Insider threats are the number one cybersecurity risk, according to IDC’s recent whitepaper, “Affordable Tools and Shared Responsibilities Define Midmarket IT Security Trends,” sponsored by SolarWinds. Inadvertent threats are the main issue; nearly 62% of survey respondents cited user error as providing the greatest cyberattack exposure. The report also named a lack of regular cyberhygiene and the need for more effective, affordable tools as top issues for organizations to address.
The human factor is central to the issue, explained Tim Brown, vice president of security for SolarWinds. He said employees tend to make mistakes—such as leaving network shares open or carelessly sharing data—in the course of doing their jobs. But Brown also noted that phishing attempts have improved drastically. Some, he said, have “gotten so complex and so good that they are hard to distinguish. They are contextually aware. They understand what’s going on in an organization.” These improved phishing emails are much more likely to be clicked.
An important part of cyberdefense, then, is ongoing education and training. But Brown’s take was, again, human-centric. Instead of the technical team giving the security training, he suggested training come from someone who knows how to convince people and motivate them.
With limited time and resources, organizations are focusing their efforts on the “must-do” activities, but automation is a priority, with 65% of those surveyed saying they expected to spend more in the coming year than before. Also, while many organizations choose to implement security tools themselves, a growing number are outsourcing at least part of the process.
Still, these approaches make it incumbent on the in-house teams to make sure processes are followed and systems are patched. Survey respondents rated patch management and endpoint protection as lesser priorities compared with email security, data encryption, and access and identity management.
Brown said while the continuing growth of insider threats was expected, the widespread lack of basic cyberhygiene was a bit of a surprise. “If you look at the actual exploits that have caused the most harm, what is it? A known vulnerability that was not patched allowed people in to do the wrong things,” he said. Attention, he said, was focused on “shiny new applications” before taking care of the basics.
You can read the complete IDC whitepaper here.