Significant compromises are not just feared, but expected, Black Hat attendees say
These serious concerns are among those registered by respondents to the 2017 Black Hat Attendee Survey, the results of which are being published Wednesday. The survey offers insights on the plans and attitudes of 580 experienced security professionals, including many cybersecurity leaders who work in critical-infrastructure industries.
The survey results come on the heels of federal warnings about a hacking campaign being waged against U.S. energy and nuclear power companies.
Sixty percent of respondents to the Black Hat survey believe that a successful cyberattack on U.S. critical infrastructure will occur in the next two years. Only 26% are confident that U.S. government and defense forces are equipped and trained to respond appropriately.
About two-thirds of respondents think it likely that their own organizations will have to respond to a major security breach in the next 12 months. Sixty-nine percent say they do not have enough staff to meet the threat; 58% feel they do not have adequate budgets.
The heightened concern over near-term attacks appears to have been exacerbated by recent activity by nation-state threat actors and a shortage of confidence in current U.S. cyber policy. Sixty-nine percent of IT security professionals feel that state-sponsored hacking from countries such as Russia and China has made U.S. enterprise data less secure.
Only 26% of information security pros believe that the new White House administration will have a positive impact on cybersecurity policy, regulation, and law enforcement over the next four years.
When it comes to threats, IT security professionals’ greatest concerns are around phishing and social engineering (50%) and sophisticated attacks targeted directly at their own organizations (45%), according to the Black Hat survey. For the second straight year, respondents ranked ransomware as the greatest emerging threat to rise over the past 12 months, with 34% of the vote. The survey was conducted before the emergence of the recent WannaCry and Petya exploits.
As in past surveys, the Black Hat attendees registered strong concern over the disparity between their own priorities and those of top management in their organizations. Despite concern about emerging attacks, respondents indicated that functions such as compliance and risk measurement occupy the largest shares of their time and budget.
When asked how their IT security budgets are spent, 36% of Black Hat survey respondents said that compliance is the top priority, up from 31% in 2016. The effort to measure security posture and risk – a priority that finished ninth among security professionals but third among top executives – is a top spending priority for 23% of respondents, about the same percentage as last year, making it the number three overall security spending priority.
While respondents to the Black Hat survey today are most concerned with social engineering and targeted attacks, the majority believe that their priorities will change in the not-too-distant future. Digital attacks on non-computer systems – the Internet of Things – currently ranks 10th among security professionals’ chief worries; but when asked what they believe they will be most concerned about two years from now, IoT security ranks first on the list, at 34% (up from 28% in 2016).
Security pros also registered some concerns about internal data leaks, particularly those released via WikiLeaks. When asked which attackers they feared most, Black Hat respondents said they are most concerned about those with inside knowledge of their organizations (39%, up from 36% in 2016). Some 61% of respondents said they believe WikiLeaks is having an impact on the way corporations and government agencies conduct their operations. Thirty-two percent of IT security pros oppose the work done by WikiLeaks; 31% are in favor of it, with 37% remaining neutral.