IT and security professionals have no sympathy for the burden of management, if a new eight-country survey from McAfee is representative.
More than half of those who responded to the survey said senior and C-level executives should lose their jobs if a data breach is serious enough, while a quarter think bosses should absolutely lose their jobs after any breach.
The survey also suggests that leadership isn’t showing much leadership: A full 61 per cent said their executives expect more lenient security policies for themselves, and 65 per cent of those respondents believe this leniency results in more incidents.
The results were from a survey of 700 IT and security pros who worked at organizations in Australia, Canada, France, Germany, India, Singapore, the United Kingdom, and the United States. Thirty-five of the respondents were from Canada.
As with most surveys, it has both good and bad news. For some time many organizations learned of data breaches only after being notified by law enforcement or a third party. Respondents to this survey said internal security is discovering the majority of breaches, with 61 per cent of incidents being found by the security team. That’s up 14 points compared to the results of McAfee’s survey in 2015.
Compared to 2015, there was a six-point drop in intentional breaches (30 per cent to 24 per cent) by insiders, which includes employees plus others who have system access.
On the other hand, the number of accidental breaches by insiders went up. And, as many other surveys have noted, the severity of breaches is also growing. Over the past three years, the percentage of organizations experiencing a breach serious enough to require public disclosure or having a negative financial impact on the company has risen from to 73 per cent from 68 per cent. On average, respondents experienced almost six serious breaches each during their professional lives to date.
New to this year’s report was a question about which internal groups generate the most data leaks. Interestingly, IT or security departments are involved in
just over half of all leakage events, business operations and production are second at 29 per cent, and sales employees are in third place, at 26 per cent. A common case in sales is individuals downloading their contacts prior to leaving the company, the report notes.
Least likely groups to cause leaks are legal (6 per cent), finance (12 per cent), and human resources (15 per cent).
When it comes to insider threats, email leakage is the biggest security hole, followed by risky users and USB drives. All of these could be significantly reduced
with additional education on corporate policies and appropriate online behavior, the report argues.
Cloud applications and infrastructure are widely deployed, yet do not appear to result in any more data theft than traditional networks and data centers.
Almost half of the organizations surveyed (46 per cent) use a hybrid cloud/on-premises data storage approach, 29 per cent are cloud only, and 25 per cent keep their data on premises. Around two-thirds of the breaches experienced by the respondents occurred on traditional networks, and one-third were on cloud infrastructure.
Here’s another interesting result: Respondents didn’t appear to favour a particular strategy for reducing the risk of data exfiltration. All of the suggested strategies were within a few points of each other. The answer seemed to be “all of the above.”
Of the 35 Canadian respondents, 59 per cent said they had suffered a serious data breach in their careers.
Payment card information is now much less of a target, likely thanks to better protections, deployment of new payment technologies, and enhanced fraud detection systems, the report concludes. However, this has shifted criminals’ focus to personal information and intellectual property. Database leaks, network traffic, and file shares are the most likely exfiltration vectors.
Cloud usage continues to increase but is not responsible for a disproportionate amount of data breaches, the report adds.