IT decision makers in the UK view malware as the main security threat to their organisation, but there is growing concern about phishing and spear phishing. These are two of the findings from a report, ‘Data Security and Risk Management Review’, sponsored by managed service provider Advanced 365 (Advanced).
The report includes a survey which highlights the top ten threats facing organisations. While human actions (malicious or accidental) remain a major vulnerability, malicious software (malware) ranked above them as the number one threat facing organisations.
Meanwhile, phishing and spear phishing appear to be the fastest growing risks, with 65 per cent of the 300 respondents identifying them as threats they think are increasing in severity or frequency.
The worst of the rest
In addition, spamming appeared in fourth place, above distributed denial of service (DDoS) attacks and social engineering, the tactic of manipulating people to give up confidential information such as passwords and bank details. These types of attacks are also becoming more sophisticated, with phishing emails that appear to come from a trusted source becoming more difficult to identify.
Neil Cross, MD, Advanced, commented: “The results of this survey highlight the evolving and changing nature of security threats, and the constant challenges that organisations face in protecting themselves from cyber-criminals. Humans will always be a weak link in the security chain but other types of threat are evidently increasing.”
As a result of these escalating threats, raising awareness and knowledge of security issues among employees is increasingly important. The review considers the so-called ‘security knowledge gap’ between security professionals and other staff, and also the information disparity between security professionals and the criminals they are trying to stop. With threats evolving at such a fast pace, there are concerns that many businesses are playing catch-up with hackers.
When asked what the most important tool is for increasing knowledge and awareness of threats, exactly half of respondents suggested awareness-raising programmes. This was followed by formal training (39 per cent), threat intelligence (36 per cent) and industry/peer information (35 per cent), so it is clear that IT decision makers recognise the need for greater security training and education. Respondents also agreed that training should be carried out at regular intervals.
Cross added: “As threats such as malware and phishing become more targeted and sophisticated, it is reassuring that IT professionals recognise the importance of frequently educating staff and raising awareness of security issues, as well as ensuring that their own skills keep up with those of the cyber-criminals.
“It is equally vital for employees to be aware of what is at stake from a security perspective, both for them and the business, and why ongoing awareness training is necessary to minimise potential vulnerabilities.”