The majority of threat actors attacking organisations are cyber-criminals. That's the surprising view of hundreds of cyber-security professionals who completed a landmark survey for ISACA and RSA Conference.
Respondents were drawn from around the world, with 32 percent from North America, 36 percent from Europe and Africa and 20 percent from Asia. Some 80 percent of respondents were members of ISACA.
The findings were presented at an RSA Conference session this morning (Wednesday) by Rob Stroud, vice president, strategy and innovation, CA Technologies and international president, ISACA, and Fahmida Rashid, editor-in-chief, RSA Conference.
Survey respondents were asked which threat actors were exploiting their organisation in 2014. Out of 636 respondents, 290 said cyber-criminals were attacking them, followed closely by 259 who said they were harmed by non-malicious insiders and 255 who said they were being targeted by hackers (note: respondents could tick more than one box for this question).
Stroud told SCMagazineUK.com that he was surprised that cyber-criminals were seen as the number one threat. “It's something we hear about and read about but in the last year we have really started to see a focus or concentration of criminals using cyber as a vehicle to attack organisations and individuals,” he said.
He believes that those who are now using cyber as an attack vector would previously have targeted organisations through other means.
Survey respondents identified phishing and malware as the most popular initial means of attack on organisations, an indication that the industry still needs to work on some of the fundamentals of security.
The motivation for attacks is believed to be financial gain. Out of 741 people who answered this question, 33 percent said financial gain was the motivation for attacks, followed by disruption of service (24 percent) and intellectual property theft (19 percent).
More than 90 percent of respondents said that their organisation had experienced a loss of one or more mobile devices in 2014.
A big issue identified in the survey was the lack of trust in the capabilities of the cyber-security teams. Nearly 13 percent of respondents said they were not comfortable with their team's ability to detect and respond to incidents, while a further 41 percent replied they had confidence in them but only to deal with simple issues.
“What's happening with increased attacks and increased reporting, organisations aren't exactly losing trust but questioning the security posture and investment,” Stroud told SC.
“That's both a good thing and a bad thing. A good security professional will use this as an opportunity to up their investment,” he said. “So I actually see this as an opportunity – if your organisation is asking questions, it's an opportunity to realign, reinvest and refocus.”
Recruitment of staff was another key problem identified by the survey, with 43 percent out of 926 respondents reporting it takes three to six months to fill a security position and 10 percent saying they cannot fill one or more positions.
“Fundamentally it's a skills gap. Organisations want to employ qualified, skilled candidates and the skills that these people have is a combination of incident response, business continuity, forensics as well as traditional security skills,” he said.
Despite good salaries and good career prospects in cyber-security, the shortage of staff won't be solved overnight because of the time it takes to gain those qualifications, he said.