Exploit-based attacks are on the up (1), the majority of IT security professionals aren't sure if they can detect attackers attempting to breach the network (2), and 65% of companies let the tech support department give security training to staff. I would suggest, in order to make some sense of all of this, that you 'Go Hebrew'.

By which I mean, in case you were wondering, read it from right to left. Starting at the end and working backwards provides a clue as to what is going wrong: lack of properly considered education leads to a lack of confidence in defending network data which leads to an increase in exploits.

The math is, don't you think, pretty damn obvious all of a sudden. OK, time for a bit of disclosure here. As well as being a freelance journalist, an author and occasional broadcaster, I have also been a security consultant for the best part of twenty years so perhaps it is hardly surprising that I would think outsourcing security training to the specialists is a good thing. That said, just because I might be perceived to have a vested interest (and it is a wrong perception as I have never given staff training in my life) doesn't make me wrong.

According to Kaspersky Lab, most companies simply assign their own tech support people to train company employees in matters of IT security, rather than hiring outside IT consultants or security professionals. Yet staff training is a vital link in the strategic security chain. How vital? Well, four out of five of the most common internal security incidents recorded in the past 12 months (according to Kaspersky) were directly linked to staff actions:

  • 32% reported accidental leakages of confidential data
  • 30% reported employees losing corporate mobile devices with critical data stored on them
  • 19% of companies encountered intentional staff-facilitated data leakages
  • 18% of companies had dealt with incidents when confidential data got into the wrong hands due to the improper use of mobile devices

So if the belief is that in-house tech support is sufficient to train staff about IT security, and the stats suggest that is wrong, who should be providing the training and how many companies are taking the better option? Kaspersky Lab suggests, and I tend to agree, that "a better outcome can be delivered by commissioning a third-party IT consultant with the requisite training expertise" yet only 12% of those asked had done so. Amazingly, if you ask me, that's only just a little more than the 8% who gave the security training role to the HR department.

(1) According to F-Secure’s latest Threat Report for the first half of 2013 there has been a continued rise in exploit-based attacks, particularly against Java. In fact, nearly 60% of F-Secure’s top ten detections in the first half of 2013 were exploits, making it by far the most common attack vector.

(2) According to a recent Lieberman Software Corporation survey of 200 senior IT security professionals at the Black Hat 2013 conference in Las Vegas earlier this year, 52% admitted they were "not confident" that their IT staff could detect the presence of an attacker who was attempting to breach their network or extract private data.

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

Last Post by rubberman

happygeek, thanks for the post. Could you also post links to these statistics?
Thanks.
-ikel

I often find working back-to-front (or right-to-left if you prefer) to be very helpful in determining the root causes of such problems.