This past week I spent some time at the annual RSA convention in San Francisco as I have done for the past several years. RSA is primarily a vendor-centric event with IT security as its focus. The conference gives security professionals the opportunity to feel out where others in the industry have been and where they're headed by way of trends, techniques, and sometimes tragedies.
Before this year's event even began we all knew at least one issue was going to be first and foremost after a long year of talks about breaches and privacy. I knew going in that during the many keynote speeches, presentations, and chatter on the show floor I would hear the acronym NSA and the name Edward Snowden ad nauseam during the week, and this year's RSA did not disappoint in that area. One thing I wasn't quite expecting, however, was the twist thrown into the mix by a Reuters article a week before the event that linked the RSA business entity and a purposefully flawed encryption algorithm directly with the NSA through a contract to distribute this reversible encryption.
This news was enough to send many others in the security field into an uproar of sorts: the event was immediately boycotted by some, and a protest conference by the name of TrustyCon sprang up directly across the street, selling out its 400-person capacity.
This made us very curious as to what people were most concerned about now that all of these other vectors of attack on both our security and our privacy seem to be popping up on all sides. We decided to do a face-to-face survey with conference attendees, one on one, to ask them a few simple questions about these issues, compile the data, and see what is on people's minds. These are people who deal with security every day, whose jobs depend on keeping networks secure, and who treat threats as a practical problem, not a theoretical or philosophical one.
We ended up surveying just over 110 people on these subjects, and when we asked them what they felt was the number one threat to their organization, the response was more lopsided than I had expected.
• 56.2% of respondents report cybercrime from external sources as most problematic
• 33% say insider threats with non-malicious intent give them the most trouble
• 5.3% blame malicious insiders for causing the biggest security headache
• 5.3% point the finger at external threats from government as chief offender
Malware, including email-borne and web-based threats, topped the list of most concerning threat vectors, followed by personally identifiable information (PII) and social engineering. The majority of respondents, 71.4%, cited people as the most frequent (or most likely) point of failure for IT security; another 21.4% faulted process, and 7.2% labeled technology as the weak link.
As a new breed of cybercriminal grows more sophisticated, IT security pros find themselves increasingly wary that employees are not keeping pace. This gap demands a comprehensive security strategy that takes into account all threat vectors from both technological and human standpoints. Organizations need a combination of technology, training, knowledge, and awareness to keep both inadvertent and intentional attacks from happening.
We were also curious as to whether or not all of this recent information has led people to believe in the need for psychometric testing to determine employee honesty. Over two-thirds of our respondents said no. When asked if they would be willing to take such a test themselves, again nearly two-thirds of these security professionals said that they would.
Of course security and privacy will always be concerns within businesses, and a strict "need to know" policy should be implemented and enforced to help protect important data. But it would seem that forcing everyone to take a polygraph test for employment, regardless of what data they are exposed to, may be a bit on the paranoid side, and those surveyed seemed to agree.
Everyone continues to have their own philosophical and ethical stances, but the real concern, as this survey points out, is the everyday tangible malware that continues to barrage inboxes and networks millions of times a day.