Survey: 2015 Black Hat Survey – Poor Employee Training a High Risk
The 2015 Black Hat Survey results are in and, as we enjoy doing with security surveys and studies, MediaPro digs through the findings and gives you the most important discoveries. This year, during the Black Hat USA Conference, attendees were surveyed to measure the outlook and plans common among this highly experienced and trained cybersecurity audience.
Nearly three quarters (73%) of survey respondents believe it's likely their organization will face a major breach within the next 12 months. Sadly, they also believe they won't have the time, the budget, or the training to handle that breach effectively (Yikes!).
Breaking our hearts further, nearly a quarter of respondents (22%) described their security departments as "completely underwater." Not exactly the feeling of confidence we'd like from the folks protecting our businesses.
These are just some of the key takeaways from Black Hat’s 2015 survey which snapshots an industry exploding with growth, new money, and (mostly unfortunate) mainstream headlines.
What else did the Black Hat Survey of top-level security experts find?
We break it out for you below, but be warned, it’s not all sunshine and rainbows.
The Breaches Are Coming! The Breaches Are Coming!
Okay, so breaches may be imminent, but why is this happening? Why are security fears and breaches rising when security budgets are higher than they’ve ever been before (remember, Gartner told us enterprises will spend more than $76.9 billion on information security in 2015)? What are we doing wrong?
It might be a matter of priorities. Defending against sophisticated targeted attacks is a critical worry (57% of respondents cited it), but it turns out many of security pros' fears aren't related to outsiders at all. They're tied to the same people with whom they share office space.
46% of respondents named phishing and other social engineering attacks among their top security concerns, yet only 31% said they spend a large share of their time dealing with social engineering.
The Black Hat Survey indicates that we're still not putting adequate resources into the human element of data security risk. It doesn't matter how much you invest in top-of-the-line security software; all it takes is one employee falling for a phishing email to bring business to a halt. Better corporate security requires smarter employees.
The Most Time-Consuming Security Tasks (Time & Budget)
As a security professional, you'd like to think most of your time is spent preparing for upcoming threats or stopping targeted attacks from outside. But that's not where your time or your budget actually goes.
According to the survey, two of the three most time-consuming tasks facing security professionals are addressing vulnerabilities introduced by internally developed software (35%) and dealing with phishing, social network exploits, or other forms of social engineering (31%). Again, we're spending our time fixing problems that people, not technology, have created.
As for what consumes the greatest share of IT security spending, you may have guessed it: accidental data leaks top the list.
Strengthening the Weakest Link – The Human Element
33% of security-savvy IT pros agree that the end user is still the weakest link in the IT security chain of defense: the same user who violates security policy, misclassifies data, holds the door open for unknown visitors, and is easily fooled by social engineering attacks.
This is all the more astounding because it is the one link in the chain that corporations have the most control over. We've heard time and time again how expensive data breaches are and that employee training reduces that cost significantly, yet here we are. We're still talking about the need to create strong security policies, to build a security-aware culture, and to train good employees to be smart employees.
It's time to rethink corporate security tactics. To build security confidence, we need to invest more resources in educating employees on what our security policies are, teaching them how to identify risky behaviors, and showing staff the correct way to react. By doing so, we'll not only invite fewer vulnerabilities into our systems, we'll also free up internal security resources to deal with (what should be) more serious security concerns.
Photo: The Weakest Link by Darwin Bell