Employees are still the biggest IT threat

Well-funded hackers with sophisticated tools made headlines and worried organizational leadership throughout 2014, yet the primary reason endpoint security risk has become more difficult to manage in the past 24 months is negligent or careless employees who do not follow security policies, according to the Ponemon Institute.

Seventy-one percent of responding IT professionals said managing endpoint risk has become more difficult in the past 24 months. Of those, 78 percent consider negligent or careless employees who do not follow security policies the biggest threat, followed by 68 percent who cite the significant increase in the number of personal devices connected to the network and 66 percent who point to the use of commercial cloud applications in the workplace.

According to respondents, 28 percent of attacks on an organization’s endpoint cannot realistically be stopped with the enabling technologies, processes and expertise they currently have in-house, and 70 percent agree their organizations’ endpoint security policies are difficult to enforce, due largely to a lack of governance and control processes.

In addition to user-centric behavior, IT also faces attacks on the endpoint that are growing in severity. Web-borne malware attacks are the most frequent in an organization, say 80 percent, followed by APTs (65 percent) and rootkits (65 percent). The biggest increases over last year’s report are in zero-day attacks, APTs and spear phishing. The applications causing the biggest headache for IT this year are Adobe, say 62 percent, followed by Oracle Java (54 percent) and third-party, cloud-based productivity apps (46 percent).

“IT continues to battle malware at the endpoint and 69% of our respondents say it increased in severity last year,” said Dr. Larry Ponemon, Chairman, Ponemon Institute. “While it is positive news that companies are making the security of endpoints a higher priority, to win the war they need to recognize the criticality of minimizing employee negligence and investing in technologies that improve the ability to detect malicious attacks.”

Ninety-five percent of responding IT professionals anticipate a move to a more “detect and respond” orientation in 2015, beyond the more traditional prevention-focused approach. Seventy percent of respondents say their organizations are using or plan to use big data to enhance their security. Sixty-four percent say they have added or plan to add a threat intelligence component to their security stack.

In recognition of growing risk, 68 percent say their endpoint security is becoming a more important part of their organization’s overall IT security strategy. In 2015, IT security budgets will increase for 45 percent, a figure similar to the share that reported an increase for 2014.