According to the latest Algosec study, think of bring your own device as bring your own disaster. “Policies and processes that focus on intrusion and other external threats fail to address the biggest risks facing most organizations – employee errors and malice, non-corporate devices, poor visibility and manual processes,” suggests the report. The overall conclusion of the report is that the biggest threat to business comes not from high profile external attacks, but from staff, their personal devices, and poor process management.
One of IT’s problems is that businesses are increasingly adopting next generation firewalls (NGFWs) because of the promise of increased security and centralized policy management, but are finding “that the increased security still comes at the price of more changes, more policies, and more complexity.” The demands of increasingly complex applications and the need for business agility are making ad hoc or manual changes more tricky.
“Out-of-process changes caused more problems for IT departments this year than in 2012. Last year, 54.5% attributed system outages to these changes, whereas this year 76.1% said that they caused application or network outages, a 39% increase.” Overall, internally caused outages “occurred three times more often than data breaches and five times more frequently than audit failures.” The reality is that the increasing complexity of NGFWs imposes an increasing workload and a greater potential for errors.
But while the firewalls are used to protect against external threats, most respondents to the Algosec survey rated insiders (accidental or malicious) a greater threat than external hackers and hacktivists (63% to 37%). “Employees’ devices create additional challenges for IT departments,” adds the report. “Two-thirds of respondents said that permitting employees to connect their own devices to the corporate network increased the risk of security breaches and 55% said it increased network security complexity.”
The overall impression from this survey is that the high-profile nature of external hacks and breaches is diverting concentration from the more common cause of business disruption: a company’s own staff and its own processes.