Employees are Organization's Biggest IT Threat Says New Study

Press release from the issuing company

Friday, January 23rd, 2015

Well-funded hackers with sophisticated tools made headlines and worried organizational leadership throughout 2014, yet the primary reason endpoint security risk has become more difficult to manage in the past 24 months is negligent or careless employees who do not follow security policies, according to IT professionals surveyed in the 2015 State of the Endpoint study by Ponemon Institute, commissioned by Lumension®, a global leader in endpoint management and security.

Seventy-one percent of responding IT professionals said managing endpoint risk has become more difficult in the past 24 months. Of those, 78 percent consider negligent or careless employees who do not follow security policies the biggest threat, followed by 68 percent who cite the significant increase in the number of personal devices connected to the network and 66 percent who point to the use of commercial cloud applications in the workplace.

"Respondents in this year's study have shifted their thinking and are now also attributing endpoint risk to human behavior in addition to particular device vulnerabilities," said Chris Merritt, director, solution marketing, Lumension. "This is a significant cultural shift to note because it illustrates how IT is starting to look at cybersecurity holistically. In addition to technology solutions, in 2015 IT must also take into account company policies and control processes, user awareness and overall employee education."

According to respondents, 28 percent of attacks on an organization's endpoint cannot realistically be stopped with the enabling technologies, processes and expertise they currently have in-house, and 70 percent agree their organizations' endpoint security policies are difficult to enforce, due largely to a lack of governance and control processes.

In addition to user-centric behavior, IT also faces attacks on the endpoint that are growing in severity. Web-borne malware attacks are the most frequent in an organization, according to 80 percent of respondents, followed by APTs (65 percent) and rootkits (65 percent). The biggest increases over last year's report are in zero-day attacks, APTs and spear phishing. The applications causing the biggest headache for IT this year are Adobe, cited by 62 percent, followed by Oracle Java (54 percent) and third-party, cloud-based productivity apps (46 percent).

"IT continues to battle malware at the endpoint and 69% of our respondents say it increased in severity last year," said Dr. Larry Ponemon, Chairman, Ponemon Institute. "While it is positive news that companies are making the security of endpoints a higher priority, to win the war they need to recognize the criticality of minimizing employee negligence and investing in technologies that improve the ability to detect malicious attacks." 

2015 IT Security Plans
Ninety-five percent of responding IT professionals anticipate a move to a more 'detect and respond' orientation in 2015, beyond the more traditional prevention-focused approach. Seventy percent of respondents say their organizations are using or plan to use big data to enhance their security. Sixty-four percent say they have added or plan to add a threat intelligence component to their security stack.

In recognition of growing risk, 68 percent say their endpoint security is becoming a more important part of their organization's overall IT security strategy. In 2015, IT security budgets will increase for 45 percent of respondents, a figure similar to the share that reported an increase for 2014.

Interestingly, 53 percent report they are not keeping up with the use of 'destructive malware', as was seen most recently in the Sony hack. "Unfortunately for IT, the bad guys keep getting better," Merritt said. "Organizations must evolve their security approach with business resiliency in mind – and the increasing use of ransomware and other destructive attacks underlines the absolute business necessity of staying on top of the ever-evolving cyber threat landscape."