Companies were least prepared to assess the security risks of cloud and mobile technologies, according to a survey of cybersecurity professionals released this morning.
Around 60 percent of companies were able to assess security risks in cloud environments, down 7 points compared to last year. Mobile devices scored at 57 percent, down by 8 percentage points compared to last year.
Overall, the confidence levels of security professionals that their cyber defenses were meeting expectations dropped from 76 percent last year to 70 percent in this year's survey, according to the report, which was produced by Annapolis, M.D.-based CyberEdge Group, and sponsored by Tenable.
The largest single drop was in the confidence in the security of web applications, down 18 points from 80 percent last year to 62 percent today.
Respondents also reported lower confidence in their ability to convey risks to executives and board members, down 3 percentage points from 83 percent last year to 80 percent today.
On a positive note, they were more confident about their ability to manage security effectiveness, up by 2 points from 81 to 83 percent.
Cris Thomas, strategist at Columbia, Md.-based Tenable Network Security, which produced the report, said that he was surprised by the results.
"It would be my assumption that as we go through time and work with these technologies more and more we get more comfortable with them," he said. "Our ability to assess the risk and mitigate those threats should become greater over time. But the numbers aren't showing that. The numbers are showing a decrease over last year, and I really don't have an explanation of that."
Take cloud services for example, he said. Companies are using more and more cloud services and cloud infrastructure.
He suggested that security pros might be becoming more aware of cybersecurity risks than they were before.
"Maybe we're just realizing what we don't know, and that there's a bigger security concern than we though there was," he said. "We're just starting to understand how complex the security is with cloud."
Similarly, mobile should be an old story, he said.
"We've had mobile devices for a while," he said. "This isn't something new and we think we'd have an understanding and grasp of the security issues. So I would expect this score to go up, but instead we had a decrease."
He suggested that increased media focus on security breaches might be bringing additional attention to potential problems.
The report broke the scores out by industry and showed a decline in all verticals.
"We're pretty much across the board," Thomas said. "It's not a good sign."
Health care scored the lowest this year, at just 54 percent percent -- down from 72 percent last year.
Looking the data geographically, India scored the highest, at 73 percent, and Japan the lowest with a score of 43 percent.
Thomas suggested that this might be due to the percentage of companies in each country who handle their own security.
"The level of outsourcing is higher in India," he said. "And it gives them the sense that they're paying someone else to handle it, and they think they're more secure."
Japan is on the other end of the spectrum.
"There's very little outsourcing in Japan, most of the security is done in-house," he said. "And that might be why they have a lower grade."
This does not necessarily mean that those companies are more or less secure, he added, just that they are more or less confident in their security.
"It is possible that your security is better if you outsource, and it's possible that it could be worse," he said. "But that perception is that these guys are experts, so my security is good."