A recent NetEnrich survey of over 150 IT professionals found that while more than 40 percent of respondents’ companies have been victims of cyber attacks, fully 43 percent said the attacks could have been prevented with a better cyber security policy.
Additionally, 37 percent of respondents said they could have used better tools and methods for testing and monitoring, and 21 percent felt the breaches could have been avoided if their companies had better communicated security policies to employees.
Still, recent research from CEB found that more than 90 percent of employees violate corporate policies designed to prevent data breaches.
“While spending on information security has dramatically increased over the last decade, companies are overlooking a bigger cause of breaches — employee behavior,” CEB data privacy practice leader Brian Lee said in a statement.
“Establishing a more balanced approach to information governance — one that complements technological controls with prudent and relevant privacy policies that employees can easily follow — will allow companies to effectively use the information they collect and protect against a damaging data breach,” Lee added.
Mike Ahmadi, global director for critical systems security for the Synopsys Software Integrity Group, told eSecurity Planet that he’s not surprised by CEB’s findings. “Most employees do not want to willingly violate these policies, in my experience, but the business world penalizes lost productivity and does not reward employees who use the excuse, ‘I was following the data loss policy guidelines,’” he said. “Unless usability remains stable and workflow is not hindered, employees at all levels will violate these policies.”
Last fall, a Balabit survey of 381 IT professionals found that 69 percent of respondents said they would bypass security controls and risk a potential security threat to achieve the biggest deal of their life.
Notably, the recent NetEnrich survey also found that 53 percent of respondents see employees, rogue or otherwise, as the greatest source of cyber attacks on companies.
Stolen or weak passwords are seen as the most common cause of cyber attacks at 26 percent, followed by testing and monitoring system failure (21 percent), advanced persistent threats (15 percent), and employee error (14 percent).
“All the data shows that cyber security must be a top priority for companies and that half-measures and workarounds will not do,” NetEnrich president and CEO Raju Chekuri said in a statement.
Still, a recent Accenture survey of 2,000 security practitioners at large enterprises found that while 75 percent of respondents are confident in their ability to protect their enterprises from cyber attacks, one in three targeted attacks against those same respondents’ companies over the past 12 months resulted in an actual security breach.
The Accenture survey also found that 51 percent of respondents admit it takes months to detect sophisticated breaches, and as many as a third of all successful breaches aren’t uncovered at all.
And while survey respondents said internal breaches have the greatest impact on their companies, 58 percent prioritize heightened capabilities in perimeter-based controls over addressing high-impact internal threats.
Given extra budget, just 17 percent of respondents would invest in cyber security training.