You may have heard that the NSA has been spying on just about everyone, everywhere without regard for whether or not they are an actual threat to national security. The allegation that RSA accepted a payment of $10 million in exchange for cooperating with the NSA led some to boycott the recent RSA Conference, or participate in the TrustyCon counter-conference that was hosted around the corner. As it turns out, though, most IT professionals don’t seem all that concerned with the activities of the NSA.
AppRiver conducted a survey of the attendees at the RSA Conference. AppRiver’s Fred Touchette describes in a blog post how the boycott and the apparent success of TrustyCon piqued his interest about where government hacking ranks on the overall threat landscape for IT professionals.
“We decided to do a face-to-face survey with conference attendees one on one to ask them a few simple questions about these issues, compile the data, and see what is on people’s minds,” Touchette explains. “These are people that deal with security every day, whose jobs depend on keeping networks secure, and who use threats as a practical problem not [as] theoretical or philosophical issues.”
The AppRiver survey only includes responses from about 110 people—out of a total attendance of about 25,000—so it doesn’t qualify as a scientifically relevant sampling. Nevertheless, the results are interesting.
What AppRiver discovered is that only a meager 5.3 percent of respondents ranked external threats from government hacking attempts as the top threat. Government spying, like that conducted by the NSA, ranked at the bottom of the survey results, tied with malicious insiders—authorized individuals like Edward Snowden who intentionally compromise or expose data.
A third of the respondents cited the insider threat without malicious intent as the top threat. In other words, random users compromising data or putting the network at risk by circumventing security controls, ignoring security policies, or just plain human error.
The biggest concern by far, though, remains external hackers. More than 56 percent of the survey respondents cited evil bad guys on the outside of their network trying to infiltrate and infect their PCs as their number one security concern.
Interestingly, regardless of what is considered to be the top threat, nearly three-fourths of those surveyed believe that people are most frequently the weak link in the security chain that leads to network or endpoint compromise. More than 20 percent claim that faulty policies are to blame, while only 7.2 percent fault technology as the point of failure.
The debate over government intelligence gathering is far from over. But, according to AppRiver’s unscientific survey of IT security professionals, the ethics and legality of NSA activities are simply not part of the day-to-day concern when it comes to defending against malware and cyber attacks.