MOUNTAIN VIEW, Calif. – Aug. 31, 2011 – Symantec Corp. (Nasdaq: SYMC) today announced the findings of its 2011 State of Security Survey, which explored the state of cybersecurity efforts in organizations of all sizes. For the second year in a row, IT said security is the leading business risk they face, ahead of traditional crime, natural disasters and terrorism. However, organizations are getting better at fighting the war against cybersecurity threats. While the majority of respondents suffered damages as a result of cyberattacks, more respondents reported a decline in the number and frequency of attacks compared to 2010.
There were some positive findings. Seventy-one percent of organizations saw attacks in the past 12 months, compared to 75 percent in 2010. The percentage who reported an increasing frequency of attacks fell from 29 percent in 2010 to 21 percent in 2011, and 92 percent of companies saw losses from cyberattacks in 2011, down from 100 percent last year.
“Mobile computing, social media use, and the consumerization of IT are providing new challenges as organizations increase their cybersecurity efforts,” said Sean Doherty, vice president and chief technology officer of Enterprise Security at Symantec. “There’s no question that attackers are using more insidious, sophisticated and silent methods to steal data and wreak havoc. Organizations today have more to lose than ever before and need to keep adopting the security innovations and best practices that the industry is delivering to stay protected.”
Organizations More Concerned About Cybersecurity
Security continues to be a huge concern for organizations. While businesses face a variety of risks including natural disasters, traditional crime, and even terrorism, the top three concerns are related to data and network security. Respondents rank cyberattacks as their top concern, followed by IT incidents caused by well-meaning insiders, and internally generated IT-related threats.
The survey found more and more businesses believe that keeping their operations and information secure is of vital importance. Forty-one percent said cybersecurity is somewhat or significantly more important than 12 months ago. In contrast, only 15 percent think it is somewhat or significantly less important.
Cybersecurity Drivers Changing
Significant industry trends are driving security concerns facing businesses. As organizations deal with the proliferation of smartphones and tablets in the enterprise, as well as the immense popularity of social media, they are grappling with new security challenges. Forty-seven percent of respondents said mobile computing was affecting the difficulty of providing cybersecurity, followed by social media (46 percent), and the consumerization of IT (45 percent).
Organizations report that the threats they’re facing are evolving as well. Hackers are still their top concern, cited by 49 percent, followed by well-meaning insiders (46 percent). New to the list this year are targeted attacks, such as Stuxnet, that zero in specifically on a single organization for political or economic reasons.
Most Businesses Experience Cyberattacks
It’s no secret that businesses continue to experience cyberattacks. Twenty-nine percent of companies experience attacks on a regular basis and 71 percent saw attacks in the past 12 months. Furthermore, 21 percent said the frequency of attacks is increasing. The top attack vectors are malicious code, social engineering, and external malicious attacks. Interestingly, these are also the fastest growing attack vectors.
Ninety-two percent of companies saw losses from cyberattacks. The top three reported losses were downtime, theft of employees’ identity information and theft of intellectual property. These losses translated to monetary costs 84 percent of the time. The top costs were productivity; revenue; lost organization, customer, or employee data; and brand reputation.
The survey found that 20 percent of small businesses lost at least $100,000 last year due to cyberattacks. That figure was even higher for large enterprises, with 20 percent incurring $271,000 or more in damages.
What Are Businesses Doing?
According to their own assessment, 52 percent of the respondents said they are doing somewhat or extremely well in addressing routine security measures, while 51 percent reported that they are doing somewhat or extremely well in responding to security attacks or breaches. They’re not doing quite as well in areas of compliance and pursuing strategic initiatives or innovative security measures.
In order to address these shortfalls, businesses are increasing staffing levels and budgets for the IT department. They are adding the most staff in areas of network, web and endpoint security. Security budgets are also growing in web and network security, as well as data loss prevention. It’s clear that organizations are stepping up their efforts in improving their protection.
- Organizations need to develop and enforce IT policies. By prioritizing risks and defining policies that span across all locations, businesses can enforce policies through built-in automation and workflow to protect information, identify threats, and remediate incidents as they occur or anticipate them before they happen.
- Businesses need to protect information proactively by taking an information-centric approach to protect both information and interactions. Taking a content-aware approach to protecting information is key in identifying and classifying confidential, sensitive information, knowing where it resides, who has access to it, and how it is coming in or leaving your organization. Proactively encrypting endpoints will also help organizations minimize the consequences associated with lost devices.
- To help control access, IT administrators need to validate and protect the identities of users, sites and devices throughout their organizations. Furthermore, they need to provide trusted connections and authenticate transactions where appropriate.
- Organizations need to manage systems by implementing secure operating environments, distributing and enforcing patch levels, automating processes to streamline efficiency, and monitoring and reporting on system status.
- IT administrators need to protect their infrastructure by securing all of their endpoints – including the growing number of mobile devices – along with messaging and Web environments. Defending critical internal servers and implementing the ability to back up and recover data should also be priorities. In addition, organizations need visibility, security intelligence and ongoing malware assessments of their environments to respond to threats rapidly.
Symantec’s 2011 State of Security Survey
Applied Research fielded this survey by telephone in April and May 2011. The results are based on 3,300 responses in 36 countries. The company surveyed C-level professionals, strategic and tactical IT, and individuals in charge of IT resources from companies with a range of 5 to more than 5,000 employees. Of the total responses, 1,225 were from companies with 1,000 or more employees. The survey included respondents in 36 countries in North America, EMEA (Europe, Middle East and Africa), Asia Pacific and Latin America.
Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at www.symantec.com.
Note to Editors: If you would like additional information on Symantec Corporation and its products, please visit the Symantec News Room at http://www.symantec.com/news. All prices noted are in U.S. dollars and are valid only in the United States.
Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
Forward-looking Statements: Any forward-looking indication of plans for products is preliminary and all future release dates are tentative and are subject to change. Any future release of the product or planned modifications to product capability, functionality, or feature are subject to ongoing evaluation by Symantec, and may or may not be implemented and should not be considered firm commitments by Symantec and should not be relied upon in making purchasing decisions.