Exploit-based attacks are on the up (1), the majority of IT security professionals aren't sure if they can detect attackers attempting to breach the network (2), and 65% of companies let the tech support department give security training to staff. I would suggest, in order to make some sense of all of this, that you 'Go Hebrew'.
By which I mean, in case you were wondering, read it from right to left. Starting at the end and working backwards provides a clue as to what is going wrong: a lack of properly considered education leads to a lack of confidence in defending network data, which in turn leads to an increase in exploit-based attacks.
The math is, don't you think, pretty damn obvious all of a sudden. OK, time for a bit of disclosure here. As well as being a freelance journalist, an author and occasional broadcaster, I have also been a security consultant for the best part of twenty years, so perhaps it is hardly surprising that I would think outsourcing security training to the specialists is a good thing. That said, just because I might be perceived to have a vested interest (and it is a wrong perception, as I have never given staff training in my life) doesn't make me wrong.
According to Kaspersky Lab, most companies simply assign their own tech support people to train company employees in matters of IT security, rather than hiring outside IT consultants or security professionals. Yet staff training is a vital link in the strategic security chain. How vital? Well, four out of five of the most common internal security incidents recorded in the past 12 months (according to Kaspersky) were directly linked to staff actions:
- 32% reported accidental leakages of confidential data
- 30% reported employees losing corporate mobile devices with critical data stored on them
- 19% of companies encountered intentional staff-facilitated data leakages
- 18% of companies had dealt with incidents when confidential data got into the wrong hands due to the improper use of mobile devices
So if the belief is that in-house tech support is sufficient to train staff about IT security, and the stats suggest that is wrong, who should be providing the training, and how many companies are taking the better option? Kaspersky Lab suggests, and I tend to agree, that "a better outcome can be delivered by commissioning a third-party IT consultant with the requisite training expertise", yet only 12% of those asked had done so. Amazingly, if you ask me, that's only a little more than the 8% who gave the security training role to the HR department.
(1) According to F-Secure’s latest Threat Report for the first half of 2013 there has been a continued rise in exploit-based attacks, particularly against Java. In fact, nearly 60% of F-Secure’s top ten detections in the first half of 2013 were exploits, making it by far the most common attack vector.
(2) According to a recent Lieberman Software Corporation survey of 200 senior IT security professionals at the Black Hat 2013 conference in Las Vegas earlier this year, 52% admitted they were "not confident" that their IT staff could detect the presence of an attacker who was attempting to breach their network or extract private data.