2011 State of Security Report: 3,300 Companies Sound Off
2011 State of Security Report: 3,300 Companies Sound Off
Earlier today, we announced the findings of our 2011 State of Security Survey, which explored the state of cybersecurity efforts in organizations of all sizes. The findings of the survey* – based on 3,300 responses in 36 countries – reveals that (for the second year in a row) security is the leading business risk they face, ahead of traditional crime, natural disasters and terrorism. However, results from the survey also indicate that organizations are getting better at fighting the war against cybersecurity threats. While the majority of respondents suffered damages as a result of cyberattacks, more respondents reported a decline in the number and frequency of attacks compared to 2010.
The survey revealed additional positive findings. For example, 71 percent of organizations saw attacks in the past 12 months, compared to 75 percent in 2010. The percentage who reported an increasing frequency of attacks fell from 29 percent in 2010 to 21 percent in 2011, and 92 percent of companies saw losses from cyberattacks in 2011, down from 100 percent last year.
Despite these improvements, security continues to be a huge concern for organizations. While businesses face a variety of risks, the top three concerns are related to data and network security. Respondents rank cyberattacks as their top concern, followed by IT incidents caused by well-meaning insiders, and internally generated IT-related threats. The survey results indicate that more and more businesses believe that keeping their operations and information secure is of vital importance. Forty-one percent said cybersecurity is somewhat or significantly more important than 12 months ago. In contrast, only 15 percent think it is somewhat or significantly less important.
Significant industry trends are driving security concerns facing businesses of all sizes. As organizations deal with the proliferation of smartphones and tablets, as well as the immense popularity of social media, they are grappling with new security challenges. Forty-seven percent of respondents said mobile computing was affecting the difficulty of providing cybersecurity, followed by social media (46 percent), and the consumerization of IT (45 percent).
Other key findings from the report include the following:
- Organizations report that the threats they’re facing are evolving as well. Hackers are still their top concern, cited by 49 percent, followed by well-meaning insiders (46 percent). New to the list this year are targeted attacks, such as Stuxnet, that zero in specifically on a single organization for political or economic reasons.
- Twenty-nine percent of companies experience cyber attacks on a regular basis and 71 percent saw attacks in the past 12 months. Furthermore, 21 percent said the frequency of attacks is increasing. The top attack vectors are malicious code, social engineering, and external malicious attacks. Interestingly, these are also the fastest growing attack vectors.
- Ninety-two percent of companies saw losses from cyberattacks. The top three reported losses were downtime, theft of employee’s identity information and theft of intellectual property. These losses translated to monetary costs 84 percent of the time. The top costs were productivity; revenue; lost organization, customer, or employee data; and brand reputation.
In order to address these shortfalls, businesses are increasing staffing levels and budgets for the IT department. They are adding the most staff in areas of network, web and endpoint security. Security budgets are also growing in web and network security, as well as data loss prevention. It’s clear that organizations are stepping up their efforts in improving their protection. For those organizations wanting to take the appropriate steps to address their specific challenges, I’ve provided the following recommendations:
- Organizations need to develop and enforce IT policies. By prioritizing risks and defining policies that span across all locations, businesses can enforce policies through built-in automation and workflow to protect information, identify threats, and remediate incidents as they occur or anticipate them before they happen.
- Businesses need to protect information proactively by taking an information-centric approach to protect both information and interactions. Taking a content-aware approach to protecting information is key in identifying and classifying confidential, sensitive information, knowing where it resides, who has access to it, and how it is coming in or leaving your organization. Proactively encrypting endpoints will also help organizations minimize the consequences associated with lost devices.
- To help control access, IT administrators need to validate and protect the identities of users, sites and devices throughout their organizations. Furthermore, they need to provide trusted connections and authenticate transactions where appropriate.
- Organizations need to manage systems by implementing secure operating environments, distributing and enforcing patch levels, automating processes to streamline efficiency, and monitoring and reporting on system status.
- IT administrators need to protect their infrastructure by securing all of their endpoints – including the growing number of mobile devices – along with messaging and Web environments. Defending critical internal servers and implementing the ability to back up and recover data should also be priorities. In addition, organizations need visibility, security intelligence and ongoing malware assessments of their environments to respond to threats rapidly.
*Applied Research fielded this survey by telephone in April and May 2011. The results are based on 3,300 responses in 36 countries. The company surveyed C-level professionals, strategic and tactical IT, and individuals in charge of IT resources from companies with a range of 5 to more than 5,000 employees. Of the total responses, 1,225 were from companies with 1,000 or more employees. The survey included respondents in 36 countries in North America, EMEA (Europe, Middle East and Africa), Asia Pacific and Latin America.