IT security skills inside enterprises have remained dangerously stagnant and have not kept up with the constantly expanding pool of threats being created by hackers, leaving a wide range of companies vulnerable to a host of preventable security vulnerabilities.
That’s one of the key findings from a recent CompTIA study, “The Evolution of Security Skills,” which also argues that IT security departments must change their approaches to potential attacks by taking more proactive stances to properly fight hackers.
What’s happened is that security threats from hackers have expanded way beyond those of simple viruses and malware of the past to take on a much broader set of attacks including phishing, spyware and social media attacks, Seth Robinson, the senior director of CompTIA, told ITPro.
“Companies are generally not aware of the wide range of attacks they face,” based on the survey results, which included responses from 350 U.S.-based businesses in October 2016, said Robinson.
For example, 64 percent of the respondents said that viruses are likely to affect their businesses, 62 percent said spyware likely can affect their companies and another 52 percent agreed that phishing attacks could affect them. In contrast, only 32 percent of respondents said they could be affected by IP spoofing, while only 31 percent said they see threats for their companies from ransomware. Social media engineering attacks raised concerns among only 26 percent of respondents, while DDoS attacks only garnered worries among 24 percent of the respondents. Other kinds of attacks today, including botnets, rootkits, man-in-the-middle attacks and SQL injection threats, only garnered concerns from 22 percent, 21 percent, 20 percent and 18 percent of respondents, respectively, according to the study.
Those attitudes, said Robinson, show that IT security strategies are often behind the times and require new mindsets inside a wide variety of companies so they can better protect their data, corporate IT systems and other assets.
What’s needed is a shift from the defensive security postures of the past to real-time offensive strategies that can see oncoming attacks and take steps to resolve them before they can cause damage, he said. To do that, according to CompTIA, many companies also need to broaden the security skills of their technology professionals while at the same time implementing top-to-bottom security training throughout their organizations.
“It’s moving from having the ability to build a firewall [around IT systems] to having the ability to see the overall landscape and protecting the information as much as you can,” said Robinson. “Along the lines of having different skills, that’s one step which companies can take.”
Becoming aware of the wide range of security threats beyond the old concerns about viruses and malware is a key part of that mindset change, he added.
“In many cases, that is probably a bad assumption” that companies won’t face social media, botnet, rootkit, IP spoofing and other attacks, said Robinson. “SQL injection is pretty common, but most think they need not worry about it,” according to the survey results.
CompTIA, a technology association for the IT industry, published the survey results as part of its continuing efforts to ramp up its activity to encourage IT security administrators, leaders and executives to make needed changes to better protect their companies, said Robinson.
“The numbers have been generally consistent over the last few years,” he said, as attitudes about IT security have continued to languish behind old beliefs. “One surprise I saw was how smaller firms continue to lag behind larger competitors” on security issues, he said. “Smaller firms are not feeling a large pressure to improve their IT security skills, even though they are continuing to come under attack by hackers.
“They probably don’t think they have the resources for that, but the need is definitely there,” said Robinson. “We need to continue to focus on these companies and see what kind of tools we can give them even if they can’t build a world-class program.”