I receive a lot of end-of-year wrap ups, threat studies and infosec prediction press releases in my inbox this time of year. As my colleague Bill Brenner has already mentioned many times in his Salted Hash blog, these often contain little new information and are mostly a rehash of what we’ve seen the previous year. While I often skip over them for meatier news items, I do read some.
Today, I came across a fairly disturbing stat while reviewing some new research from Kaspersky Lab: approximately 1/3 of IT department staff in many organizations lack even a basic knowledge of security and the particular threats they are up against.
Kaspersky, in partnership with B2B International, has conducted a survey twice in two years that covers IT professionals working for large and medium-sized businesses. The aim of the annual survey is to find out what IT specialists think of corporate security solutions, to ascertain their level of knowledge about current threats, the sort of problems they most often face and their ability to evaluate the risks associated with cyber-threats, etc.
Kaspersky said the sample includes more than 3,300 senior IT professionals from 22 countries. All respondents had an influence on IT security policy, and a good knowledge of both IT security issues and general business matters (finance, HR, etc.). Globally, respondents were drawn from companies of three sizes: Small Business (SB, 10-99 computerized seats), Medium Business (MB, 100-999 seats) and Enterprise Organization (E, 1000+ seats).
Diving a bit deeper into the research, a summary of the study says:
The survey revealed that 31 percent of IT professionals have not heard of any of the most common cyber-threats, including those targeting the corporate sector. It turned out that only 31 percent of respondents were aware of SpyEye and Zeus, while Duqu went largely unnoticed – with only 13 percent of those surveyed having heard of the computer worm. It should be noted that nearly half of those who have heard about these threats consider them a danger to their business. However, the general cyber-threat awareness of the modern IT professional leaves much to be desired.
I find this particularly intriguing because the research goes on to say that preventing IT security breaches was the top concern for IT professionals surveyed! Among those polled, 31 percent said preventing security breaches is the biggest worry. Other top responses included data protection (another security concern) at 27 percent and, also, ensuring IT systems are used fully to maximize IT infrastructure ROI at 23 percent.
Clearly security is on the minds of IT. So, if these folks are so concerned about their organization’s security – and worried they might be breached – why are so many still unaware of some of the most well-known, highly-publicized threats out there?
This next set of stats helps us understand why: the research finds that 44 percent of respondents indicated budget constraints are an obstacle to tighter security within their organization, and 37 percent cited a significant degree of misunderstanding of IT security issues among those in charge of the purse strings. An insufficient number of trained personnel to deal with IT threats is the third most cited problem (that must be the percentage that has no idea Zeus is something other than a Greek mythological character).
Are you surprised by these numbers?