According to the newly released Sophos Security Threat Report 2012, at the end of 2011, 67 percent of those surveyed were focused on the rise of malware, while 61 percent felt that the biggest threat on the Internet is users not doing enough to protect themselves.
We can't control the volume of malware out there. But users can do more to protect themselves - and, in turn, the company network. I think the problem of user-based security is going to become a bigger issue as we move deeper into 2012. Why? The growth of the bring-your-own-device (BYOD) trend in businesses. As the Sophos blog pointed out:
The rapid inflow of consumer-owned smartphones and tablets is causing significant security challenges for many organizations. IT departments are being asked to connect devices to corporate networks and secure data on these devices, which they have very little control over. ... The unique nature of modern form factors (in terms of processing power, memory, battery life) requires rethinking of security and defense mechanisms.
Let me repeat that last bit: All of those mobile, personally owned but business-used devices are going to require IT and security personnel to rethink security and defense mechanisms. I totally agree with that thought, but what was the original security plan and was it ever truly implemented in the first place?
For the 61 percent who felt that users weren't doing enough to protect themselves, I'm going to assume that security policies are in place, but individuals aren't following them. Now, if the 2012 predictions are correct, we are going to see more blurring of the lines that separate business from personal.
Yes, security for BYOD does need to be redefined. But security also needs to be reinforced. That means good security education and even better security enforcement. Security departments also need to come up with a plan on how much control they can have over BYOD and work closely with employees to make sure there is some compromise in place. While you can't tell an employee that they are forbidden from downloading particular apps on their personal device, companies can take steps, like providing security software, if the devices are to be used for business purposes.
Another area that Sophos sees as a security threat for 2012 is one where users also have control over their own security:
The web will undoubtedly continue to be the most prominent vector of attack. Cybercriminals tend to focus where the weak spots are and use a technique until it becomes far less effective. We saw this with spam email, which is still present but less popular with cybercriminals as people deploy highly effective gateways. ... Social media platforms and similar web applications have become hugely popular with the bad guys, a trend that is only set to continue.
How many times have you just clicked on a link without thinking about it? Or believed an email was legitimate when it was spam? Cybercriminals depend on user mistakes to do their job.
Wouldn't it be great if next year's survey saw a huge drop in user-caused security problems? All it takes is everyone using the Internet a little smarter and ensuring that the security policies are followed.