A new study shows a majority of IT security executives still maintain a high confidence level about their ability to prevent data breaches, yet the study also suggested those executives' organizations lack critical means to defend against emerging and sophisticated threats.
According to a study from network security firm Fortinet, Inc., 66% of companies are pretty confident (38% of respondents) or 100% confident (28% of respondents) in their security efforts. Yet according to the same survey, 29% of executives consider protection and detection of advanced persistent threats (APTs) a critical priority for their 2015 security initiatives. In addition, next-generation firewalls (NGFWs) and mobile device management (MDM) both garnered a 28% critical priority response.
The study featured a survey, conducted by CSO Strategic Marketing Services, of 250 IT managers and executives who were responsible for their organizations' network security and found that a significant portion of them "overstate their confidence in current security measures." The study reported that "there does seem to be a bit of a disconnect between so many executives (3 in 4) citing protection from APTs and next-generation firewalls as high/critical priority…and so many of the same folks (2 in 3) feel they have done almost all or all they can do to prevent an incident or breach."
Furthermore, the report showed 36% of executives were most concerned about protecting customer data from cyber attacks, while 22% were most concerned about system availability/business continuity. Meanwhile, intellectual property and employee data were at the low end of the priority scale with 13% and 11%, respectively.
In other words, according to Fortinet, these IT executives shouldn't be as confident as they are if they lack key security measures such as NGFWs and MDM and aren't protecting employee data and intellectual property.
"Given this discrepancy," the report states, "some respondents have unexpected -- and possibly unrealistic -- high levels of confidence in their ability to fend off threats and prevent potential losses."
Aamir Lakhani, senior security strategist with Fortinet, said enterprises need to take a more comprehensive view of their information security measures rather than just focusing on endpoints or the perimeter.
"The problem with that is attacks are not designed looking at only one portion of security," Lakhani said. "That's really been the motto of Fortinet since day one: Let's look at the ecosystem. Not just edge, not just firewalls, not just endpoints -- but look at everything."
On the opposite end of the confidence spectrum, the report showed that 26% of respondents said their security confidence level was "50/50" while 5% said they were "not so confident." Meanwhile, 3% of respondents said they had "zero confidence" in preventing data breaches or cyber attacks, stating that "it's happened before, it will happen again -- there's nothing we can do about it even if we try."
There were some bright spots, however, as the report showed that in the past year, companies have also taken the step of reaching out for help and outsourcing their security -- at least partially. According to the study, 27% of respondents said their preferred deployment method for network security was through on-premise managed services, while 25% cited vendor cloud services.
"While companies may need more security expertise than they have in-house," according to the report, "they don't want to wash their hands of ultimate responsibility for their own network -- which is a good thing."