A little over a year ago Tripwire conducted a study that showed energy sector IT professionals were overconfident in their ability to detect breach.  Unfortunately, this overconfidence persists.

This year’s Tripwire study showed that 72% of energy IT pros believe they could detect configuration changes to endpoint devices on their organization’s network within the hour.  The problem is that over half of these professionals, exactly 52%, said their automated tools did not pick up all the necessary information needed to quickly identify unauthorized configuration changes to endpoint devices that can indicate an attack in progress.

As an IT security professional who is in charge of ensuring an organization’s data and operations are protected from threats and disruption, confidence in detecting an attack quickly when the tools that are being used show otherwise is not only harmful to the success of business, but it is also extremely dangerous to those that the business serves.  In this case, the energy sector provides a service that if interrupted could shut down an entire city.

Another finding in the study related to this type of dangerous confidence is that 84% of energy IT pros believe they would receive alerts within hours if their vulnerability scanning systems detected unauthorized devices.  However, 52% of these same professionals are unsure how long this process actually takes.

Not only is overconfidence in detection of breach a problem because it doesn’t push a change in behavior by these security professionals, but these security decision makers are also assuming they’re doing the right things to secure their environment.  By believing they’re doing everything they should, this makes it that much harder for organizations to actually realize they need to get additional help to ensure a true state of security for their enterprise.

Additional findings by Tripwire’s study worth noting include:

  • 73% of energy IT pros believe they could detect unauthorized software added to the organization’s network within hours, but only 59% know exactly how long the detection process would actually take.
  • 44% of energy security decision makers find that less than 80% of patches succeed in a typical patch cycle.
  • 40% of these energy professionals do not know how long it takes to generate an alert if a system fails to log properly, but 95% assume a report will be generated within hours.

When you read behind the lines of the study’s findings you’ll find the hidden message, a message that the security industry has been voicing for years, but that keeps getting ignored: Security is not only technology; it involves people, process and technology.

It is very clear that part of the reason for IT security professionals’ overconfidence comes from the fact that they’ve adopted technologies that are supposed to make their job easier by keeping an eye on the overall enterprise, and although adopting them has its benefits, not testing them and not really knowing to what extent they are protecting the business is a problem.

If energy IT pros are assuming the time it will take their security technology to alert them of intrusion is not accurate, it is obvious that testing isn’t taking place. Another problem would also be that it seems there is a lack of awareness of the in-depth and complex nature of an attack if IT pros are solely relying on technology to identify threats.  What’s even more frightening is that this pattern extends to IT pros in other industries such as healthcare and in different types of businesses too, large and small.

Change always faces resistance, but as cyber threats continue to grow and technology solutions continue to prove incomplete, it is time for IT pros and business executives to adapt.  Adapting means using security technology solutions, but also including information security in the business process and getting the right people, security experts, to support the IT team.

If you’re unsure of where your business stands with information security give us a call.  We’re here to help businesses adapt to changing times by integrating security in a holistic way, through people, process and technology.

 

Schedule your free consultation and make sure you’re on the right track!

 

Photo courtesy of Tashatuvango