Most IT professionals wouldn't bet on security of own networks: report

Summary: If even most IT security professionals wouldn't count on the safety of their own corporate networks, how are the rest of us supposed to feel about that?

TOPICS: Security, Networking

Most IT security professionals wouldn't bet their own money on the security of their corporate networks, according to a new report published by authentication solutions provider PhoneFactor.

For reference, PhoneFactor's researchers surveyed over 300 IT professionals in the United States in February about the security of their corporate networks.

When asked to wager one of five amounts ($0, $1000, $5000, $50,000, or $1,000,000) that their network would not be compromised in the next 12 months, 57.7 percent of the respondents refused to take the bet, going instead with just $0.

Sarah Fender, vice president of marketing and product management at PhoneFactor, explained in the report, "It’s easy for a person to say that their network is secure, but when we asked them to make a bet using their own money, they simply would not do so unless additional protections were put into place."

Even worse, the study found that 70.3 percent of respondents were only somewhat confident or not at all confident that an unauthorized person could not gain access to their networks.

So, if IT security professionals are this skeptical about the security of corporate networks, how much trust can the rest of us reasonably place when accessing these networks -- whether it be with personal or work devices?

Unfortunately, the reality is likely that most employees won't notice (or even care) one way or another -- leaving so much personal and corporate data at risk at a time when many experts from the likes of Cisco, McAfee and Verizon are constantly reminding us that targeted attacks on networks and mobile devices are increasing rapidly.


  • There might be things you shouldn't bet on

    If you bet on it you can also bet on when you will be attacked. Ok, you might say that you won't conquer the market if you don't have self-confidence, are a bit cocky and take some risks. But if the risk is you getting attacked and you are responsible for your company's or customers' security and data I would step back a bit from betting. If you win you will conquer but if you lose you will lose confidence.

    But, of course, there is a problem if environments lack in security. As a user it's not good for self-confidence and productivity to even think you might have a security breach... Hopefully it's just awareness stopping you from betting and not the fact your environment lacks in security, then there is a big problem...at least arising.

    Chicken? Nope, just aware.

    @maxbuchler, a user and I feel quite secure (ooops...I didn't say that. And it's definitely not a bet)
  • not a big surprise

    More companies are worried about 2 things.
    1-bottom line

    They will do what they need to do to be compliant, but not spend the money needed to truly make themselves as secure as they can be, either from a $$ perspective or from a business interruption perspective. How many IT security people see business leaders run to the CFO when security policies and practices cause them even the slightest disruption of their day?
    • Maybe being secure should be a compliance issue

      Perhaps we need to make it costly to be insecure.

      I am sure there would be no issue with costs if, say, banks lost their banking license if their systems were proven to be insecure. Hospitals lost the right to treat patients if patients' records are not kept on a secure system.
  • I don't know that I would bet on it, either

    And it has nothing to do with how secure my network is. I believe I have a very secure network, but there are some weak links in the chain of compromising the network. All it takes is one gullible user to give his userid/password to a socially engineered phishing email or phone call and the network is technically "compromised", goodbye $1000. There's also the general assumption that once you make the "bet", someone will be actively trying to compromise your network (in order to "win" the "bet"), which takes the whole issue of obscurity out of the equation.
  • depends on how you define "network"

    A network is the interconnection of hosts... routers and wires provide that interconnection.

    I would be reasonably safe betting that would be safe.

    The hosts on the net? no bets - especially if there are any windows systems there.
    • Guess you will have to look for another job...

      ...since every network has hosts and nearly every network these days is a mixed environment of some kind that will surely include Windows. So if you aren't willing to take responsibility for the whole thing you are doomed to failure...and in the wrong line of work. You have to take the world as you find it, not as you wish it was.
      • doomed to failure...

        Sure I am - as long as insecure, outdated, badly written apps and services are forced on me to support: how am I going to secure an app listening on dozens of random (RANDOM!) high ports? Or servers that insist on using telnet or ftp? There is no defense for that.
  • Or perhaps they realize nothing is truly secure.

    Why would they bet on something they know can never be 100% secure? My company takes security very seriously. However it's a very large company and the sheer size of the network makes it impossible to guarantee 100% security. That's not lack of confidence. That's an acceptance of reality.
  • It isn't the network. It is the users whom you need to keep in check.

    Two highest vectors of infection:
    o Drive-by attack
    o USB pen drives

    I have done the following to lock down users' 'high risk' behavior:

    o Setup a Linux Squid Proxy using an approved B2B 'white-list' only (no black-list maintenance required)
    o Add a GPO to hide the 'connections tab' in IE to block removal of proxy setting
    o Set up a GPO to point all IE Browsers to Squid using the white-list only
    o Give users access to Firefox running on the Linux Proxy in an LSM sandbox for if/when accessing (during breaks, etc) to non-white list sites running over NoMachine NX thin client sessions.
    o Add physical USB locks

    This closes down the most common vectors of infection found in the Enterprise.

    This works quite well.

    Linux. The way it should be.
    Dietrich T. Schmitz *Your
    • RE: It is the users whom you need to keep in check

      "Two highest vectors of infection:
      o Drive-by attack
      o USB pen drives"

      Opening email attachments (e.g., malformed PDF, DOC, XLS and PPT files)?
      Rabid Howler Monkey
      • Actually no issues--using Postini with Exchange

        Dietrich T. Schmitz *Your
  • Ding, Ding, Ding, Ding....

    That's my BS detector going off. The truth of the matter is that if you work in IT you are betting your own money on your security every single day. You may not be handing cash to a bookie, but if your security fails you will be disgraced and or unemployed...effectively meaning you are betting your entire salary and professional future on it. If you think you aren't you are just burying your head in the sand.
  • bet more than money every day

    you are betting your reputation it's not going to look so good on the next job interview ... I was the guy who allowed the security breach that you heard about in the news .... If the company you work for is not on board with security it's your head not theirs .... Their response we fired the person responsible... your response time to work in another field
  • Politics

    Politics is too polite a word for it but that's what it is. Even when thousands of lives are at stake in a war, leaders will try to appease constituents and make decisions to save their own butts or further their careers. I found a HUGE hole when I consulted for Honeywell (and I mean hole as in nothing was there to stop anyone) and even after I proved they were being hacked, they said "we don't have it in the budget"; probably because no data was being stolen or deposited or worse, changed. Only when I pointed out that if they waited for something serious to happen and what that might entail did they begin to listen. I said once the news got onto the hackers' websites that Honeywell was not a honey pot but pure honey, did they take it up the ladder and let upper managers find the money.