Employees Remain Biggest IT Security Threat, But Training & Investment Still Lag Behind

Written by Joe Kozlowicz on Thursday, May 26th 2016 — Categories: Security

a user logs in with RSA secure IDIf your cybersecurity efforts were the big boss in a video game, your users would be the flashing weak point for hackers to attack. So why aren’t IT departments spending more time and money on training?

Surveys from across the industry are discovering that while IT security spending continues to increase, even with budgets shrinking overall, the amount spent on policy, end user training, and staff certification is much lower than the amount spent on hardware and software for detection and mitigation.

Malware and ransomware continue to grow as threats, with its primary entry point to your systems coming from users clicking on malicious links or e-mail attachments. Most healthcare breaches come from stolen devices or unsecured workstations. Users regularly use the same password at work as on their personal sites and applications, so when a large breach occurs at, say, LinkedIn, their work accounts can also be compromised.

Kaspersky Labs lists phishing and social engineering among their top threats for 2016, and four of their top five precautionary steps rely on the user (use strong passwords, destroy sensitive documents, don’t open suspicious e-mails, and keep antivirus software up to date).


Where Are IT Security Dollars Being Spent?

A SANS study from 2015 found that protection of data is the most important reason for security spending, followed by compliance, then reducing incidents and breaches.

Security spending is increasing, even as IT budgets overall are dropping. For companies with an IT budget between $500,000 and $1 million, projected IT security spending jumped from 4%-6% of the budget to 7%-9% in 2016.

However, companies are mostly spending on software, hardware, staff, compliance, and risk reduction rather than end user training, governance, policy, training, or security programs.

72% reported operational spending was focused on protection and prevention, 62% said detection and response, 58.6% said compliance and audits, and 49.7% said risk reduction. Most of these categories involve using a combination of hardware and software in concert with trained IT staff to detect, mitigate, and restore systems from cyber attacks.

Only 45.5% said they were using operational spending for end user training and awareness. Only 43.4% reported governance/policies, and only 39.3% said staff training and certification.

White Paper

Need a Managed Security Solution?

Talk to one of our experts today.

IT Teams Are Not Focused on User Activity

While it’s true that you need firewalls, IPS/IDS, antivirus tools, and preferably 24/7 monitoring to keep your IT security in good standing, insider threats and ignorant user activity are just as likely – if not more so – to lead to a security breach or malware infection.

A Ponemon Institute survey from April 2016 found that 55% believed their organization had fallen victim to a security breach caused by a malicious or negligent employee, but only 45% made security training mandatory for employees.

For those companies that had mandatory security training, 29% reported that C-level executives did not have to take the course.

Less than half (49%) of training courses including phishing and social engineering attack training; only 36% included mobile device security; and just 29% (!) reported training on using cloud services securely.

It’s not the cloud itself that’s insecure, it’s the way it is being used. A strong security policy, complete with required training, regular audits, and smart employee users is the best way to keep breaches at bay. All the hardware and IPS in the world won’t stop a misguided employee from leaving that password written on a monitor sticky note.