Osterman Research recently conducted an in-depth, international survey of security-focused decision makers and influencers in large organizations. Our goal was to understand the seriousness of various security issues and what organizations are doing to address them. We conducted the survey in North America, Latin America, Europe and several countries in the Asia-Pacific region across a number of industries. A total of 205 surveys were conducted.
There were some surprises discovered in the research – what we consider to be “disconnects”, or issues that are causing serious problems within enterprises that decision makers are not doing enough to address.
Disconnect #1: Malicious Bots
Malicious bots are a serious problem, but few have deployed the right tools to deal with them. Our research found that slightly more than four in five organizations surveyed (82 percent) reported that they had been the victim of some form of bot-generated attack. For example, 38 percent of organizations reported that distributed denial-of-service (DDoS) bot attacks occur at least weekly, and 62 percent report that they occur monthly. We also found a high frequency of bot attacks focused on things like web scraping, account takeovers and digital fraud, among other forms of attacks.
Despite the high frequency and severity of various bot attacks, only 24 percent of organizations report that they use any kind of dedicated bot management tool. The result is that 34 percent of those surveyed admitted that bot attacks are most likely to make their way through the existing security defenses, and 28 percent admitted that there is a “good chance” that there are many such attacks of which the organization is not aware. This has led to a situation in which 61 percent of respondents told us that they are not confident in dealing with sophisticated bot attacks.
Disconnect #2: Misunderstandings About Security Responsibilities
Misunderstandings lead to data breaches. The vast majority of organizations have migrated, or are in the process of migrating, their applications and data stores to the cloud. While the process of doing so continues apace, decision makers’ understanding about many of the nuances of doing so has lagged.
For example, many customers do not understand the “shared responsibility model” inherent in virtually all cloud services. While many decision makers believe that once they migrate applications and data to the cloud the provider is now responsible for things like security of the data and backing up the data to ensure its availability, that’s not really the case. While cloud providers perform these activities insofar as they need to in order to ensure the proper operation of their services, the primary responsibility for activities like security and backup still rest with the customer.
Disconnect #3: Influence vs. Budget
Security influence and budget responsibility are mismatched. The survey found that while IT has the greatest influence on application development environment security in 37 percent of organizations, the information security function is a close second, with 31 percent of organizations giving the information security team the greatest influence on application development security.
However, the information security function seldom owns the application security budget – only 11 percent of organizations let their information security team take primarily responsibility for the application development budget. Instead, IT and business owners are the most likely to own the budget – in 78 percent of organizations, it’s one of these two groups that owns the security budget, despite the fact that in only 51 percent of organizations these groups combined exert the greatest influence on application security.
Here are three takeaways to consider from these disconnects:
- Deploy dedicated bot management tools that will deal with the problems posed by sophisticated bad bots. While web application firewalls, for example, can help, dedicated capabilities focused specifically on the behavior of malicious bots are essential.
- Ensure that your IT and security teams fully understand the shared responsibility model and who is supposed to do what. A failure to fully understand the roles of customers vs. public cloud providers puts organizations at greater risk of data loss.
- If it makes sense to put the information security team in charge of application development environment security, it probably makes sense to put them in charge of the application security budget, as well.