
Malware Clean-Up Swamps IT Managers

Companies favor security technology, overlook adequate user training

When it comes to threats, protecting corporate data is IT managers’ top concern. Yet instead of dedicating themselves to the job, IT managers must spend an inordinate amount of time on the mundane task of cleaning up after malware infections.

These results come from a survey of 70 IT managers at medium-size companies, conducted by Mountain View, Calif.-based security software vendor GreenBorder Technologies Inc.

Overall, IT managers worry most about data privacy and confidentiality (56 percent of respondents), followed by malware cleanup efforts (54 percent), interference with existing applications and systems (51 percent), patching time and effort (43 percent), and compliance violations (36 percent).

For combating malware, almost all respondents say they employ antivirus software and network firewalls, and three out of four also restrict Internet browsing. Yet IT still spends an inordinate amount of time on cleanup. “Even with the layered security strategies most companies have in place, malware is still getting in and causing major pain,” notes Drew Hoffman, CEO of GreenBorder. In short, IT managers must “dedicate a significant percentage of their resources to cleaning up and patching infected systems.” At one in three companies, for example, between 21 percent and 40 percent of IT staff time is spent on patching.

How, exactly, is malware invading the enterprise? Respondents overwhelmingly blame user behavior (67 percent), followed by zero-day attacks (43 percent), then blended and morphing threats (33 percent). After any infection, 80 percent of respondents also report it takes at least half a day to clean, re-image, or otherwise restore a PC to health.

Security Manager, Heal Thyself

The GreenBorder survey results mirror those of the 2005 Global Security Survey from Deloitte Touche Tohmatsu, especially when it comes to respondents’ top concerns. “Chief among them are the increasing sophistication of threats (63%) and the lack of employee awareness and training (48%), both of which may create an environment of exploitable vulnerabilities and weak operational practices,” notes the Deloitte report.

While respondents to both surveys often blame users for security problems, the Deloitte report criticizes many organizations for not spending enough time or money to address many potential security holes.

Deloitte notes there’s a special problem with security processes: “Although the majority of organizations are confident that they have adequately protected themselves from internal and external attacks, many of their investments in technology are undermined by process flaws.” For example, “33 percent of respondents acknowledge that they have done nothing to protect themselves from internal wireless communication exposures, and only 38 percent run scans to identify rogue wireless networks.”

Another too-common information security shortcoming is a lack of proper employee training, notes Deloitte. “With identity theft spinning out of control, and so many respondents concerned with the lack of employee awareness, it is troubling that only 65 percent of organizations have trained their employees on how to identify and report suspicious activity.” Fewer than half of organizations have training or awareness initiatives scheduled for the next 12 months.

Some of this is intentional, notes Ted DeZabala, a principal in the security services group of Deloitte & Touche LLP. “In an attempt to minimize the human risk factor, financial institutions have been focusing on enterprise-wide solutions.” Such technology includes identity, access, vulnerability, patch, and security-event management.

Yet technology alone can only do so much. That’s why any security software or hardware will have to be “augmented by security training and awareness if organizations are to minimize the number of human behavioral threats,” he says.

Related Articles

Layering is Key to Countering Zero-Hour Attacks
http://esj.com/Security/article.aspx?EditorialsID=1557

Bot Networks and Modular Code Target Enterprises
http://www.esj.com/Security/article.aspx?EditorialsID=1523

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.
