According to a recent survey of cybersecurity professionals by AT&T Cybersecurity entitled “Confidence: the perception and reality of cybersecurity threats,” phishing and cloud security threats are keeping them up at night.
The survey polled 733 cybersecurity professionals attending the RSA conference, and asked the respondents about what they perceive to be the biggest internal and external threats to security. When it came to internal threats, almost one-third of the respondents listed phishing attacks as the biggest threat. The concern is fueled in part by the worry that technology cannot prevent a user from clicking on the malicious link or attachment, as well as a lack confidence in users’ ability to detect sophisticated phishing emails.
The second biggest internal threat perceived by those surveyed was ransomware and the reputational damage in its aftermath, followed by social media threats, once again because the recipients are unable to control or manage employees’ use of social media. According to the survey, “[A]ny mistake can impact brand and trust, expose sensitive information, or indeed become a source of entry into an organization.” It is interesting to note that the results were uniform and did not vary based on the size of the organization.
As for external threats, respondents cited cloud security threats as the number one worry. Commenting on this, the survey states that companies have every reason to be concerned about cloud security. “[T]he implications of moving to the cloud with or without a well-defined strategy are being felt today, and with so many data leaks attributed to misconfigured cloud databases, or through poor credential management, companies are right to be worried.” From this writer’s perspective, it is also worrisome from a risk perspective, as many cloud vendors are imposing difficult contractual provisions on companies despite having full access and control over the data. [See New + Now post below].
The second biggest external threat according to those surveyed was distributed denial of service (DDoS) attacks, followed by Internet-of-Things attacks and nation states. Although a majority of those surveyed were confident that they could defend against a DDoS attack, approximately one-third of respondents felt only somewhat confident that they could do so. Again, the results were not different based on the size of the organization, but small companies were a bit more concerned about DDoS and non-targeted attacks.
When asked about supply chain security, 37 percent of those surveyed believed that completing security questionnaires to supply chain companies “are an essential component of any security function.” However, organizations of all sizes said that evaluating supply chain security drained valuable resources and took them away from other essential functions.
The conclusion outlines four points for companies to consider (from AT&T’s view): 1) People—hiring the right IT personnel or consultant can assist with keeping an organization cyber-prepared; 2) Technology—“it makes sense to invest in technologies that offer a broader set of capabilities, especially those which have their own or can integrate with reliable sources of threat intelligence;” 3) Outsourcing—“in many cases, it doesn’t make sense to keep everything in-house; and 4) Insurance—“where risk can’t be mitigated or accepted, consider transferring it to an insurance provider.” Insurance providers no doubt have a different view on the fourth point and will point back to companies to shore up their security first to reduce the risk.
The results of the survey are not surprising, but confirm that phishing continues to be worrisome and effective. This is consistent with our experience, and companies continue to struggle with users’ behaviors and ability to detect phishing schemes. Addressing thatis a matter of user education and sophistication, which is a challenge for companies on a day-to-day basis. There is no silver bullet other than to increase the sophistication of users to respond to the sophistication of the intruders.