Enterprise executives are hardly naïve about network security issues these days but a Radware survey says there is still a dangerous knowledge gap and the need for more education on security ahead of IT decision-making at most companies. Among the new issues for concern: the rising use of wearable technology among workers, which could represent new attack points.
The survey of 205 senior IT executives at large ($50 million in revenue) companies in the US and UK also showed a distinct gap when it comes to views on ransomware: The vast majority (85%) of executives whose companies had never been hit insisted they wouldn't pay a ransom, but almost half of those (43%) who had been hit did pay.
"That speaks to their awareness level," says Ben Desjardins, director of Security Solution Marketing at Radware Ltd. (Nasdaq: RDWR). "Many executives don't realize how network-dependent their operations have become until something happens."
Wearable technology such as smart watches and fitness trackers represents both an extension of the concern around bring-your-own-device policies regarding smartphones and an initial wave of new devices ahead of the Internet of Things (IoT), which will bring millions more, he says. Radware added questions about wearables to the survey to start assessing what companies are thinking regarding IoT.
"You start to have a bleeding of the BYOD challenge, with employees bringing new network-capable devices into networked environments, putting them on WiFi and connecting them to laptops, even if it's just to charge them," he says. "Those network-capable devices potentially expand the attack footprint."
The survey showed 41% of companies don't have any policies around wearables at this point, however, and only one-third have implemented up-to-date policies within the last two years, as those devices have proliferated. Only 18% of those surveyed saw wearables as a potential point of attack.
But there is recognition that IoT is a looming security challenge: 29% said IoT devices were "extremely likely" to be attack points, only slightly fewer than those who saw network infrastructure as most vulnerable (31%).
Desjardins says past annual Radware surveys have been more qualitative but this year the company tried to dig into more quantitative details and came away with the belief there is still "a false sense of security lingering at the C-level" about how vulnerable businesses are. That's true even when awareness peaks following highly publicized data breaches at many companies. (See AT&T: Businesses Not Ready for Data Breaches.)
"Among executives outside of the IT realm, it's natural that there will be an ebb and flow of concern -- it's unreasonable to expect executives to keep up with the threat landscape, as that's a daunting task for security experts," he says. "But they do need to have an idea of what is in place in terms of response plans and also to realize how the business decisions they make change the security dynamic." (Listen to: IoT: Tackling the Security Challenge.)
For example, he says, executives may push to adopt cloud computing for its cost and market benefits but need to take into account how that changes security needs. While that seems like a no-brainer to many within the networking industry, changes of that nature happen and security is considered later, he notes.
Interestingly, executives are more aware of the cost of security failures. More than a third of US respondents to the survey said a cyber attack had cost them more than $1 million, and 5% said they had spent more than $10 million in recovering. UK executives reported lower costs: 63% said an attack had cost less than about $500,000 to cover. But more than a third of overall respondents admitted the real risk of cyber attacks is the damage to the reputation of their brands.
— Carol Wilson, Editor-at-Large, Light Reading