Businesses expect the pressure to secure their organisations to increase even further, according to the 2015 Security Pressures Report from security firm Trustwave.
While 54% of IT and security professionals felt more pressure to secure their organisations in 2014, 57% of respondents expect to experience more pressure to secure their organisation in 2015.
However, a greater proportion of enterprise respondents (64%) expect increased pressure, compared with the corresponding 48% of their small and medium business counterparts.
Most respondents (84%) cited reputation or financial damage as their biggest fear of a breach at their organisation.
“No matter the security maturity level at a given organisation, the pressure is on,” the report said.
The report is based on a survey of more than 1,000 information security professionals. Respondents also reported pressure to roll out cloud and mobile IT projects, despite unresolved security issues.
The security threat of emerging technology
More than three-quarters of respondents said they had been pressured to unveil IT projects that were not security-ready.
Nearly half of IT and security professionals were most pressured to use or deploy the cloud in 2014, up from 25% in 2013.
The report notes that adopting emerging technologies – such as cloud and bring your own device (BYOD) – overtook advanced security threats as the top operational pressure facing respondents.
Other challenges included understaffed security teams as security threats mount, and increasing pressure from C-level executives to protect data despite resource constraints.
Some 61% of respondents said they felt the most pressure from owners, board and C-level executives – up from 50% in 2015.
While 70% of respondents believed they were safe from cyber attacks and data compromises, 84% wanted the size of their IT security team increased.
Just over half said they would like to see their security team double in size, while just under a third said they would like to see it grow to at least four times its size.
Low estimation of internal threats
Asked about the nature of the threats, 62% of respondents were most pressured by external threats, compared with internal threats.
Weak passwords were cited by just 9% of security professionals as the insider activity they felt most pressure to fend off, despite previous Trustwave research showing easy-to-crack passwords contributed to nearly a third of all breaches.
In the light of increased demands, 78% of respondents said they are likely to, or plan to, collaborate with a managed security services provider (MSSP) in the future.
“All signs point to turbulent times for IT and security professionals, and our findings back this up,” said John Amaral, senior vice-president of product management at Trustwave.
“Overall, pressures for IT and security professionals increased from 2013 to 2014, and even more distress is expected in 2015,” he said.
Threat landscape grows ever more hostile
Amaral highlights that the survey found the decisions security professionals make are not necessarily the ones they want to make.
“Many report they do not have enough resources and in-house skills to deploy a defence-in-depth security programme without confronting a mountain of pressure while doing it,” he said.
Christina Richmond, programme director of security services at analyst firm IDC, said the pressures IT professionals face are growing.
“Cyber criminals are increasingly crafty, new attack vectors are emerging, budgets are tight, skills are at a premium, security policies are either incomplete or disregarded, and many security solutions are proving too complex to manage or too basic to be useful against a professional adversary,” she said.
Richmond said these pressures are driving businesses to increasingly look to partner with MSSPs who can help control complexities related to security technologies as well as mitigate and respond to advanced security threats.
Seven recommendations for security professionals
The report makes seven recommendations for information security professionals:
- Accept that everyone, including you, is at risk: Operating under the belief that breaches are inevitable allows security professionals to better prepare their strategy;
- Acknowledge that outsiders and insiders can equally hurt you: Attacks waged by outside adversaries attract the most headlines, but threats posed by insiders can be as destructive;
- Turn to advanced solutions: Companies must turn to more advanced threat management solutions, such as next-generation SIEMs, file-integrity monitoring and anti-malware gateways;
- Think security first: Automated vulnerability scanning, ongoing and in-depth penetration testing and web application firewall deployment can help reduce the risks;
- Narrow the disconnect between the security group and senior management: Organisations that deploy strong IT governance, in which security-conscious leaders regularly communicate and collaborate with those responsible for security and ensure priorities are being met, are less likely to experience damaging breaches;
- Embrace the revolution: Companies must recognise the exploding risk potential of disruptive and emerging technologies, assess them for vulnerabilities and deploy security controls such as network access control, data loss prevention and encryption;
- Accept a helping hand: There is no shame in turning to an outside partner for help on threat, vulnerability and compliance management.