Black Hat USA is one of the biggest security events on the global calendar; now in its 18th year, the six-day event is well attended by the security staff of some of the biggest companies, many of which have more than 5000 employees. It is therefore an excellent place to hold a survey about cyber security, which is precisely what the organizers did for the first time this year.
So what did people have to say?
More than a third of attendees said their most time-consuming tasks involve addressing vulnerabilities introduced by internally developed or third-party off-the-shelf solutions. However, these are not considered the greatest threats, simply the most time-consuming security tasks.
Naturally, the type of attack that concerns them most is the sophisticated one that targets their specific organization. This was followed by phishing and social engineering attacks at 46%, with issues such as in-house software vulnerabilities, polymorphic malware and cyber-espionage in joint third place at around 20% apiece.
The survey observed a clear disconnect between the threats of most concern and the allocation of security spending. While security pros considered targeted attacks, phishing, social engineering, polymorphic malware and cyber-espionage among their greatest concerns, spending was prioritized differently. The top two spending priorities were accidental leaks and compliance issues, i.e. the two issues with the greatest risk of legal difficulties.
41% agreed that the perception of current threats is not an accurate reflection of the real areas of concern, largely due to unbalanced media coverage of issues such as hacktivism and political hacking. Respondents also indicated a difference between the issues which concerned management and their own concerns: management showed a different level of concern about malicious insider attacks, and lacked both understanding of and due concern about social engineering and phishing attacks.
The next few years
Looking ahead, the Internet of Things poses a looming security concern, with 36% of respondents believing these devices will be one of their main security concerns in the next couple of years, whereas currently only 6% of them consider it an area of concern.
Considering the coming twelve months, 73% of respondents felt that they were likely to face a significant security compromise in the next year, with several stating “it’s not a matter of if, but when.”
When asked what the most likely attack surface and route of entry would be, 33% cited end users who are easily fooled by social engineering tactics or who fail to follow security policy as their most likely weakness. Given the disconnect between concerns and budgetary allocation, it’s unsurprising that around one fifth also cited their own defenses or poor security architecture as a likely route of entry for attackers. One explanation for this might be that nearly three quarters of those surveyed felt their security teams were understaffed, and only one third felt that they had the appropriate budget to properly defend themselves.
However, it’s not all doom and gloom for the security pros: many felt that they had adequate support from non-IT colleagues, and only 12% described themselves as actively job hunting. This is a significant improvement from a few years ago, when other studies indicated that management had little knowledge of or interest in cyber security. Perhaps the unbalanced media coverage has had some benefits.