Compliance, Phishing Are Top Time Drains for Security Teams

This year’s Black Hat Attendee Survey report, Where Cybersecurity Stands, is billed as a “look at the concerns, attitudes, and plans of some of the industry’s top IT security professionals.” Black Hat surveyed 315 current and former conference attendees, gathering responses from CEOs, CISOs, CIOs, CTOs, and other infosec professionals across more than 20 industries. We highlight some key findings below — and invite you to stop by and see us at Booth #258 next week in Las Vegas to chat about the results in person.

Compliance Tops Phishing/Social Engineering as Most Time-Consuming Daily Pursuit

This year, infosec pros said they spend the most time working to maintain their organizations’ industry and regulatory compliance — not a huge surprise, given that the General Data Protection Regulation (GDPR) formally reared its head in May. This daily focus jumped up the list to barely edge out last year’s top pursuit: phishing and social engineering.

Following are the top 10 most time-consuming daily activities identified by survey respondents; the first percentage noted is from this year’s responses and the second percentage is from 2017. (Note that up to three responses were permitted.)

1. The effort to keep my organization in compliance with industry and regulatory security guidelines (40%, up from 32%)
2. Phishing, social network exploits, or other forms of social engineering (39%, up from 35%)
3. The effort to accurately measure my organization’s security posture and/or risk (36%, up from 35%)
4. Security vulnerabilities introduced by my own application development team (22%, down from 26%)
5. Security vulnerabilities introduced through the purchase of off-the-shelf applications or systems (22%, up from 21%)
6. Accidental data leaks by end users who fail to follow security policy (20%, up from 18%)
7. Internal mistakes or external attacks that cause my organization to lose compliance with industry or regulatory requirements (18%, down from 21%)
8. Sophisticated attacks targeted directly at the organization (14%, down from 16%)
9. Attacks or exploits on cloud services, applications, or storage systems used by my organization (11%, up from 10%)
10. The potential compromise of cloud services providers that my organization relies on (8% and a newcomer to Black Hat’s “Time Spent” list)

It’s interesting to note that “Ransomware or other forms of extortion perpetrated by outsiders” fell out of the top 10 this year, dropping from 12% of responses in 2017 to just 4% this year. Also worth a mention outside of the top 10 is “Cryptocurrency mining and its potential impact on my enterprise network.” This is another newcomer to this year’s response list — though only 3% of respondents flagged it as being one of their most frequent daily pursuits.

Top Concerns Don’t Align With Most Frequent Daily Activities

The survey shows that infosec professionals’ biggest cybersecurity concerns don’t necessarily align with how they spend their time. Only phishing/social engineering is shared among the top five answers on the two lists.

Following are the top 10 concerns identified by respondents. (As above, up to three answers were permitted, and the second percentage noted is from the 2017 survey.)

1. Sophisticated attacks targeted directly at the organization (47%, up from 45%)
2. Phishing, social network exploits, or other forms of social engineering (40%, down from 50%)
3. Accidental data leaks by end users who fail to follow security policy (22%, up from 21%)
4. The potential compromise of cloud services providers that my organization relies on (22%, a newcomer to this year’s list)
5. Attacks or exploits on cloud services, applications, or storage systems used by my organization (16%, up from 15%)
6. Data theft or sabotage by malicious insiders in the organization (16%, steady from 2017)
7. Internal mistakes or external attacks that cause my organization to lose compliance with industry or regulatory requirements (15%, up from 12%)
8. Attacks on suppliers, contractors, or other partners that are connected to my organization’s network (15%, up from 7%)
9. Security vulnerabilities introduced by my own application development team (14%, down from 15%)
10. Polymorphic malware that evades signature-based defenses (12%, down from 20%)

Again, ransomware fell out of the top 10 concerns among respondents — though just barely, clocking in at #11. Still, there was a significant drop-off from last year; just 11% rated it as a top concern in 2018 compared to 17% in 2017. As to concerns around cryptocurrency mining — a new response option this year — only 5% of infosec pros said it’s a top concern, putting it near the bottom of the list.

Other Notable Findings

• 38% of infosec professionals said that end users are the weakest link in their organization’s IT defenses.
• 40% said the most-feared cyber attacker is an individual who has inside knowledge of their organization.
• 59% believe it's likely or definite that their organization will face a major security breach within the next year.
• 30% either don’t know the status of their organization’s level of GDPR compliance, or said they are behind and worried about the potential risk of non-compliance.
• 26% said their organization is not subject to GDPR compliance — which, as the Black Hat report notes, “seems unlikely, since most large enterprises do at least some business with European customers.”
• 69% believe attackers will successfully target US critical infrastructure within the next two years, and just 15% feel the government and private industry are properly prepared to respond.
• 66% feel they don’t have enough training to do everything that’s asked of them, and 34% said that a lack of qualified people and skills is the main reason that IT security strategies fail.
• 37% said that passwords are not effective for protecting enterprise data; just 19% said they are effective, and 44% had a neutral stance.