It’s good to be confident in your company’s security practices. It’s another thing to be so confident that you don’t think it is necessary to re-evaluate those security practices regularly.
A new survey from CompTIA found that while 82 percent of businesses are confident in their security and their ability to thwart threats, only 13 percent have made any major changes to their security plans over the past two years. Now, think about security concerns in 2011 versus 2013. I took a look at some blog posts I wrote two years ago. While I talked about the concern over smartphone security, the prevalence of BYOD was still in the future and, honestly, mobile security was still in its earliest stages. The flurry of cybersecurity bills discussed in Congress at the end of 2011 still hasn’t come to fruition. Topics like the rash of DDoS attacks and ransomware were still well into the future. I could go on, but you get the picture – the types of threats that businesses face today have evolved from those of two years ago, but only a minority of companies have adjusted to the evolving security landscape.
Seth Robinson, CompTIA director of technology analysis, offered his theory on why that is, quoted in an eSecurity Planet article:
Many organizations may be assuming a satisfactory level of security without truly performing the due diligence to understand their exposure and build an appropriate security posture for a new era of IT.
However, the finding that so many CompTIA respondents are confident in their security (and apparently confident enough not to feel the need to change their security efforts) conflicts with a survey conducted by EY, which found that 83 percent of respondents admit their security functions aren’t meeting their needs and that they know they must do more to increase their security efforts.
I suspect the reality is somewhere in the middle. Yes, plenty of security decision makers (or their bosses) will think that if they haven’t been hit by some sort of threat or attack over the past couple of years, everything must be working just fine. Others haven’t made the upgrades, not because they don’t want to, but because they don’t have the budget or may not understand the type of protection that new technology needs. Rule of thumb: re-evaluate and upgrade your security on a regular basis, as new technologies are introduced and when serious new threats are announced.