The key challenges and contradictions that frustrate security professionals

The role of employees, the needs of the supply chain, and a reliance on antivirus products are three Catch-22s for security pros, according to a study from Glasswall Solutions.

Security professionals face various trials and tribulations in their efforts to protect and defend their organizations. But amidst the normal, everyday challenges are larger issues that are seemingly contradictory in nature. Relying on employees as a defense against cyberattacks yet being concerned about their risky actions. Opening yet limiting your network to suppliers. Allowing yet controlling specific files and data. These are just some of the issues highlighted in survey results released on Wednesday by Glasswall Solutions.

SEE: Essential reading for IT leaders: 10 books on cybersecurity (free PDF) (TechRepublic)

Among the 150 security leaders in the US and UK surveyed by Glasswall in February 2019, 40% said they're completely reliant on employees as the last line of defense against a cyberattack. Some 45% said they're mostly reliant on employees for this role. Yet more than 42% of the respondents said they believe that employees themselves are susceptible to phishing attacks and engage in risky behavior. Among those, many said they do provide employees with security training, reading material, and even anti-phishing software. Yet there remains a high level of concern, with respondents citing such employee behavior as leaving devices unlocked when away from the desk, poor password protection habits, and using unsecured personal devices for work.

Most of those surveyed said they see their network perimeters as vulnerable, yet acknowledge that their partners and suppliers can cause trouble by stepping around perimeter defenses. The risk involved in such supply chain interactions was a greater concern for respondents than were employees visiting dangerous websites or using removable devices to access the network. The threats from third-party access include data leaks, password sharing, and the ongoing exchange of documents through the supply chain.

Email, which is a critical asset for any business, was another top concern for respondents, who cited the risks of file attachments and links to malicious websites. Those surveyed pointed to the pervasiveness of phishing attacks in email, the inability of technology to block all threats, the knowledge that most malware is spread through email, and sheer human error. The top file attachment format for hosting malware was Microsoft Word's legacy DOC format, much higher than documents using the XML DOCX format.

"There seems to be a common problem that employees just open attachments without thinking a second time," said one respondent in the report. "In addition, the email cyber attacks are becoming increasingly more sophisticated and like a genuine email."

Many of the respondents pointed to the network perimeter as their most vulnerable spot, reporting that partners and suppliers create risks when they venture beyond that barrier. Specifically, security leaders pointed to three types of cyberattacks that most concern them: hackers spying within their IT infrastructure, systems failing or loss of network connectivity, and ransomware. As a result, 82% of those surveyed cited their network perimeter as the area where they most need to continue to invest in security.

Antivirus products were seen as a necessity, but an inadequate solution. Only 9% of respondents said they were completely confident in their antivirus solutions, yet 96% said they continue to invest in these products as a basic form of protection, albeit one that doesn't offer much help against today's sophisticated and advanced threats.

"The entire security industry is used to buying products that find problems. Not products that solve problems," said one respondent in the study. "Since 2005, over 10.5 trillion records have been breached worldwide. Yet we continue to invest in the 1000s of security technologies that keep allowing these breaches. It's very rare, almost non-existent, to find a technology that actually eliminates a risk."

A full 75% of respondents in both the US and UK said they impose some type of control on files that enter their organization. They block or disable risky file features like macros and executable files, and scan or filter files in general. A majority also said they're aware of the protections used by their supply chain partners. Yet malware attacks still get through.
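The file controls described above (blocking executables and macro-bearing documents, filtering files by type) are usually implemented as a content-based check on inbound attachments rather than a check on the filename extension. The following is an added example of such a check, written for this article and not code from Glasswall or any of the surveyed organizations. It assumes the caller hands it the raw bytes of an attachment; the magic-byte signatures are the standard ones for OLE2, ZIP/OOXML and PE files, while the policy outcomes and the sample documents are constructed for illustration.

```python
"""Content-based attachment policy check (added example, not vendor code).

Classifies a file by its leading bytes and container contents rather than
its declared extension, then applies a constructed policy: block Windows
executables and macro-enabled Office documents, quarantine legacy binary
Office formats (the format the survey found hosting the most malware) for
scanning, and allow plain OOXML documents.
"""
import io
import zipfile

# Standard file signatures (these values are well known, not page-specific).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy binary Office: DOC/XLS/PPT
ZIP_MAGIC = b"PK\x03\x04"                          # ZIP container, used by DOCX/XLSX/PPTX
PE_MAGIC = b"MZ"                                   # Windows PE executable


def classify(data: bytes) -> str:
    """Return a content-derived type label for the first bytes of a file."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-legacy-office"
    if data.startswith(PE_MAGIC):
        return "pe-executable"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if "[Content_Types].xml" in names:
            # An OOXML package; a vbaProject.bin part means it carries VBA macros.
            if any(name.endswith("vbaProject.bin") for name in names):
                return "ooxml-with-macros"
            return "ooxml"
        return "zip-archive"
    return "unknown"


def policy_decision(filename: str, data: bytes) -> str:
    """Constructed policy: 'allow', 'quarantine' or 'block' for one attachment."""
    kind = classify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

    if kind == "pe-executable":
        return "block"                      # executables are blocked outright
    if kind == "ooxml-with-macros":
        return "block"                      # macro-bearing documents are blocked
    if kind == "ole2-legacy-office":
        return "quarantine"                 # legacy DOC/XLS held for deeper scanning
    if kind == "ooxml":
        # A .doc extension on an OOXML body (or vice versa) is a mismatch worth a look.
        return "allow" if ext in {"docx", "xlsx", "pptx"} else "quarantine"
    if kind in {"zip-corrupt", "unknown"}:
        return "quarantine"                 # cannot be classified: do not deliver
    return "quarantine"                     # plain archives: scan before delivery


def build_ooxml(with_macros: bool) -> bytes:
    """Build a minimal constructed OOXML package for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Real macro packages carry a compiled VBA project here; the
            # contents are irrelevant to the check, only the part name matters.
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "invoice.doc": OLE2_MAGIC + b"\x00" * 64,        # constructed legacy DOC header
        "report.docx": build_ooxml(with_macros=False),
        "quarterly.docm": build_ooxml(with_macros=True),
        "update.docx": PE_MAGIC + b"\x90\x00" + b"\x00" * 32,  # PE bytes with a .docx name
    }
    for name, body in samples.items():
        print(f"{name:16} {classify(body):20} -> {policy_decision(name, body)}")
```

The check deliberately looks at the first bytes and the package's part names, so renaming an executable to `.docx` or saving a macro-enabled document with a `.docx` extension does not change the outcome; a production filter would also unpack nested archives and pass quarantined items to a scanner.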

"The challenge of securing the network continues to frustrate and confound security leaders who are struggling to find the balance between risk and cost, minor disruption and catastrophe, and keeping pace with the demands of business while keeping their organizations safe," Glasswall said in its report. "While old practices die hard, it's time to take a tough, cross-organizational look at processes, habits, and dated technologies that may keep near-term business churning, but that are elevating risk and the potential for longer-term pain."

Image: iStockphoto/Arjuna Kodisinghe

By Lance Whitney

Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books, one on Windows and another on LinkedIn.