A recent Ponemon Institute study may hold some clues as to why cybersecurity is still lacking across industries and organizations today, despite all of the high-profile breaches and threat-related news over the past couple of years.
In a nutshell, too many security professionals don’t think their company is going to be the victim of an attack.
Thinking your organization is immune to a cyberattack isn’t new, but usually that attitude comes from those outside of IT – the small business owner who thinks his company is too small for anyone to go after or the executives who think cybersecurity isn’t worth the line item in the budget. But for half of security professionals, which is the number that the survey revealed, to admit that is both surprising and alarming. I’m not the only one who had this reaction to the study’s results. Larry Ponemon, chairman and founder of the Ponemon Institute, responded to these results in a prepared statement:
This research reveals some major disconnects that IT professionals seem to have between perception and reality. While even circumstantial evidence points to the increasing volume and severity of cyberthreats, it’s shocking to learn that half of security pros don’t even view themselves as a target.
And yet, more than a majority of the respondents don’t have confidence in their security system’s ability to address potential threats, as eSecurity Planet explained:
Fully 60 percent of respondents said they believe poor threat intelligence had resulted in an inability to stop at least five security breaches in the past two years. Six percent said poor threat intelligence had resulted in an inability to stop more than 10 breaches in the same timeframe.
So, let’s see if we have this correctly. Half of those surveyed don’t think their organizations will be targeted for an attack but more than half said they don’t have good enough tools in place to stop the attacks that happened.
Confused yet? I certainly am. An InfoSecurity Magazine article said this:
… respondents expressed a surprising disconnect in their urgency to make changes that would address these issues.
Disconnect is a good word because there seems to be a lot of disconnect here in the way security professionals view cybersecurity overall. I have to wonder if the attitude of “this can’t happen to me” is a way of compensating for the lack of faith in security systems and the ability to stop attacks. In any case, we know the threats are there and attacks are almost inevitable today, no matter the size or type of organization, and it is downright scary that not all security professionals are willing to accept that.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba