IT Security Pros Worry About APTs, but Can't Change User Behavior

Security professionals claim to be concerned about targeted attacks but continue to allow employees to indulge in risky behavior, according to a new Bit9 report.

While security professionals are worried about targeted attacks against their company, IT professionals are not putting enough safeguards in place to defend against them, according to a new report. In many businesses, employees are allowed to indulge in risky IT security behavior even though it leads to data breaches from outside attackers.

About 60 percent of IT and security professionals in the United States, Canada and Europe claimed their main concern was being hit by an advanced persistent threat (APT), according to the Bit9 Endpoint Security Survey, released Aug. 30. Insider threats, such as an employee posting sensitive information to external sites such as WikiLeaks, were the second most important, at 28 percent.

Company executives were worried about targeted attacks, similar to the tactics used against RSA Security and some defense contractors earlier this year, the survey found.

The Bit9 report also found that 26 percent of organizations were worried about vendor partners being compromised, such as what happened with Epsilon and other smaller vendors earlier this year. Finally, a quarter of the respondents were worried about a cloud application breach, similar to what happened with various Sony properties this spring.

However, the survey found a significant disconnect between these concerns and what businesses were doing to keep unwanted software or malware from infecting their systems.

Half the companies surveyed either had an open software environment, which allows employees to download and install whatever software they want, or relied on an "honor system" in which employees are trusted to comply with written policy on unauthorized software applications.

These companies did not have any mechanisms in place to enforce their own security policies or to monitor what was being installed. In fact, 51 percent of the companies had an open environment, Bit9 found. The most common unauthorized applications on endpoints were digital music services such as iTunes, social media applications and instant messaging software.

"Companies are increasingly worried about advanced persistent threat attacks, but they continue to engage in risky behaviors," said Tom Murphy, chief strategy officer of Bit9.