Overconfidence in IT security readiness is a problem even for high-tech organizations, according to a recent Deloitte survey of technology, media and telecommunications companies.
Among the firms surveyed, 88% of companies are confident that they’re protected against external IT security attacks and 68% believe they understand their own IT security risk.
However, a lower number (62%) said they have a program in place to address their security risks. And despite the majority of organizations’ confidence in how well protected they are, most (59%) have experienced an IT security incident in the past year.
What was behind those attacks and breaches? These are the top factors that have increased businesses' vulnerability to IT security threats:
1. Third party complexity
The top source of security threats was the number and types of third parties the company works with, cited by 78% of survey respondents. Much of the trouble has to do with the increased use of cloud computing, as more organizations are putting sensitive and critical data in the cloud.
One step many companies are neglecting when it comes to keeping that information safe: negotiating cloud computing contracts that protect data and allow for effective action to be taken if there’s a breach. Just 68% of companies say they address security in their cloud computing contracts.
Some issues to keep in mind when evaluating and negotiating agreements with cloud providers:
- Breach notification — Get notified of all security incidents involving the provider, even if it doesn’t affect your data.
- Audits and testing — Many experts recommend companies conduct penetration testing against a provider before signing a contract and negotiate for the ability to conduct regular security audits.
- Liability — While standard contracts often don’t hold providers liable if data is breached, many cloud customers are able to get providers to accept capped liability for breaches.
2. Increased use of mobile devices
Mobile devices are also an emerging source of IT security vulnerabilities, cited by 74% of respondents to Deloitte’s survey.
In addition to the devices companies issue, users are also bringing in their own smartphones and tablets to work — and in many cases, it’s happening whether IT wants it to or not. But despite the prevalence of personal devices, many companies have yet to take steps to protect data when it goes mobile.
Even among companies with over 10,000 employees, just 64% have created specific BYOD policies. Just over half (52%) of smaller firms have done so. Even worse, 10% admit that they haven’t done anything at all to address BYOD security risks.
In addition to creating policies, companies can address the new risks by implementing mobile device management tools and other technology to help the IT department enforce security controls.
3. Lack of IT security awareness among users
Low security awareness among users was cited as a top obstacle to improving security by 70% of the organizations surveyed. And 73% chose user mistakes as a top security threat.
One problem could be the way organizations conduct security training. Many experts recommend tailoring IT security training to different audiences within the company. Different users have different levels of access to sensitive data, and tailored sessions will help give people the information they need to do their own jobs securely.
However, just 30% of organizations surveyed offer targeted IT security training based on job level. Close to half (44%) provide the same general security training for all employees.
Some other strategies experts recommend to increase IT security awareness:
- Mix in advice on how users can keep their personal information safe and prevent identity theft — that may help get people’s attention.
- Conduct in-house mock attacks to prove to over-confident users that they are also vulnerable to security threats.
- Show statistics on how much money businesses lose due to security incidents — and, if applicable, mention past incidents at your company and explain the damages that resulted.
- Train managers first and get them to stress to their employees that security is part of their jobs.
- Ask for input when developing security strategies — people will care more about a plan they helped come up with, and as users become more tech savvy they might have good ideas to offer, too.
- Take any chance you get to remind users about security — any time a user interacts with IT is an opportunity to offer some kind of lesson or make a connection to a security-related topic.
- Offer warnings about current security issues — for example, emailing a warning about new malware or a phishing scam will help prevent those specific attacks and keep security fresh in people’s minds.