Forcepoint™ Study Finds Organizations Must Balance Cybersecurity Tech Investments With Understanding Human Behaviors & Intent
Respondents reveal that organizations grapple with understanding the impact of people’s motivations and intent
India – February 27, 2017 – Global cyber security leader Forcepoint™ today released results from a new study – “The Human Point: An Intersection of Behaviours, Intent & Data.” The study was compiled through the input of more than 1,250 cyber security professionals worldwide.
The study shows that while cyber security professionals are dissatisfied with technology investments – and a combination of data sprawl and eroding network boundaries makes security more difficult – there are opportunities to improve security postures and results. Rather than focusing solely on security from a technology perspective, the survey’s results reveal potential upside associated with understanding users’ behaviours and intent as they interact with critical business data, such as intellectual property.
“For years, the cyber security industry has focused primarily on securing technology infrastructure. The challenge with this approach, however, is that infrastructure is ever-changing,” said Matthew P. Moynahan, chief executive officer at Forcepoint. “By understanding how, where and why people touch data, businesses will be able to focus their investments and more effectively prioritise cybersecurity initiatives.”
“Technology has always evolved with human connect and it has transformed business like never before. For years, enterprises have focused on investing primarily in securing network infrastructure and technology. The challenge with this approach, however, is that today’s infrastructures are ever-changing in composition, access and ownership. Therefore, the need of the hour requires a shift in outlook, i.e. focusing on detection rather than prevention. In order to detect, an understanding of human behaviour is crucial. For us to be in the forefront, industry needs to understand how, where and why people touch confidential data and IP which will enable businesses to focus their investments in the right kind of cybersecurity initiatives,” said Surendra Singh, Country Director, Forcepoint.
Key findings presented in the report include:
Data Sprawl and Eroding “Network” Boundaries: Corporate networks are no longer tightly controlled entities with clear boundaries. The definition of a corporate network must be reconsidered given the expansive nature of applications, systems and infrastructure connected to critical business data. For example, respondents reported a variety of systems with limited corporate control are used in the context of critical business data, such as private cloud services (49 percent), BYOD laptops or other devices (28 percent), removable media (25 percent) and public cloud services (21 percent).
In addition, the growing use of BYOD and corporate policies allowing social media usage is creating concern. In fact, nearly half of respondents (46 percent) are very or extremely concerned about the co-mingling of personal and business applications on devices such as smartphones.
Losing Visibility of Critical Business Data: Data sprawl is making it more difficult for cyber security professionals to maintain visibility into how employees use critical business data across company-owned and employee-owned devices, company-approved services (e.g., Microsoft Exchange) and employee services (e.g., Google Drive, Gmail). Only seven percent have extremely good visibility; 58 percent say they have only moderate or slight visibility.
Vulnerabilities at the Intersection of People & Content: There are many points where people interact with critical business data and content, ranging from email to social media to third-party cloud applications and more. Email, by far, was gauged to present the greatest threat. In fact, 45 percent of the respondents named this as the top risk. Mobile devices and cloud storage were also deemed significant areas of concern.
Respondents were also asked to assess vulnerabilities associated with actions of people, ranging from inadvertent behaviours to criminal intent. Overall, malware caused by phishing, breaches and BYOD contamination, for example, along with inadvertent user behaviours were seen as the number one risk by respondents; each was named to the top spot by 30%.
Technology to Strengthen Cyber: Those surveyed do not hold high hopes that more cyber security tools will improve security; only 13 percent strongly agreed these investments would improve security, while 48 percent only slightly or moderately agreed. This could be, in part, due to the low levels of satisfaction with existing tools. Only four percent were extremely satisfied with cybersecurity investments to date.
A Focus on Cyber Behaviors and Intent: As cyber security professionals look to get a better handle on the risks that might be posed to critical business data, the questions of behaviours and intent are rising priorities. Overall, Forcepoint’s study shows that while there is agreement that understanding behaviours and intent is vital to cybersecurity, most companies are unable to effectively do so.
An overwhelming majority of respondents – 80 percent – believe it’s very or extremely important to understand the behaviours of people as they interact with IP and other data. Further, 78 percent believe that understanding intent is very or extremely important. However, only 31 percent said their companies are very or extremely effective at understanding behaviours; only 28 percent responded similarly in the context of understanding user intent.
However, there appears to be agreement on an approach that could serve to bolster security: focusing on the point at which people interact with critical data to better understand behaviours and intent. In fact, 72 percent of respondents – the vast majority – strongly agree or agree that doing so will help prove results and costs associated with cybersecurity investments.