Just because you're paranoid doesn't mean hackers won't nuke your employer into the ground tomorrow
Black Hat survey on infosec's darkest fears
The number one thing worrying infosec bods right now is… yup, you guessed it, a giant targeted attack that KOs their employers' systems.
This fear was seconded – though not closely – by the threat posed by the people with whom they make small talk at the water cooler: their org's very own blabby, policy-swerving, "oh-I'll-just-email-it-to-my-Yahoo!-address-update-it-on-my-phone-over-public-Wi-Fi.. oh-never-mind-I'll-use-this-USB-stick-I-found-on-the-floor" staffers. (Oh snap, they've just clicked on the malware-laden "fake PDF invoice" email – even though they're not in accounts. Great.)
So reckon the people behind the Black Hat cybersecurity knees-up, who polled 130 European infosec folk to find out what keeps them awake at night.
The survey's finding – that a targeted, sophisticated attack aimed directly at their particular organisation is the thing turning bright-eyed young cyber-defenders into grey-haired worriers – will surprise few, though worries corporate networks are not locked down tightly enough to user-proof them have risen markedly since last year.
Just over half (52 per cent) of respondents were worried about the cyber-attack-of-doom scenario, while a quarter stressed over "accidental data leaks by end users who fail to follow security policy". The latter was up from 17 per cent last year.
Intriguingly, not many infosec bods think the EU's General Data Protection Regulation will do much to improve online privacy. 42 per cent reckoned it would help "somewhat", as opposed to the quarter who thought it would "substantially improve" privacy. Nearly a third (30 per cent) thought it would either help a little or wouldn't make much of a difference. Black Hat opined this shows "growing scepticism among European security professionals with regard to the ability to protect user privacy".
More than two-thirds (70 per cent) of insfoseccers surveyed said they'd devoted some corporate resources to GDPR compliance, suggesting that the harsh legal penalties for non-compliance have focused minds across the sector. Despite that, just a third thought their employers' compliance was good.
Another question, asked for the first time this year, was whether infosec bods are worried about mission-critical cloud services being compromised. Just 16 per cent thought that was one of their top three worries, suggesting that – for now – public cloud vendors' security posturing is enough to reassure the masses.
Just 2 per cent gave a monkey's about "cryptocurrency mining and its potential impact on my enterprise network", which, while probably a sensible position to take, doesn't fully reflect what might be going on in hidden corners of the enterprise network.
And if all that leaves you feeling generally OK about infosec, two-thirds of respondents believed that a "major attack on critical infrastructure spanning multiple European countries" will take place in the next couple of years.
Stay paranoid, yo. ®
Sponsored: Becoming a Pragmatic Security Leader