IT managers in Poland are probably more relaxed than their international counterparts in Central and Eastern Europe. The main reason: trust. A recent IDC survey creates an informal trust index that indicates IT managers in Poland, relative to managers in other CEE countries, are less worried about staff messing up carefully configured systems or leaking data.
This is a bit unexpected. While Poland rarely makes the top lists of source countries for hacking or other online attacks, it has traditionally scored below average in polls of interpersonal trust done by the OECD. And a comprehensive 2013 study conducted inside Poland argues that poles are losing what little trust they have in each other.
That Hungary landed the second spot is also surprising. It is often named as one of the countries producing the most malicious activity. According to a 2013 article in Bloomberg based on a study by Akamai Technologies, Hungary was tenth overall as a source of global attack traffic. Meanwhile a Symantec whitepaper released in April 2014 puts Hungary seventh globally in terms of bots, producing around the same number as Germany (which has eight times the population) and also Japan (which has nearly thirteen times the population). Yet the survey results do not suggest that Hungarian IT managers have greater security installed in the workplace. If anything, they are average at best.
By contrast, Russian IT managers have plenty of protection. Despite spending less per capita on IT security than their counterparts in other CEE markets, Russian IT managers are more likely to have advanced solutions in place, taking the top spot in seven of the twelve categories addressed in the survey. Perhaps Russian managers are cognizant of the fact that Russia is often listed as one of the top three sources of malicious IT activity. Perhaps more important, a 2013 security bulletin by Kaspersky placed Russia fourth in terms of PC infection risk via the Internet. On the other hand, the Czech Republic is also one of the more advanced countries in terms of IT security deployments. Yet the country ranks among the bottom three in the trust index.
All of this makes cause and effect hard to pin down at the national level. For instance, it may be that Czech IT managers (or at least those that attended IDC's roadshow) have read more about the dangers and have gotten paranoid, and are now attempting to use technology to replace training and trust. Or it may be that non-IT professionals in the Czech Republic are actually more likely to tinker with machines, leak data, and sabotage systems; and IT managers therefore need to put greater protections in place. As for Greece, it could simply be that people are projecting their feelings about the country's endless economic woes on their fellow workers, and that people are actually fairly trustworthy.
In other words, generalizations need to be understood as just that. Large-scale breaches remind us that it only takes one compromised machine, one downloaded virus, or one disabled firewall to destroy a firm's integrity. Also, retailers, telcos, and financial firms invest heavily in IT security to protect customer transaction data along with reputations. In many markets, they are among the most secure industries. Yet despite the lessons of the Target attack, last month DIY giant Home Depot got robbed of around 56 million credit and debit card numbers. In the first half of this year, France Telecom was hit at least twice. Just last week, the media reported that systems at JP Morgan Chase and four other banks were compromised in a long-running massive attack. And in Central and Eastern Europe, we've seen the Polish president's computer system hacked along with several Czech banks, the Czech stock exchange, and Slovak banks.
And these are just the large scale attacks that have made headlines. Most organizations are under constant threat, often from within. Symantec estimates that around 29% of data breaches are from accidents and 6% from insider theft. It is interesting (and fun) to consider national differences and the idea that some countries may be more trustworthy than others. But that should not be a substitute for a comprehensive security policy, where a little mistrust can go a long way in terms of greater protection.
The trust index was generated from a survey conducted from March through September of 2014 at the IDC Security Roadshow. In addition to a host of questions about the state of IT security, the survey also asked IT professionals attending the events to rank from 1 (lowest threat) to 5 (highest threat) the degree to which they trusted staff in three key areas: unwanted reconfiguration of machines, employee sabotage, and unintended data leakage or loss. Of the 459 that participated in the survey, around 85% answered all three questions.
For complete survey results or more information about IDC's IT Security Roadshow or research into IT security, please contact Pavla Cincerova (firstname.lastname@example.org or +420 221 423 116) or Tatiana Hinova (email@example.com or +420 221 423 155).Mark Yates is a research manager at IDC CEMA's Prague office.