Data security is becoming a higher priority in board meetings at corporations, but IT teams are feeling the stress of implementing new security technology in addition to its various other tasks, a new Trustwave study says.
The recent high-profile data breaches and sophistication of ongoing cyberattacks has created a stronger awareness in companies that they cannot handle security with only the resources on hand, says Leo Cole, general manager of security solutions at Trustwave.
"The really scary thing that we are seeing is a great many companies, at 85%, say they need to double their IT staff to be effective, and we know that isn't going to happen," Cole says.
The IT industry already has a zero unemployment rate for people who possess the skills needed to combat modern cyberattacks, making it impossible to realistically expect IT security teams could be doubled at most companies, Cole says. "Those skills don't exist," he adds.
Trustwave, a Chicago-based security services provider, commissioned a third-party research firm to survey more than 800 full-time IT professionals throughout the U.S., Canada and Europe who are security decision makers within their companies. The survey took place during December 2013 and January 2014 and the results were published in the company's first security pressures survey report.
Four of five IT professionals say they were pressured in 2013 to roll out IT projects despite security concerns. In addition, 73% of respondents say their organization is safe from security threats, a figure Trustwave categorizes as "businesses putting the blinders on."
One of the key takeaways from the report was that company boards have "a far deeper interest" in security than in the past, Cole says. Fifty percent of respondents said they felt the most pressure about security exerted from the company's top levels or boards.
"In the past, it would be a checkmark for the board asking if the company was secure," Cole says. "Someone says yes, they say OK, and it was on to the next item."
In light of highly publicized holiday-season breaches at Target and other retailers, it is now more common for a company board to want a deeper understanding of how the IT team knows the company is secure, he adds.
Trustwave researchers have performed penetration testing on point-of-sale devices, especially mobile point of sale, in the past. Too often, they have found vulnerabilities in those systems that provide access to payment data on hundreds of customer accounts, Cole says.
But health care records are a growing target because they are getting easier to hack at pharmacies in retail stores and other locations, and can provide information for fraudsters to take over other accounts, he adds.
The survey revealed that pressure remains on IT teams to get revenue-producing products, such as an e-commerce site or mobile payment initiative, out to the public as quickly as possible.
"Forever, security has been seen as the thing that slows all of those projects down," Cole says. "Many times, projects go out the door without proper security, but companies are going to start looking at that now."
IT professionals view targeted malware as the top security threat for organizations in the past year, with 62% saying they experienced extra pressure to protect against data breaches after the high-profile attacks.
Respondents felt pressure to incorporate security technology with all of the latest features, though one in three said their company did not have enough resources to do so effectively.
Companies' approach to new security technology will likely change, as they will begin to assure their IT teams can handle integration, Cole says.
While external threats caused more pressure than internal security threats, the IT professionals say employee accidents caused more pressure than intentional employee malfeasance.
Three out of four IT teams surveyed say they manage security in-house, but 83% of respondents say they currently use or will look to use managed security services in the future.