(click image for larger view and for slideshow)
Information security budgets are continuing to be squeezed by the economic downturn, with half of businesses reporting that their security spending has decreased in the past year. In comparison, only 37% of security professionals reported similar budget decreases in 2010.
That finding comes from a new study released by vulnerability and IT compliance management vendor nCircle, and is based on a survey of more than 550 information security professionals it conducted in March.
Beyond security spending cuts, 18% of businesses, up from 12% in 2010, report that they've also cut IT compliance-related spending. But these budget decreases can cause problems. For starters, 30% of security professionals said that their companies aren't adequately enforcing security policies, and 44% don't think they're effectively measuring security risk or regulatory compliance effectiveness.
"On a positive note, this is the second consecutive year security teams believe executives are more aware of security risks," said Elizabeth Ireland, VP of marketing for nCircle, in a statement.
Unfortunately, the survey found, management awareness may come at the expense of a proactive information security profile. Indeed, security professionals' top job concern is "providing management reports on network security effectiveness and risk," followed by having meaningful metrics, enforcing security policy compliance, and maintaining a consistent approach. Reducing network and information security risk, meanwhile, ranked last on their list of priorities.
What are the top challenges facing security programs today? Security professionals listed their number-one concern as meeting security compliance requirements (for 26%), followed by cloud computing (16%), advanced persistent threats (16%), Web application vulnerabilities (14%), and smartphones (13%). Interestingly, compliance, cloud computing, and Web application vulnerability concerns decreased slightly from 2010. Meanwhile, worries grew over advanced persistent threats, VoIP vulnerabilities, and especially smartphone security.
Reflecting the challenge of securing enterprise IT systems today, 95% of respondents also expect the number of data breaches their company experiences to increase this year.
According to a new report from Intel-owned McAfee, security professionals' concerns are justified, as the volume of many types of attacks continues to increase. "Malware has just posted its busiest quarter in history. Fake anti-virus software seems to be on the rise again and password-stealing Trojans are demonstrating a consistent level of activity," according to the study, which reviewed the most malicious threats seen in the first three months of 2011.
"It's been a busy start to 2011 for cybercriminals," said Vincent Weafer, senior VP of McAfee Labs, in a statement. "We're seeing a lot of emerging threats, such as Android malware and new botnets attempting to take over where Rustock left off, that will have a significant impact."
Thankfully, however, security professionals aren't having to deal with so much spam or malware. "Globally we have seen a significant reduction in spam as well as a corresponding shift in botnets due to the Rustock botnet's being taken mostly offline," according to the McAfee report. Indeed, spam volumes are now half what they were just one year ago. While spam still accounts for 1.5 trillion messages per day, it now only outnumbers legitimate email by a three-to-one ratio.
Security concerns give many companies pause as they consider migrating portions of their IT operations to cloud-based services. But you can stay safe in the cloud, as this Tech Center report explains. Download it now. (Free registration required.)
