You want some good numbers? Check out the InformationWeek security survey

By | May 10, 2012

Posted in: Network Security Trends

I've grown to anticipate the annual InformationWeek Strategic Security Survey with some enthusiasm. It's one of the better conceived surveys around, covers a wide range of sectors and organization sizes, and has a sufficiently large sample (946 IT and security professionals) to be statistically significant. And it's chock full of interesting information about what troubles enterprises and what they are and are not doing about it.

Not surprisingly, managing the complexity of security was most frequently cited as one of the greatest security challenges (more than half the respondents). The point is that while any one point problem may prove thorny and/or expensive to deal with, the overwhelming sense is that dealing with security, especially in large, complex enterprises is, well, overwhelming.

One of the more surprising findings is that despite the sky-is-falling hype around mobile security and social media, most practitioners are not overly worried about either. Only a quarter of the respondents think smart phones and tablets pose significant threats to their organizations. One in five say they are not yet a threat, but will be. The numbers for social media as a threat were almost identical. My sense is that those who are sizing up mobile as a growing concern that should be addressed now are close to the mark. But a lot of nasty stuff is coming through the social media vector, and people who have been trained to be reasonably wary of email are far too trusting on Facebook.

One in five organizations experienced data breaches or cyber espionage. That's the ones that know they have been breached. It's well established that breaches typically go months undetected. If you actually are the victim of an APT, in particular, your secrets are being leeched as you read this. Malware was involved in 68% of the breaches, of course, and phishing in half. The two often go hand in glove: the attacker tricks the right corporate user into clicking a link or opening an attachment, and gains a beachhead in the network. Of course, there is just the Stupid Factor as well, the 28% involving stolen computers or storage devices. This should probably read lost or stolen. Laptops are left in the back of taxis, backup media simply vanishes and now smart phones, well....

The fallout from cyber attacks? A third left the network and/or business applications unavailable. A third of the breaches involved intellectual property theft/information confidentiality compromise. One in five resulted in compromised customer records.

Only a fifth of the organizations say they are more vulnerable to breaches than a year ago. That may be moot: How vulnerable were they the previous year?

What are organizations doing in response? Some 28% say they spend 1-5% of the IT budget on security. One in 20 spend less than 1%. One in 10 spend more than 25% of the IT budget on security. Those folks are serious. But spending may not be an entirely reliable measure; like a baseball team, you can spend smart or spend unwisely.
