McAfee Survey Finds IT at Cybersecurity Fault Most
McAfee this week published a report that finds most cybersecurity breaches are the result of lax IT processes rather than mistakes made by end users.
Based on a survey of 700 cybersecurity professionals working in organizations with over 1,000 employees, the “Grand Theft Data II” report finds 52% of respondents claim IT is at fault when a data leakage event occurs, versus 29% who cite business operations.
Candace Worley, chief technical strategist for McAfee, said that while the number of incidents in which IT teams are deemed at fault may seem high, it’s important to remember that IT teams also have the most opportunity to make a mistake by, for example, misconfiguring a server.
Overall, the survey finds 61% of respondents claim their current employer has been impacted by a data breach. The survey also finds that on average survey respondents have dealt with six breaches over the course of their professional lives. That number, however, may be low depending on whether respondents viewed a data breach to be an event significant enough to be worth reporting, noted Worley. However, the survey also finds that nearly three-quarters of the breaches cybersecurity professionals have needed to address either required public disclosure or affected financial results.
The survey also finds the causes of most data breaches have not changed much in recent years. The top three methods employed by cybercriminals to exfiltrate data, according to the survey results, are database leaks, cloud applications and removable USB drives. In addition, 61% of all incidents are discovered by the internal security team.
While the number security incidents are clearly up, Worley said it’s not clear whether there are truly more attacks being launched, cybercriminals are just becoming more successful or whether IT security teams have simply become better at discovering them. All three of those factors are likely at play, noted Worley.
The one thing the survey does make it clear is that organization that have deployed modern endpoint detection and response (EDR) tools are discovering more cybersecurity breaches than those organizations that continue to rely on signature-based cybersecurity tools. Organizations that have deployed EDR tools to secure their IT environments tend to discover more threats faster, noted Worley.
Other critical cybersecurity tools include data loss prevention and cloud access service brokers (CASBs). But the survey finds more than half of organizations have yet to install or properly configure at least one of these tools even though between 65% and 80% of breaches would have likely been prevented if one or more of these systems had been installed.
The McAfee survey also finds 49% of respondents plans to prioritize technology to combat new threats, versus 29% that said they would prioritize people and 21% that intend to prioritize processes. A full 64% said they have purchased additional security products in the last 12 months, while 62% said they have invested in employee training. Just over half (53%) said they have invested in developing a security operations center (SOC). Only 17% of organizations plan to invest in more security professionals and just 12% plan to prioritize better human-machine teaming.
Among the arguably most disappointing findings from the survey involves what appears to be a double-standard when it comes to cybersecurity accountability. A full 61% or respondents say their executives expect more lenient security policies for themselves, and this double standard results in more breaches 65% of the time. More than half of IT professionals think that senior and C-level executives should lose their jobs if a data breach is serious enough, while a quarter think that they should absolutely lose their jobs after any breach.
Worley noted the report makes it clear that most organizations are still wrestling to varying degrees with cybersecurity 101. The challenge going forward figuring out how to enable more organizations to graduate faster without necessarily having to attend the cybersecurity school of hard knocks.
