In a finding that comes as a surprise, the majority of threat actors attacking organisations are cyber criminals. This is the view of hundreds of cybersecurity professionals and experts who completed a wide-ranging survey for ISACA (Information Systems Audit and Control Association) and RSA Conference.

This view was shared by respondents from around the world, with 32 percent from North America, 36 percent from Europe and Africa and 20 percent from Asia. Nearly 80 percent of the respondents were members of the ISACA.

Rob Stroud, International President, ISACA told SCMagazine that he was surprised that cyber criminals were seen as the number one threat. “It’s something we hear about and read about but in the last year we have really started to see a focus or concentration of criminals using cyber as a vehicle to attack organisations and individuals,” he said.

He adds that those who are now using cyber means as an attack outlet would have previously targeted organisations through other means.

The numbers, highlights and concerns

Survey respondents were asked which treat actors were exploiting their organisation specifically in the year 2014.

Out of the 636 respondents, 290 said cyber-criminals were attacking them.

This was followed closely by 259 who said they were harmed by non-malicious insiders.

Survey participants also identified phishing and malware as the most popular initial means of attack and infiltration in an organisation, which gives a clear indication that the industry still has to work on the fundamentals of basic security.

The chief motivation for attacks is believed to be financial gain.

Out of 741 people who answered this question, 33 percent said financial gain was the motivation.

Disruption of service leading to chaos etc came second (24 percent) followed by intellectual property theft (19 percent)

More than 90 percent of the respondents also added that their organisation had experienced a loss of at-least one or more mobile devices in 2014.

A big issue and concern identified in the survey was the lack of trust in the capabilities of the cyber-security teams. Nearly 13 percent of the respondents said they weren’t confident in their cyber-security team’s ability to detect and respond to incidents. A further 41 percent replied they only had confidence in their teams to deal with simple issues.

“What’s happening with increased attacks and increased reporting, organisations aren’t exactly losing trust but questioning the security posture and investment,” Stroud said. “That’s both a good thing and a bad thing. A good security professional will use this as an opportunity to up their investment,” he said. “So I actually see this as an opportunity – if your organisation is asking questions, it’s an opportunity to realign, reinvest and refocus.”

Recruitment of staff was identified as another key problem in the survey. 43 percent of the 926 respondents said it takes three to six months to fill a security position. A further 10 percent said they cannot fill one or more positions.

“Fundamentally it’s a skills gap. Organisations want to employ qualified, skilled candidates and the skills that these people have is a combination of incident response, business continuity, forensics as well as traditional security skills,” Stroud deduced. He also added that despite good salaries and career prospects in the ever-important field of cyber-security, the shortage of staff won’t have an overnight fix because it takes time to gain those qualifications.

Better security professionals who are competent at their jobs means a safer internet and networking, both mobile and otherwise – for all of us.