TechBeat: Information security – perception and risk
10 April 2015
The survey asked IT users whom they saw as mainly responsible for minimising cyberattack and/or IT security risks.
Just over two-fifths (42%) said that it was entirely the IT department's responsibility. This was followed by nearly a third (30%) who said it was mostly the IT department's, with a quarter (25%) saying it was a responsibility shared between the user and IT. Just 2% thought it was mostly the user's responsibility, and a minuscule 1% felt it was all down to the user.
“Just 25% of respondents said the user believes IT security is as much their responsibility as the IT department’s. We believe this figure should be higher, as information security is something every IT user should care about,” said Keating, illustrating with an example.
“If you take an office, there are fire safety measures in place, such as alarms, fire doors and extinguishers, but the onus is still on us to raise the alarm if we smell smoke,” he argues. “Information security is similar. The IT department can have security measures and processes in place, but the user still needs to be aware of, and be made aware of, a risk so that they can flag it to the IT department.”
Keating continued, saying that if a user receives a malicious email or document, they should be aware of the factors that make it a cybersecurity risk.
“The language might be a bit off,” suggests Keating. “If the user can flag a cybersecurity concern, then IT can step in. There are tools that IT can use to assess the intent of the email and whether it is malicious.”
The survey also asked, if users do not take enough responsibility for information security, whose fault respondents thought that was. The result was a fairly even split: just over half (55%) said it was the company’s fault for not providing enough IT security information, and the rest (45%) said it was the users’ fault for not being careful enough.
Education was also probed, with nearly half (46%) saying that their company did provide non-IT staff with sufficient education on information security, slightly fewer (44%) disagreeing, and one in 10 saying they did not know.
The survey asked about the most likely group to be the source of a breach, specifying some that may have malicious intent.
The insider threat was perceived as by far the highest: nearly two-thirds (64%) cited current staff as their single most likely source. Taking the net positives (the proportion naming a group as a likely source), an organisation’s own staff still came highest (39%), while 20% said former staff would be the likely source. Criminals were cited by 14% and suppliers by 9%, with just 5% naming customers. However, a further 14% net positive went to ‘others with malicious intent’ outside these groups.
The survey also asked about suppliers and their security implementations. Almost half said that suppliers had information security policies in place that would in turn protect their organisation from security breaches, but a very significant 46% did not know.
Where there are doubts, organisations need to ask questions, warned Keating. “Companies should check for key points such as whether a supplier has a firewall in place, how they authenticate log-ins and if they have a system to check unsolicited email.”
The top five specific threats were data loss and disclosure, data destruction, insider data misuse, phishing and web-application-borne attacks. The next most feared was attack via compromised third parties.