The Trouble with Average IT Security

When most people think about crime, they generally view it as something unfortunate that happens to somebody else. Not surprisingly, that same attitude appears to be carrying over into the realm of cybersecurity.

A new survey of 200 IT decision makers working in midsized companies, conducted by the research firm Vanson Bourne on behalf of Arctic Wolf Networks, finds that 95 percent of the respondents rated the cyber defenses they have implemented as being above average.

Of course, the level of IT security being applied is one of those things that’s in the eye of the beholder. Even though virtually all of the respondents rated their organizations as being above average, a full 72 percent conceded that their jobs were so diverse that it was difficult to pay as much attention to IT security as they should.

Thanks to the rise of ransomware, many mid-market organizations are now discovering that they make for relatively easy targets for cybercriminals. Many of them are somewhat lax when it comes to backing up data. Before many of them realize it, large swaths of data the business can’t do without have been encrypted by ransomware.

The truth of the matter is that what passes for average IT security today simply isn’t up to the task at hand. In addition to ransomware that is getting more lethal and sophisticated with each passing day, zero-day threats are becoming more common. There’s even speculation that the distributed denial of service (DDoS) attack that paralyzed web sites up and down the east coast late last year was just a reconnaissance in force. Cybercriminals will be leveraging the vulnerabilities discovered by that attack to launch more targeted attacks now that they have a better understanding of the defenses employed by a whole host of companies that for the most part have “average security.”

The trouble with average is that it refers to a median that is calculated by dividing the sum of a value by a set number. If there are 200 participants in a survey, only half of them can in fact be above average. All 95 percent are simply not above average. In the case of IT security, average today generally means having deployed a network firewall along with anti-virus software. Whether any of those implementations are up to date or even actually working is an assumption. In fact, half the respondents in the survey (50%) admit that because IT security is so complex they have no idea how to go about improving the security posture of their organizations. Just over half (51%) also report they would like to be able to spend more money on IT security. But truth be told, many of them probably aren’t sure where to apply those additional budget dollars if they had them.

The real issue here is that midmarket companies are increasingly being exposed as the soft underbelly of IT security. Large IT organizations have been shoring up their IT security defenses for years. When they do get compromised it’s usually because someone made a mistake. In contrast, midmarket companies have IT security defenses that are limited at best.

It should be clear by now that what passes for average IT security today in midmarket organizations is simply not good enough. The amount of money to spend on security is only a part of the equation. The real issue is the amount of IT security expertise being applied. Unless midmarket companies find a way to solve that expertise issue soon, it’s now only a matter of time before they become yet another cybercrime statistic.

