IT security due to a limited understanding of security issues and resistance to security solutions and policies. Indeed, a large majority (80 percent) of respondents cited end users as a threat to data security.

So-called ‘Shadow IT’ -- the deployment of technology by employees without approval from the IT department -- is also a risk to their organizations, according to nearly half of respondents (48 percent).

IT professionals are also concerned about devices that have access to company data but provide less control to protect end users from breaches, such as mobile devices.

When asked which network-connected end points are at risk of a security breach in 2016, 81 percent of IT professionals indicated laptops and 73 percent indicated desktops, but smartphones and tablets weren’t far behind at 70 and 62 percent respectively. Nearly 50 percent of IT professionals are also concerned about network-connected IoT devices.

There is also good news in the study. “In order to protect end users from breaches on various devices in the workplace, 73 percent of IT professionals are enforcing end-user security policies and 72 percent are regularly educating their employees through lessons on topics such as ‘how to avoid malware’ and ‘how to spot phishing scams,’” the study noted.

More importantly, many organizations are focusing on data security awareness programs and on IT security training for IT staff.

“IT professionals are also focused on their own education and ensuring they’re up-to-speed on the latest security issues. In fact, 66 percent are taking the time to learn about new threats and 60 percent are regularly evaluating new security solutions,” the study concluded.