Security Tops IT's Concerns, Symantec Study Finds
Global study of security personnel identifies goals, points out risks and staffing issues
Cyber attacks are hitting home -- literally -- and understaffed IT resources know it. That's just one aspect of a new report from Symantec, 2010 State of Enterprise Security Global Data.
The study found that in the last 12 months, cyber attacks have hit three-quarters of the enterprises, and 41 percent claim the attacks were somewhat or highly effective. Things are only expected to get worse; 57 percent said such attacks will grow somewhat to extremely fast (“external malicious attacks” will grow the fastest).
Security is top of mind for IT, the report reveals. For example, 42 percent of IT managers put it as their leading IT concern, surpassing traditional criminal activity, natural disasters, and terrorism combined. In ranking areas for IT improvement, "better manage business risk of IT" came in second (“improve infrastructure performance” topped the list), with 87 percent of respondents rating it “somewhat or absolutely important.” The report also notes that 94 percent "expect to implement changes to their cyber security efforts in 2010, with almost half (48 percent) forecasting major changes."
Every respondent in the survey reported a "cyber loss" last year. Among the most frequent: theft of customer personally-identifiable information, downtime, intellectual property theft, or theft of customer credit card data. Respondents acknowledge the costs in 92 percent of the cases, most commonly lost productivity (36 percent), lost revenue (33 percent), and loss of customer trust or damaged customer relationships (32 percent).
Those losses impact the bottom line. The study asked respondents to quantify the costs; on average, the loss was $2 million a year. For large enterprises (those with 5000 or more employees) the figure was even worse: $2.8 million annually. An operations manager told Symantec that it costs his auto dealer consortium $11,000 per name if security is compromised. “The costs of cyber attacks are financial, brand, stock price, and a lot of other things as well. But the biggest cost is a ruined reputation. Who wants to do business with a company that cannot protect their customers’ information?”
Productivity was clearly hit, and the loss can take many forms. "Maybe your business kept going and customers could get your goods and services, but it took twice as many resources to get it done because half your people were experiencing downtime," Matthew Steele, director of strategic technology at Symantec, told Enterprise Strategies.
The nature of attacks is also changing, Steele pointed out. "We've noticed a shift in the threat landscape from attacks that target infrastructure to attacks that target data. They're still attacking the infrastructure -- that's the bridge -- but the target is now the data. When that intellectual property gets stolen and then sold, there's a big impact on business."
Furthermore, attackers now launch smaller attacks more often, and the attacks run in stealth mode, Steele said. Such attacks don't have as large a malicious code footprint as in the past, and the monetary impact of that code is much higher. The attacks are going after specific pieces of information in specific organizations, so you start to see a higher volume of attacks with lower frequency. For companies such as Symantec, it means more signatures must be created.
Worse, because of the stealth nature of the attacks, by the time a business recognizes the theft, it's often too late to mitigate the damage.
Steele says that cyber attacks targeted customer credit cards because such data was easy to either use or resell quickly. Intellectual property is more difficult, but the increase in organized crime's involvement in cyber attacks (with the means to profit from such stolen property) should have enterprises even more concerned.
Even with large staffs (large enterprises typically have 230 employees working on security tasks), enterprises feel understaffed, though Symantec says despite these pressures, organizations are "holding their own."
"Organizations have their hands full with the high frequency of attacks and staggering losses. Unfortunately, data center realities are making it even harder for IT to secure the enterprise," the report notes.
Staff is one issue -- impacting security systems management, data-loss prevention, and network and endpoint security -- at just the time IT is tackling server virtualization, endpoint virtualization, and software-, infrastructure-, and platform-as-a-service initiatives. Complicating matters are two new "hot" technologies -- cloud computing and virtualization -- and compliance with up to 19 different IT standards or regulations, including ISO, HIPAA, Sarbanes-Oxley, CIS, PCI DSS, and ITIL.
The report concludes with recommendations for strengthening enterprise security:
- Organizations need to protect their infrastructure by securing their endpoints, messaging and Web environments. In addition, defending critical internal servers and implementing the ability to back up and recover data should be priorities. Organizations also need the visibility and security intelligence to respond to threats rapidly.
- IT administrators should protect information proactively by taking an information-centric approach to protect both information and interactions. Taking a content-aware approach to protecting information is key in knowing where sensitive information resides, who has access, and how it is coming in or leaving your organization.
- Organizations need to develop and enforce IT policies and automate their compliance processes. By prioritizing risks and defining policies that span across all locations, customers can enforce policies through built-in automation and workflow and not only identify threats but remediate incidents as they occur or anticipate them before they happen.
- Organizations need to manage systems by implementing secure operating environments, distributing and enforcing patch levels, automating processes to streamline efficiency, and monitoring and reporting on system status.
The telephone survey, conducted by Applied Research in January, focused on enterprises with at least 500 employees. It included a mixture of 2100 CIOs, CISOs, and senior IT managers in 27 countries.