If you are an IT professional, what do you think is the biggest threat to your company's network? If you said a hack by Anonymous or a similar group, you are with the majority. The 2012 Bit9 Cyber Security Research Report found that 61 percent of IT professionals are concerned about a high-profile attack from a hacktivist group. This is followed by attacks by cyber criminals (although, I wonder at what point we begin thinking of hacktivism groups as criminals, but that's a story for a different day) and nation-state attacks.
The survey had a lot of other interesting findings. Almost exactly as many IT folks (62 percent) worry about a targeted malware attack as worry about Anonymous, and only 26 percent think their endpoint security is effective.
Personally, I think it is a no-brainer to be worried about Anonymous and malware attacks, and if I were an IT professional, I'd be thinking a lot about those things, too. It seems like the Anonymous concern is what is snatching the headlines about this survey. But here is what caught my eye:
Seventy-seven percent of respondents, a vast majority, believe companies and employees are in best position to improve security: 58 percent of respondents said companies implementing best practices and better security policies are in the best position to improve enterprise security, and 19 percent believe individual employees play an important role in improving the state of security. Despite current plans to implement cyber security legislation, only 7 percent believe that government regulation and law enforcement will best improve security.
If I'm reading this right, the point of this question is more about who gets to make the decisions about security for a company, and by this answer, companies don't want to see a lot of government interference on the matter.
Another response that got my interest was this:
Ninety-five percent of respondents believe cyber security breaches should be disclosed to customers and to the public: Almost half of respondents (48 percent) feel that breached companies should not only disclose the breach, but they should also provide a description of what is stolen, while nearly a third (29 percent) believes a description of how the attack occurred should also be shared. Only 6 percent felt that nothing should be disclosed.
Interesting because it was Bit9's own CTO, Harry Sverdlove, who was the victim of the recent credit card breach, and he spoke extensively about his experience. Maybe all of those professionals believe they should disclose breaches to their customer base, but Sverdlove's experience shows that how you approach that disclosure is absolutely vital. I wish these results included not just what should be disclosed but how soon that information should be shared with potential victims. Is two months or two years too late? Too soon?
Sverdlove's take on the survey results? He said in a release:
The survey results put a spotlight on an interesting contradiction: on the surface, people are most afraid of embarrassing, highly publicized attacks from hacktivist organizations like Anonymous, but they recognize that the more serious threats come from criminal organizations and nation states.
An interesting contradiction. Yes, I think that describes it just right.