In a recent survey of IT professionals, the top three security threats cited were Anonymous, cyber-criminals, and nation-states -- particularly China. Competitors and insiders were down the list.
Bit9 surveyed 1,861 US and European IT professionals, including security specialists, in March and April. Here are the numbers for North America and Europe for the threats of most concern to IT there. Europe worries significantly less about attacks by nation-states. I can't help but wonder whether this is because the worldwide attacks being mounted by China, Russia, and others simply have not been noticed or publicized to the same extent outside of the US. Correspondingly, Europe is more concerned about challenges from insiders and from competitors.
71 percent of IT staffers at companies with more than 500 employees believe their company will be targeted in a cyber attack within the next 6 months. For all companies the number is 61 percent. When broken down by industry, government IT is far and away the most concerned with being targeted, and their strongest concern is attacks from nation-states. (They may have read recent news accounts of the view of one particular government cyber-security Cassandra, who believes that essentially every large company in the US has already been penetrated; it's just that most of them have not discovered that fact yet, and may never do so.)
When asked about the relative importance of vulnerability in particular classes of machines in the environment, the largest share of respondents (54 percent) expressed concern about infrastructure servers and the core data they contain. But levels of concern were only slightly lower (in the range of 45 percent) for file servers / databases, Web / app servers, Exchange / email servers, and end-user laptops / desktops.
The IT professionals who responded to this survey are not very confident about the efficacy of the cyber security measures they have in place. They expressed the most confidence, 40 percent, for infrastructure servers, and the least, 26 percent, for end-user laptops / desktops. In other words, a majority of IT, 60 percent, believes their server defenses are not up to snuff, and a sobering 74 percent believes this for end-user computers.
IT and security professionals surveyed believe that the implementation of best practices and better security policies will have the biggest impact on improving cyber security. They have little confidence that government efforts in this area will make any real difference. There's little evidence of a belief that technology will improve and save the day.
Does this survey accord with the ground truth where you are? Are you in fact worried that your cyber defenses will prove insufficient to deter well-resourced, persistent, patient attackers? Do you suspect or know that you have already been breached? Please let us know in the comments.