The Perceptions Versus the Reality of IT Security Threats
When it comes to IT security, perceptions don’t always match reality. Many businesses believe that the biggest IT security threats to data are those caused by malicious outside forces attacking the organization. While there’s no question that external threats are real and businesses need to take measures to protect their perimeters, internal threats caused by human error and employees who haven’t followed security protocol are just as common.
The discrepancies between perception and reality can be seen in the 2015 Black Hat Attendee Survey on enterprise IT security. Based on 460 North American respondents working in IT security (both management and staff), the number-one and number-two security concerns were related to external threats (57% and 46% respectively), with concerns about internal threats from users coming in a distant third at 21%. However, the challenges that are actually consuming IT budgets are somewhat different. The survey highlights that accidental data leaks caused by internal staff were identified as the number-one challenge (tied with external attacks).
The issue of course is that when less attention (and IT budget) is spent on managing the internal risks, which are at least as real as the perceived risks, a security gap is exposed. The problem is further compounded when organizations – especially those on the smaller side – believe they are less at risk than bigger companies with higher profiles.
We have discussions with businesses every day about security. Anecdotally we can say that, at least among smaller businesses where protecting communications is not always a priority, there often exists a false sense of security. There is a perceived notion of being “off the radar” from attackers who are more focused on large enterprises – or as MSPMentor Blog writes: the belief of being “too small to be noticed”.
While it may be true that smaller companies are targeted less frequently because of their size and lower profile, the impact of a data breach can be far more devastating to a small business. Moreover, being targeted is only one part of the problem, given the risk of a data breach caused by human error.
So where do we go from here? The best approaches to security by any size of company are holistic ones that take into consideration both external and internal threats and assess what’s truly at risk if data were to be lost. (We wrote more on the topic of calculating the cost of a data breach here.)
Cloud security solutions, which address issues like data jurisdiction, need to play an integrated role in the overarching approach. These solutions are an ideal starting point. They include email encryption that works alongside basic email, can control what happens to messages even after they have been sent, and can securely share large files. While there is no one-size-fits-all strategy, one thing is clear: the inherent flexibility, scalability and affordability that the cloud offers are changing the face of data security and are enabling businesses to take a top-down “big picture” approach in a way that is most relevant to their needs and budget.