The role of IT in
defending against cyber attacks is more difficult than ever, with more
sophisticated attacks on the rise – and in some cases, attackers have
infiltrated corporate networks without IT knowing. But even more concerning to
IT departments in defending against attacks is the lack of willingness by
employees to take precautionary steps against them, according to the latest
results from the A10 Networks Application Intelligence Report (AIR).
The A10 AIR report
examines how people interact with applications and the growing security
implications that result, both personally and for businesses and their IT
organizations. AIR previously examined the rise in use
of apps in our “blended lives,” blurring lines between work and personal
business through use of apps at home and in the office.
In contrast to the
previous report that looked at the consumer impact of apps in the workforce,
today’s announcement addresses the challenges of IT decision makers who are
faced with the rise and complexity of cyber attacks, and the sometimes careless
attitudes of employees who unwittingly introduce new threats to their
businesses. This data is even more disturbing with metrics that found almost
half (48 percent) of IT leaders say they agree their employees do not care
about following security practices.
Frequency of Known – and Unknown – Cybersecurity Attacks
The report also
interviewed IT decision makers about their efforts to defend their corporate
networks, users and applications against cybersecurity attacks, finding that
half (47 percent) said their company has suffered a data breach at least once.
When it comes to DDoS
attacks, more than one third (38 percent) say their company has suffered an
attack at least once over the past 12 months, with another 9 percent not aware
if they’ve been attacked or not. When projected across the entire industry, this
presents an ominous trend, as nearly half of IT professionals have
either been a victim of a DDoS attack or don’t know yet if they have been.
As IT defenders are
faced with the increasing sophistication of adversaries who are responsible for
the size and frequency of these attacks, 44 percent of the IT professionals
surveyed in the report expect DDoS attacks to increase over the next year – and
70 percent expect overall cyberattacks to increase or remain the same.
However, one out of
three (37 percent) employees surveyed say they aren’t familiar with what a DDoS
attack is – with 11 percent not knowing if they’ve been victimized themselves –
which makes it hard to protect someone when they aren’t familiar with the
dangers or how to prevent attacks in the first place.
The diverse variety of
cyberattacks is also cause for concern. On the topic of ransomware, almost one
quarter (22 percent) of IT decision-makers say their company has been the
victim at least once, and an additional quarter (26 percent) believe it is
probable – but ultimately unknown – that their company has been a victim. This
equates to nearly half of the industry either having been victimized by
ransomware, or not aware if they are already vulnerable to a looming attack.
Help for IT Professionals is On the Way
Perhaps as a direct
correlation to the rise of these attacks, the survey revealed that 63 percent
of IT professionals believe their overall IT and security budget will increase.
Additionally, one third (36 percent) of IT departments are looking to grow
their security teams, as security is the top hiring focus, followed by the
applications team, which participants expected to see a 17 percent increase in
head count.
Who’s Responsible for App Security?
More than half (55
percent) of employees expect the use of business apps to increase, increasing
the odds these devices may become part of a larger DDoS attack, which can bring
entire businesses to a screeching halt.
But who is ultimately
responsible for protecting employees who use non-sanctioned apps at work? App
developers, IT departments and end users are at odds over who is responsible
for application security and best practices regarding the many apps on the
phones of employees. With employees, responsibility is low: only two out of
five (41 percent) claim ownership for the security and protection of
non-business apps they use.
And who is that
“someone else” who should be protecting users’ apps in the workplace? Employees
think security should be provided by the app developers (20 percent), service
providers (17 percent) and their IT department (16 percent).
But if you ask IT
decision-makers who is internally responsible, one third say the security team
is most responsible for protecting employees’ identity and personal information,
followed by the CIO or VP (17 percent) of the company, and 15 percent state
“the whole IT department.”
Additional AIR
findings include:
Employee Behavior toward the Use of Banned Apps or Sites at Work
· It’s an accepted fact that companies can block
apps and websites at work – 85 percent of employees find this practice
acceptable, and 85 percent would accept a job that does so.
· However, only two thirds (61 percent) of
employees claim their companies actually block specific sites or apps.
· One third (30 percent) of employees surveyed
knowingly use non-sanctioned apps.
· 10 percent don’t know if the apps they use at
work are banned or not.
· Of those who use non-sanctioned apps, over
half (51 percent) claim “everybody does it,” while one third (36 percent)
believe their IT department doesn’t have the right to tell them what apps they
can’t use.
· One third (33 percent) claims IT doesn’t give
them the apps needed to get the job done.
Perceived Attitudes of Employees and Thoughts on Best Practices
· Almost a quarter (23%) of IT decision-makers
think there will be no improvement in security behavior at their company, but
75 percent think optimistically that there will be.
· 88 percent of IT heads say employees need
better education on best security practices.
· IT decision makers say their top recommended
password policy is updating passwords regularly (76 percent) followed by
choosing different passwords for different systems (59 percent), and two-factor
or multi-factor authentication (53 percent).
· Password policies are communicated to
employees through email reminders (66 percent) followed by employee orientation
(50 percent), internal meetings (48 percent), and communication from a manager
(44 percent).
Challenges and Needs of IT
· When protecting their company, the biggest
challenge noted by IT professionals is lack of corporate commitment to policy
and enforcement (29 percent).
· Forty-one percent of IT leaders are only
slightly optimistic about their ability to stop threats and protect their
company.
This data is
consistent with a recent A10 Networks report that
found the average company suffers 15 DDoS attacks per year, with average
attacks causing at least 17 hours of effective downtime, including slowdowns,
denied customer access or crashes. Attacks are also getting harder to defend,
with average peak bandwidths of 30 to 40 gigabits per second (Gbps) and many
exceeding that mark.
“A10’s AIR report shows how employees too
often unknowingly weaken cybersecurity and the use of unsanctioned apps. With
often poor understanding of corporate security policies, this behavior
increases the risks that come with a growing reliance on disparate and
app-dependent workforces.”
A10 Application Intelligence Report (AIR)
The Application
Intelligence Report (AIR) is a global research project that examines the
behavior and attitudes of the global workforce toward the use of business and
personal apps, and their impact on risk, security, and corporate culture.
AIR was commissioned
by A10 Networks and conducted independently by strategic research firm Provoke
Insights. It involves more than 2,000 business and IT professionals in 10
countries, with the intent to provide education for employers that can help
them reassess corporate policies and ultimately protect their businesses – and
their applications – by simply becoming more aware of the behavior of their
employees.