Someone recently launched a survey on LinkedIn regarding the biggest security threat to an organization this year. The survey listed six options as the answer: proliferation of mobile devices, adoption of social networking, internal threats, hackers, regulators, and lack of understanding by senior management.
I think none of the above options points out the biggest threat. My point of view is:
Lack of Security Awareness should be the biggest, as it is the root threat of other threats.
We know most organizations already have their security policies in place, so let's talk about why, in reality, people (average users and security professionals alike) do not always obey the rules defined in those security policies: lack of security awareness.
One CISSP at Microsoft made this comment in the discussion: "There are two kinds of systems - those that have been compromised and those that will be".
I think it is a good point. This kind of negative consciousness in security is actually a survival technique. People with this kind of awareness can prevent incidents and damage, as awareness is the prime factor to make a security program successful.
Therefore, as I mentioned above, I have always believed the biggest threat is not from technical domains; it's from people's minds: lack of security awareness, the root threat.
No awareness, no security. Not only for this year: it is permanent.