Three-quarters of IT staff don't trust their own security

18 April 2013

Would you bet $100 of your own money that your organization is safe from a data breach for the next six months? If the answer is “no”, then be assured that you are not alone.

A survey conducted by Lieberman Software has revealed that about three-quarters (73%) of IT security professionals would not be willing to bet $100 in the aforementioned scenario. And no wonder: apparently, corporate employees are simply ignoring security best practices.

The study also showed that 81.4% of IT security staff believe that employees tend to ignore the rules that IT departments put in place. Also, about half (52.2%) said they believe that employees wouldn’t listen even if IT directives came from executive management.

“These figures highlight the fact that many IT security professionals recognize that their organizations are woefully unprotected against cyber-attacks,” said Philip Lieberman, president and CEO of Lieberman Software. “While vendors of conventional security products – like firewalls and anti-virus – are constantly updating their tools to reactively protect against the latest threats, hackers are looking for flaws and engineering new attacks to exploit them. The reality is that 100% protection is nearly impossible to achieve, but there are still best practices for securing access to critical systems and data that many organizations tend to ignore.”

For example, the survey showed that IT groups are still not changing default passwords when deploying new systems. In fact, one-third (32.3%) of IT security professionals work in organizations that do not have a policy to change default passwords when deploying new hardware, applications and network appliances to the network.

“This simply must be a standard practice in any size organization,” said Lieberman. “Default privileged passwords are, in the truest sense, open backdoors into systems that are deployed on production networks. Most default passwords are publicly known and easily found online, meaning that anyone with malicious intent can use these default credentials as a foothold to gain anonymous access to systems and applications throughout the network.”

He added, “IT departments that do not have a solution in place to automatically detect, flag and change default privileged passwords on newly deployed systems are neglecting a very dangerous security hole.”
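The kind of automated check Lieberman describes, detecting and flagging unchanged default privileged passwords on newly deployed systems and rotating them, can be sketched in a few dozen lines. The following is an added example written for this page, not code from Lieberman Software or the article. It assumes a constructed inventory in which the provisioning workflow records a SHA-256 fingerprint of each system's current privileged password (so the audit never needs the plaintext), and a constructed list of vendor defaults keyed by vendor and model; the vendor names, models and default values are made up.

```python
import hashlib
import secrets
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed list of vendor-default privileged credentials keyed by
# (vendor, model). These entries are invented for the example; a real audit
# would load the list the organisation maintains for the hardware it buys.
KNOWN_DEFAULTS: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("examplenet", "edge-100"): ("admin", "admin"),
    ("examplenet", "core-900"): ("admin", "password"),
    ("acmeapp", "portal"): ("administrator", "changeme"),
}

# Assumed policy: privileged passwords older than this are overdue.
MAX_ROTATION_AGE = timedelta(days=90)


def fingerprint(username: str, password: str) -> str:
    """Unsalted SHA-256 over user:password. It exists only so the audit can
    compare a stored credential against the known-default list; it is not a
    password store and must not be used as one."""
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()


@dataclass(frozen=True)
class System:
    name: str
    vendor: str
    model: str
    admin_user: str
    credential_fingerprint: str        # fingerprint() of the current privileged password
    deployed_at: datetime
    last_rotated_at: Optional[datetime]  # None: never rotated since deployment


def audit(system: System, now: datetime) -> List[str]:
    """Return the findings for one system; an empty list means it passes."""
    findings: List[str] = []
    default = KNOWN_DEFAULTS.get((system.vendor.lower(), system.model.lower()))
    # The open-backdoor case: the device still answers to its published default.
    if default and fingerprint(*default) == system.credential_fingerprint:
        findings.append("DEFAULT_CREDENTIAL_IN_USE")
    if system.last_rotated_at is None:
        findings.append("NEVER_ROTATED")
    elif now - system.last_rotated_at > MAX_ROTATION_AGE:
        findings.append("ROTATION_OVERDUE")
    return findings


def rotate(system: System, now: datetime) -> Tuple[System, str]:
    """Generate a fresh random privileged password and return the updated
    inventory record plus the new secret, which the caller pushes to the
    device and stores in the password vault."""
    new_password = secrets.token_urlsafe(24)
    updated = replace(
        system,
        credential_fingerprint=fingerprint(system.admin_user, new_password),
        last_rotated_at=now,
    )
    return updated, new_password


def audit_inventory(systems: List[System], now: datetime) -> Dict[str, List[str]]:
    """Audit every system and map its name to its findings."""
    return {s.name: audit(s, now) for s in systems}


# Constructed inventory: one freshly deployed appliance still on its default,
# one switch whose password was changed but has gone stale, one clean host.
NOW = datetime(2013, 4, 18, tzinfo=timezone.utc)
INVENTORY = [
    System("fw-edge-01", "ExampleNet", "edge-100", "admin",
           fingerprint("admin", "admin"), NOW - timedelta(days=3), None),
    System("core-sw-02", "ExampleNet", "core-900", "admin",
           fingerprint("admin", "N0t-the-default"), NOW - timedelta(days=200),
           NOW - timedelta(days=120)),
    System("portal-prod", "AcmeApp", "portal", "administrator",
           fingerprint("administrator", "constructed-strong-value"),
           NOW - timedelta(days=10), NOW - timedelta(days=10)),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, NOW).items():
        print(f"{name}: {findings or 'OK'}")
    # Remediate the appliance that is still on its vendor default.
    fixed, _secret = rotate(INVENTORY[0], NOW)
    print(f"after rotation {fixed.name}: {audit(fixed, NOW) or 'OK'}")
```

Running the audit on the constructed inventory flags the edge appliance for both a default credential and no rotation, the core switch for an overdue rotation, and nothing for the portal host; after `rotate()` the appliance passes. In production the comparison step would run against the provisioning system's records at deploy time, so a device never reaches the production network with its published default in place.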

Then there’s the state of user privileges and administrative rights to consider. The survey found that most IT personnel (75.8%) think that employees in their organization have access to information that they don't necessarily need to perform their jobs. Most workers (64.7%) also think that they have more access to sensitive information than colleagues in other departments. And 38.3% of IT security personnel have witnessed a colleague access company information that he or she should not have access to, but 54.7% of those respondents didn’t report them.

“These results suggest that even though most IT professionals are aware of the level of access they have to systems which may contain sensitive data, many organizations either cannot or will not control and audit this access,” Lieberman said.

He added, “The high number of staff who are thought to ignore IT directives could stem from willful negligence on the part of end-users, or the lack of proper internal security training. When these findings are taken together, respondents' lack of confidence in the ability of their organizations to withstand a data breach is hardly surprising.”
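Controlling and auditing access, as Lieberman puts it, comes down to two routine checks: comparing each account's entitlements against a least-privilege baseline for its role, and reviewing access logs for activity outside that baseline so that out-of-scope access is surfaced by the system rather than left to a colleague's willingness to report it. The following is an added example written for this page, not code from Lieberman Software or the article. It assumes a constructed role baseline, constructed accounts, and constructed log lines in a `key=value` format; entitlement names follow an assumed `system:action` convention and the user names are invented.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed least-privilege baseline: the entitlements each job role needs.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "helpdesk": {"ticketing:read", "ticketing:write", "directory:read"},
    "payroll": {"hr:read", "payroll:read", "payroll:write"},
    "developer": {"repo:read", "repo:write", "ci:read"},
}


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    entitlements: Set[str]  # what the account actually holds


def excess_entitlements(account: Account) -> Set[str]:
    """Entitlements the account holds but its role baseline does not justify."""
    return account.entitlements - ROLE_BASELINE.get(account.role, set())


def review_accounts(accounts: List[Account]) -> Dict[str, List[str]]:
    """Map each over-privileged user to the entitlements that should be removed."""
    return {a.user: sorted(excess_entitlements(a))
            for a in accounts if excess_entitlements(a)}


# Parser for the constructed log format: ISO timestamp followed by key=value pairs.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


def parse_event(line: str) -> Dict[str, str]:
    m = LOG_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    event = {"ts": m.group("ts")}
    for pair in m.group("fields").split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def out_of_scope_access(log_lines: List[str], accounts: List[Account]) -> List[str]:
    """Flag every access whose required entitlement lies outside the user's
    role baseline. An excess entitlement that was actually exercised is
    reported separately from an access the account had no right to at all."""
    by_user = {a.user: a for a in accounts}
    findings: List[str] = []
    for line in log_lines:
        ev = parse_event(line)
        system = ev["resource"].split(":", 1)[0]
        required = f"{system}:{ev['action']}"
        account = by_user.get(ev["user"])
        if account is None:
            findings.append(f"{ev['ts']} {ev['user']}: UNKNOWN_ACCOUNT {ev['resource']}")
            continue
        if required in ROLE_BASELINE.get(account.role, set()):
            continue  # within the role's baseline, nothing to report
        if required in account.entitlements:
            findings.append(f"{ev['ts']} {ev['user']}: EXCESS_ENTITLEMENT_USED {required} on {ev['resource']}")
        else:
            findings.append(f"{ev['ts']} {ev['user']}: ACCESS_WITHOUT_ENTITLEMENT {required} on {ev['resource']}")
    return findings


# Constructed accounts: a helpdesk user who has quietly accumulated payroll read access.
ACCOUNTS = [
    Account("jsmith", "helpdesk", {"ticketing:read", "ticketing:write", "directory:read", "payroll:read"}),
    Account("mchen", "payroll", {"hr:read", "payroll:read", "payroll:write"}),
]

# Constructed audit log lines.
LOG = [
    "2013-04-18T09:02:11Z user=jsmith action=read resource=payroll:records",
    "2013-04-18T09:05:40Z user=mchen action=read resource=payroll:records",
    "2013-04-18T09:07:02Z user=jsmith action=write resource=ticketing:ticket-42",
    "2013-04-18T09:09:15Z user=mchen action=write resource=repo:billing-service",
]

if __name__ == "__main__":
    print("over-privileged accounts:", review_accounts(ACCOUNTS))
    for finding in out_of_scope_access(LOG, ACCOUNTS):
        print(finding)
```

On the constructed data the entitlement review reports `jsmith` holding `payroll:read` beyond the helpdesk baseline, and the log review shows that entitlement being used against payroll records, plus a write attempt by `mchen` to a repository the payroll role never needed. Both reports come from the same baseline, so removing the excess entitlement and fixing the baseline are one exercise rather than two.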
