SolarWinds has released the results of its Information Security Confidence Survey, which explored IT professionals’ confidence in their organizations’ security measures and processes. The survey found that while confidence is notably high, likely the result of several key factors, widespread adherence to security best practices is lacking, and significant, damaging attacks continue, potentially indicating this confidence is a false sense of security.
“Organizations are taking positive steps toward improving their information security; most notably in terms of budget and resources,” said Mav Turner, director of security, SolarWinds. “It’s important, however, to never fall into the trap of over-confidence. IT pros should do everything they can to ensure the best defenses possible, but never actually think they’ve done everything they can. This approach will ensure they are proactively taking all the steps necessary to truly protect their organizations’ infrastructures and sensitive data.”
Fielded in October 2014 in conjunction with Enterprise Management Associates, the survey* yielded responses from 312 IT practitioners, managers, directors and executives in North America from small and midsize enterprise companies.
“The survey brought out many interesting and disturbing trends,” said David Monahan, research director, risk and security management, Enterprise Management Associates. “The general over-confidence demonstrates why we are seeing more breaches. Much of this appears to come from the concept that compliance is equivalent to security. Knowing that all of the major retailers that have experienced breaches in the last year have been considered compliant, we know that is not true.”
- IT professionals are confident in their organizations’ security measures and processes.
In fact, 84% of those surveyed said they consider their organizations to be very secure, falling within at least the 30th percentile of the most secure organizations, with 15% of those believing their organizations are in the top 10th percentile. In addition, 87% said their IT departments currently have sufficient resources to keep their organizations secure.
- Increased budget, manpower and integration between security and other IT processes and operations, such as network and system administration, are likely driving this confidence.
For example, 74% of those surveyed reported their departments’ security budgets increased from last year to this year. Moreover, only 1% said their organizations do not have at least one staff member responsible for security, and 97% said they have more than one. This manpower could explain why 61% said they are able to test their defenses at least monthly. Finally, 47% said their IT departments tightly integrate security and other IT processes and operations, while all others reported at least some level of interaction.
- Widespread adherence to security best practices is lacking and damaging attacks continue to plague organizations, potentially indicating this high level of confidence is a false sense of security.
Though nearly 30% of respondents do not believe their organizations are a target for an attack and another 27% said they feel they are at low risk of a successful attack, 82% reported their organizations have experienced a significant attack, with approximately one-third of those reporting that it took at least one month to discover the attack. Furthermore, approximately one-third also said it took at least one month to recover from the attack (get the affected systems/applications back online/operating and the security hole mitigated). Underscoring this is that nearly 40% said their organizations either do not have defined security best practices or, if they have them, do not regularly follow them.
*Full survey results available upon request.
This article was originally posted as “Report: 84% Of IT Pros Rank Their Organizations’ Security Above Average” in Cloud Strategy Magazine.