There was a very good chance your organization suffered a security breach this past year.
According to new research by Spiceworks, 80 percent of organizations experienced a security incident in 2015. The biggest problem, according to the research, is the end user:
IT pros are worried about the vulnerabilities created when employees don’t understand or aren’t invested in avoiding risky behavior around company data.
Again, 80 percent of the respondents admitted this concern about employees, while 48 percent said shadow IT is creating additional risks to the network and data.
The study also revealed that IT professionals believe they have to work harder and feel responsible for the security problems within their companies. It’s one piece of the puzzle, but hardly the only piece. First, employees need to do a better job at improving on their own security behaviors. Virtual-Strategy Magazine shared this quote from CJ Wood, IT director at Decorating Den Interiors, which I don’t completely agree with:
The number one source of a network breach or virus infection are end users that lack an understanding of potential security risks. We have to remember they aren’t the IT professionals. It’s our job to protect them with comprehensive security tools and make sure they’re educated on cyber threats, phishing, spam, and other security issues.
Yes, but that lets employees off the hook, don’t you think? Too often, even when employees are given security tools and education, they ignore it and go rogue for any variety of reasons. Perhaps it is time for them to take more responsibility for their role in breaches.
However, it is true that IT professionals are failing in one area, at least. According to a study commissioned by CyberArk, CEOs aren’t being briefed on security issues. Again, there is a (mis)conception that they aren’t capable of understanding cybersecurity, as eSecurity Planet pointed out:
The survey . . . also found that 61 percent believe their CEOs don’t know enough about cyber security, and 69 percent say cyber security issues are too technical for their CEO.
I’m starting to understand why so many companies are breached.
But it isn’t just people that are a problem. The Spiceworks survey did find that malware attacks were reported by 51 percent of the respondents. That’s not a surprise. But I wonder how much of that involved mobile malware, especially for businesses that rely on BYOD and Android. Mobile malware is skyrocketing. According to G DATA’s third quarter mobile malware report, security experts identified 574,706 new malware samples – that rounds out to about 6,400 new samples per day – and 80 percent of Android users have outdated operating systems that contain known security holes. G DATA’s Security Evangelist Andy Hayter explained to me in an email what can be done to better control the risks from mobile malware:
Corporations need to develop policies, procedures and enforcement for the use of an employee’s own mobile device. If policies are developed properly all mobile devices, either BYOD or corporate owned assets, will be required to have a manageable mobile anti-malware solution installed. Mobile device management (MDM) will permit the company to monitor and control access to corporate data assets, enforce the use of and update anti-malware solutions as well as react to any situation when the mobile device goes rogue.
Threats to the data and the endpoints aren’t coming from one place. The security threat puzzle has many pieces, and all of them have to be addressed.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba