Penetration testing should look at IT and non-IT business processes, and should include how vulnerable the organization is to social engineering.
Training employees in safer behavior is a must. "People will not change their behavior unless they have motivation to do so, and organizations must generate that motivation in a positive, consistent and persistent manner." They should be motivated to use digital media safely, and perhaps people-centric security is in order, the report says.
"The rise of ubiquitously connected devices and the Internet of Things has expanded the attack surface, and commands increased attention, larger budgets and deeper scrutiny by management," the Gartner report says. "Security is not a technical problem, handled by technical people, buried somewhere in the IT department. ... Risk-based decision making requires improvements in non-IT executive communication and engagement."