Day in and day out, the headlines around the Web paint a picture of an Internet often under attack and data breaches victimizing organizations of all sizes. Despite all that, a new study from Intel Security and education and policy studies organization Aspen Institute found that many organizations see an improvement in security.
“The biggest surprise was the perception that they are more secure today than three years ago; this, of course, is a good thing,” Raj Samani, vice president and CTO of Intel Security, told eWEEK. “However, considering the daily pace of known successful cyber-attacks, we have to consider whether this perception is entirely accurate and whether there is a degree of overconfidence.”
The Critical Infrastructure Readiness report is based on a survey of 625 IT decision makers across the United States, United Kingdom, France and Germany. Respondents were asked to evaluate their own security posture both currently and in retrospect.
Today, 27 percent of respondents indicated that their organizations are “very or extremely” vulnerable; in contrast, 50 percent indicated that three years ago they would have considered their organization to be “very or extremely” vulnerable.
There is, however, a disconnect between the vulnerability finding and perceptions in organizations about the actual threat level: 70 percent of respondents indicated that the cyber-security threat level in their organization is escalating.
Although there may appear to be a disconnect between the two statistics, there is also a rational explanation, Samani said. “In other words, yes, the threat is escalating, according to respondents, largely through nation-states; however, we are okay,” Samani said. “The industry vulnerability could be seen as something affecting somebody else.”
In fact, 48 percent of respondents indicated that a major cyber-attack that could result in the loss of human life is likely to occur in the next three years. While respondents see a risk from a major attack, the responsibility for defending and responding to such an attack is viewed as a national government concern. The study found that 76 percent of respondents hold the view that a national defense force should be in place to respond to a cyber-attack that damages critical infrastructure.
Going a step further, 86 percent noted the need for public/private cooperation to enable successful cyber-defense of critical infrastructure. The need for cyber-security cooperation between the government and the private sector is one that President Obama sees, as well. In February, he signed an executive order on information sharing for cyber-security. The White House strategy includes starting up new information-sharing groups, called hubs, that are built around vertical industry sectors to fight hackers.
When looking at the actual security risks organizations face, user error was identified as the top issue.
Samani said that there is no magic answer to the question of what organizations should do to reduce the risks of user error. “It will be a combination of process, people and technology,” Samani said. “Recognizing the risk, managing the risk and ensuring controls are there to address the potential overconfidence is the way forward.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.