Businesses in Denial When it Comes to IT Security Breaches
The majority of businesses appear to be all talk and little action when it comes to combating security breaches, according to a new survey.
Findings from a Tenable Network Security study show thatmore than 90 percent of IT security professionals surveyed discussed large-scale, high-profile breaches such as those at RSA, Citigroup and Sony with senior management — but only 23 percent did anything beyond that.
"It would be impossible and impractical to make changes, updates or company-wide announcements for every data breach reported,” Ron Gula, CEO and chief technology officer at Tenable Network Security, said in a prepared release. “But with record-breaking exposures like what we’ve seen this year, there’s an opportunity for us to learn and to educate employees about the implications of a security breach and reinforce existing policies and information security practices."
It’s not just outside security breaches that businesses are potentially facing. Nearly half of those surveyed reported experiencing some form of an internal threat while at their current company, and they’re not alone.
According to a recent Verizon Business Data Breach Investigations Reports, insider threats are one of the leading sources of data leakage and theft for businesses. Findings indicate that nearly one in three breaches over the past two years came as a result of an insider attack, and, in 2010, 93 percent of insider breaches were considered deliberate or malicious attacks.
Yet despite the large number of internal issues, those surveyed ranked preventing insider threats as the second-lowest information security priority for the next six to eight months, with mobile device security being the top priority.
IT security professionals themselves also are to blame for the security breaches, according to the study. One in three security professionals admitted they had violated internal security policies they created in order to complete a work-related task more quickly or easily.
“The productivity versus security battle continues to create problems for enterprises,” Gula said. “Employees, including privileged security professionals, are going to do whatever it takes to get the job done, regardless of policies or security risks.”
The survey of IT security professionals from several industries – including financial services, government, retail and health care – was conducted at the 2011 Gartner Security and Risk Management Summit.