BYOD and Cloud Threats Loom, But IT is Woefully Unprepared

According to a Dell global security survey, less than one-fifth (18%) of IT staff surveyed consider predicting and detecting unknown threats as a top security concern today. The percentage is just marginally better in the UK (22%).

“Traditional security solutions can defend against malware and known vulnerabilities, but are generally ineffective in this new era of stealthy, unknown threats from both outside and inside the organization,” said Matt Medeiros, vice president and general manager for Dell security products at Dell Software Group. “These threats evade detection, bypass security controls, and wreak havoc on an organization’s network, but, despite these dangers, our study found, among those surveyed, organizations are just not prepared.”

Epidemic threats come from all perimeters, both inside and outside of the organization and are often hidden in poorly configured settings or permissions, and ineffective data governance, access management and usage policies. The survey delved into how IT feels about strategies for improving their security posture in the face of all of this.

About 64% of respondents agree that organizations will need to restructure/reorganize their IT processes, and be more collaborative with other departments to stay ahead of the next security threat. Of those surveyed in the US, 85% said this approach is needed, contrasting with the UK (43%) and Canada (45%), which were the least convinced that strategy is necessary.

Nearly 90% of respondents believe government should be involved in determining organizations’ cyber defense strategies, and 78% in the US think the federal government plays a positive role in protecting organizations against both internal and external threats, which underscores the need for strong leadership and guidance from public sector organizations in helping secure the private sector, the study noted.

The UK (22%) ranked second-highest in the number of respondents who would prefer the government had “no role at all,” with Canada ranking top with a quarter of respondents (25%) selecting that option.

The dramatic spike in social engineering, malicious and/or accidental internal attacks, as well as sophisticated, advanced persistent threats means that organizations are essentially vulnerable from all directions. It’s unsurprising then that 67% of survey respondents say they have increased funds spent on education and training of employees in the past 12 months (55% in the UK); 50% (globally and in the UK) believe security training for both new and current employees is a priority.

Also on a bright note, about half (54%) have increased spending in monitoring services over the past year (42% in the UK); this number rises to 72% in the US.

When it comes to perceived threats, BYOD, cloud and the Internet were the top areas of concern.

A sizable number of respondents highlighted mobility as the root cause of a breach, with increased mobility and user choice flooding networks with access devices that provide many paths for exposing data and applications to risk. Most (93%) of organizations surveyed allow personal devices for work (88% in the UK). Around a third--31%--of end users access the network on personal devices (37% in the US; 24% in the UK). And 44% of respondents said instituting policies for BYOD security is of high importance in preventing security breaches (46% in the UK).

More than half (57%) ranked increased use of mobile devices as a top security concern in the next five years (71% in the UK), and 24% said misuse of mobile devices/operating system vulnerabilities is the root cause of security breaches (16% in the UK).

When it comes to the cloud, the survey found that many organizations use cloud computing (73% overall; 90% in the US; 66% in the UK). That introduces unknown threats that lead to targeted attacks on organizational data and applications.

Nearly half (49%) ranked increased use of cloud as a top security concern in the next five years (47% in the UK), suggesting unease for the future as only 22% (globally and in the UK) said moving data to the cloud was a top security concern today. In organizations where security is a top priority for next year, 86% are using cloud applications. About 21% said cloud apps or service usage are the root cause of their security breaches (16% in the UK).

And finally, the significance of the unknown threats that result from heavy use of internet communication and distributed networks is evidenced by the 63% of respondents who ranked increased reliance upon internet and browser-based applications as a top concern in the next five years.

More than one-fifth of respondents (21%) consider infection from untrusted remote access like via public Wi-Fi among the top three security concerns for their organization (16% in the UK). Almost half (47%) identified malware, viruses and intrusions often available through web apps, OS patching issues and other application-related vulnerabilities as the root causes of breaches (43% in the UK). And 70% are using email security to prevent outsider attacks from accessing the network via their email channel (77% in the UK).

“There is still a disturbing lack of understanding and awareness of the type of impact and detriment caused by the unknown threats that can come from both sides of an organization’s perimeter,” Medeiros said. “As a result, we believe a new security approach is needed - one that’s embedded in the fabric of software, governing access to every application and protecting every device, both inside and outside a corporate network. Only then will organizations have a chance at keeping one step ahead of these epidemic threats that can significantly damage their network.”

What’s hot on Infosecurity Magazine?