Top Concerns Don’t Align With Most Frequent Daily Activities
The survey shows that infosec professionals’ biggest cybersecurity concerns don’t necessarily align with how they spend their time. Only phishing/social engineering is shared among the top five answers on the two lists.
Following are the top 10 concerns identified by respondents. (As above, up to three answers were permitted, and the second percentage noted is from the 2017 survey.)
- Sophisticated attacks targeted directly at the organization (47%, up from 45%)
- Phishing, social network exploits, or other forms of social engineering (40%, down from 50%)
- Accidental data leaks by end users who fail to follow security policy (22%, up from 21%)
- The potential compromise of cloud services providers that my organization relies on (22%, a newcomer to this year’s list)
- Attacks or exploits on cloud services, applications, or storage systems used by my organization (16%, up from 15%)
- Data theft or sabotage by malicious insiders in the organization (16%, steady from 2017)
- Internal mistakes or external attacks that cause my organization to lose compliance with industry or regulatory requirements (15%, up from 12%)
- Attacks on suppliers, contractors, or other partners that are connected to my organization’s network (15%, up from 7%)
- Security vulnerabilities introduced by my own application development team (14%, down from 15%)
- Polymorphic malware that evades signature-based defenses (12%, down from 20%)
Again, ransomware fell out of the top 10 concerns among respondents — though just barely, clocking in at #11. Still, there was a significant drop-off from last year; just 11% rated it as a top concern in 2018 compared to 17% in 2017. As to concerns around cryptocurrency mining — a new response option this year — only 5% of infosec pros said it’s a top concern, putting it near the bottom of the list.
Other Notable Findings
- 38% of infosec professionals said that end users are the weakest link in their organization’s IT defenses.
- 40% said the most-feared cyber attacker is an individual who has inside knowledge of their organization.
- 59% believe it’s likely or definite that their organization will face a major security breach within the next year.
- 30% either don’t know the status of their organization’s level of GDPR compliance, or said they are behind and worried about the potential risk of non-compliance.
- 26% said their organization is not subject to GDPR compliance — which, as the Black Hat report notes, “seems unlikely, since most large enterprises do at least some business with European customers.”
- 69% believe attackers will successfully target US critical infrastructure within the next two years, and just 15% feel the government and private industry are properly prepared to respond.
- 66% feel they don’t have enough training to do everything that’s asked of them, and 34% said that a lack of qualified people and skills is the main reason that IT security strategies fail.
- 37% said that passwords are not effective for protecting enterprise data; just 19% said they are effective, and 44% had a neutral stance.