"Security awareness training programs can make a dent into this problem, but people who are not security practitioners cannot really be expected to be the defenders of the kingdom," Greenberg says.
Companies can try for modest gains in awareness, "but we are kidding ourselves if we think every employee will never click on a link or attachment in their email," Greenberg says. "It only takes one successful click to inject a rootkit, keylogger [or] trojan, allowing a hacker illegal entry into your environment. Clearly this is a problem to keep in our sights."
Ignored Insider Threats
Attacks from within organizations are nothing new. But the number of threats from these seemingly trusted parties is on the rise, says Michael Cox, president of SoCal Privacy Consultants.
"Many Web-facing organizations are strictly focused on external threats, which include espionage agents, saboteurs, and cyber criminals," Cox says. "However, businesses are constantly being surprised by breaches caused by workforce members and third-party services providers."
Since these trusted parties have the greatest access to sensitive information, the average cost of a breach caused by a trusted party is greater than that of a breach caused by an external threat, Cox says. "The false sense of security organizations have with trusted parties has allowed breaches by these actors to grow more rapidly than those by external threats."
For employees, the primary causes of breaches are inadequate awareness and training programs, inadequate role-based access controls, and inadequate activity monitoring, Cox says. For third-party service providers, inadequate due diligence and monitoring programs are the primary causes.
Another threat that was prevalent in 2013 and will be in 2014 is the production and distribution of insecure applications.
"The proliferation of e-commerce and mobile applications has enabled many companies to have greater connectivity with their clients," South says. "But we have yet to solve the resulting problems that have been present for well over the past 10 years: injection and cross-site scripting threats."
Security professionals continue to produce code that's easily compromised, South says, given the level of sophistication of the attackers. "With the emergence of NoSQL databases and their associated injection attacks, the ability to compromise Internet-facing applications may well continue to increase rather than decrease," he says.
Concerns about network security "have rightfully been overtaken by concerns about the applications and services running thereon," says Jason Taule, chief security and privacy officer of FEi Systems, a healthcare technology integrator. "Both internal development teams as well as the commercial software market are paying increased attention to the demand for secure code."
The security of an application and the credentials one uses to gain access are only as strong as the process by which a user's identity was vetted to begin with, Taule says. "Requiring that a user insert a PIV card into a reader, offer up a biometric, and enter a password does nothing if these credentials weren't provided to the correct individual," he says.