In-Depth

Losses Mount as Security Risks Rise and IT Struggles

A new survey by Symantec of 1000 organizations in the U.S. and Europe highlights the rise in security risks and actual damage done

• By James E. Powell
• 03/23/2009

Security risks are real and growing, and they’ll continue rising for at least the next two years, according to IT security professionals interviewed for Symantec’s recent report, Managed Security in the Enterprise. Other key findings of the survey of IT security risks, challenges, and strategies: managers say it’s getting harder for them to provide effective IT security because of increased regulatory pressures, a smaller budget, and problems finding and hiring qualified staff.

Organizations reported increased threats (a theoretical risk) and a rise in actual attacks in the last two years; respondents expect the trend to continue in the next two. Actual losses (including lost revenue and lost staff productivity) were reported by virtually all (98 percent) enterprises surveyed. In fact, 88 percent of U.S. organizations reported being attacked in the last two years, of which 42 percent saw attacks on a regular basis.

That validates other Symantec findings according to Grant Geyer, vice president of managed services at the firm. Geyer told Enterprise Strategies that the company’s Internet Security Threat Report showed a significant rise is malicious code, especially in bot networks. “That 72 percent said malicious code events were increasing is no surprise. The problem is that IT is finding that anti-virus programs alone aren’t enough to combat the problem. Today’s malware works in difficult-to-detect stealth mode, attacking in a number of vectors, from e-mail and unpatched systems to the USB drive you plug into your system.”

Geyer fears that when one-third (33 percent) of respondents say they have experienced internal malicious attacks when data leaves the network, these experts are seriously underestimating the problem. “From our customer profiles, we know that there is a tremendous amount of data leaving an enterprise. It’s difficult to say how great this threat is, but it’s on a par with external malicious attacks.”

One-third classified the cyber attacks as somewhat or highly effective. The top reported loss categories: environment downtime (48 percent) and customer or employee personally identifiable information (31 percent). Nearly one-third of respondents say their organization experienced losing productivity (31 percent), revenue (15 percent), or customer trust/good customer relationships (12 percent).

“I don’t think downtime is the most far-reaching effect of cyber attacks,” Geyer said. Customer information losses, such as personal information and credit card losses, are high. One in five companies have lost credit card information; that’s very damaging for any enterprise. In addition, I think enterprises would be surprised at the amount of corporate data actually being stolen.” Geyer pointed out that for large enterprises, the loss of its customers’ personally identifiable information was more important than a loss of downtime; for small companies, the reverse was true.

According to the report, cyber risk “far out-ranked all other risks, with 67 percent rating cyber attacks as the #1 or #2 risk they face as an organization,” which is twice the perceived risk of traditional crime and over four times the perceived risk of terrorism.

Nearly half of U.S. organizations (49 percent) and six in ten European respondents claim that it is getting “somewhat or significantly more difficult to provide security” because of increasing threats (58 percent), understaffing (57 percent), or insufficient budget (49 percent). When it comes to staffing, 55 percent say their staffing level is “about right,” but one-third say they are “somewhat under staffed.” Furthermore, both European and U.S. organizations reported that when trying to get the greatest productivity from their existing IT security staff, the complex nature of security, difficulty retaining staff, and distractions from security audits got in the way.

A large number of enterprises are turning to outsourcing to solve their problems. Nearly 62 percent of U.S. organizations and 77 percent of European firms are considering or using outsourcing. Outsourcing gives IT round-the-clock coverage and greater access to security expertise while lowering costs and mitigating risks.

“This makes it really tough for companies,” Geyer points out. “They’re hit with increasing regulations and a smaller budget. Even if they do have a decent budget, they can’t find staff with the needed skills.” Geyer pointed out some variations by industry: while globally 39 percent said they were understaffed, 49 percent of health care organizations and 53 percent of entertainment/recreation companies said so. “Health care is particularly hard hit; they have been hit with regulations such as HIPAA that are taking there toll on top of everything else.”

Telephone interviews of IT security staff in 523 enterprises in the United States and 477 in Europe (Germany, the U.K., France, Italy, and Spain) were conducted in late January. The organizations had between one thousand and one million employees. Among U.S. respondents, 80 percent were executives responsible for IT security (managers, directors, or vice presidents); the remaining 20 percent were employed in non-management IT security positions. The company says its report has a margin of error of about 2.8 percent at a 95 percent confidence level.