“Organisations are taking positive steps toward improving their information security; most notably in terms of budget and resources,” said Mav Turner, director of security, SolarWinds. “It’s important, however, to never fall into the trap of over-confidence. IT pros should do everything they can to ensure the best defences possible, but never actually think they’ve done everything they can. This approach will ensure they are proactively taking all the steps necessary to truly protect their organisations’ infrastructures and sensitive data.”
Fielded in October 2014 in conjunction with Enterprise Management Associates, the survey* yielded responses from 168 IT practitioners, managers, directors and executives in the UK from small and midsize enterprise companies.
“The survey brought out many interesting and disturbing trends,” said David Monahan, research director, risk and security management, Enterprise Management Associates. “The general over-confidence demonstrates why we are seeing more breaches. Much of this appears to come from the concept that compliance is equivalent to security. Knowing that all of the major retailers that have experienced breaches in the last year have been considered compliant, we know that is not true.”
Survey Findings
1.IT professionals are confident in their organisations’ security measures and processes.
In fact, 76 percent of those surveyed said they consider their organisations to be very secure, falling within at least the 30th percentile of the most secure organisations, with 10 percent of those believing their organisations are in the top 10th percentile. In addition, 79 percent said their IT departments currently have sufficient resources to keep their organisations secure.
2.Increased budget, man-power and integration between security and other IT processes and operations, such as network and system administration, are likely driving this confidence.
For example, 61 percent of those surveyed reported their departments’ security budgets increased from last year to this year. Moreover, only 1 percent said their organisations do not have at least one staff member responsible for security, and 99 percent said they have more than one. This man-power could explain why 54 percent said they are able to test their defenses at least monthly. Finally, 35 percent said their IT departments tightly integrate security and other IT processes and operations, while all others reported at least some level of interaction.
3.Widespread adherence to security best practices is lacking and damaging attacks continue to plague organisations, potentially indicating this high level of confidence is a false sense of security.
Though 31 percent of respondents do not believe their organisations are a target for an attack and another 21 percent said they feel they are at low risk of a successful attack, 84 percent reported their organisations have experienced a significant attack, with 35 percent reporting that it took at least one month to discover the attack. Furthermore, 39 percent also said it took at least one month to recover from the attack (get the affected systems/applications back online/operating and the security hole mitigated).
Underscoring this is that 39 percent said their organisations either do not have defined security best practices or if they have them, do not regularly follow them.