
12/7/2008
12:44 PM
Report: IT, Security Departments Not Seeing Eye To Eye On Threats To The Business

While 92 percent of security professionals in new Ponemon-Lumension study say their organization suffered a cyberattack, only 55 percent of IT staffers said the same

A new report underscores a major disconnect between IT and security groups when it comes to what most threatens their organizations.

The Ponemon Institute's 2008 Security Mega Trends Survey, which was commissioned by Lumension, reveals just how far apart IT departments and security groups are when it comes to what they perceive as the biggest threats to their data today and in the next 12 to 24 months. While outsourcing risks are at the top of IT managers' worries, data breaches and cybercrime are the biggest worries for security.

More specifically, half of the IT managers said that outsourcing was a high or very high security risk to their organizations today and in the next one to two years; 44 percent also pointed to data breaches as a comparable risk today, while 40 percent expect them to be so in the next one to two years. Security professionals, meanwhile, ranked data breaches and cybercrime higher: Sixty-six percent consider data breaches high or very high risks today, while 65 percent rank them as such for the next year to two years. In addition, 65 percent say cybercrime is a high or very high risk to their organizations today, while 77 percent say it will be in the next 12 to 24 months. That's in contrast to the IT side, where 47 percent consider it a high risk today, and 49 percent expect that it will be in the next year to two years.

"We see a big disconnect between IT and security in their thoughts about data breaches and how risky that is to a business," says Pat Clawson, CEO of Lumension.

But the most disturbing disconnect was in actual breaches. While 92 percent of security professionals say their organizations had suffered a cyberattack, only 55 percent of IT staffers said the same, while 32 percent said they were uncertain. "That just floored me," Clawson says. "That shows the silos" that still exist, he says.

The two groups were far apart on Web 2.0 threats as well, with only 34 percent of IT saying the use of Web 2.0 will result in the loss of business information (including trade secrets), while 64 percent of IT security said it will. "That's a big delta -- IT is not 'getting' the risk," Clawson says.

Mobile devices are one area where both sides are on the same page, however, with nearly half of each group ranking them as a high or very high risk to the business. "We also think that mobility is dramatically contributing to data loss ... mobility and mobile devices were the only area where IT and security got close" in their perceptions, Clawson says.

"The key for both IT operations and IT security is to find the common ground necessary to better wage this security battle together," says Larry Ponemon, chairman and founder of the Ponemon Institute.

Interestingly, neither IT nor security departments rate virtualization as a high risk. But about half of each group said the biggest danger with virtualization is not being able to identify and authenticate users to multiple systems "and third parties' access to private files without authorization," according to the report.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...