The study revealed that 71% of IT professionals surveyed said that threats to endpoint devices, primarily mobile devices often personally owned by employees but used for work, have become more difficult to block or mitigate. However, 55% of respondents said their budgets for endpoint security will be unchanged in 2014; only 29% plan to increase budgets.
In other words, enterprises say they know the threats are increasing, but they aren’t putting their money where their mouth is, Larry Ponemon, chairman and president of the Ponemon Institute, said in a webcast this week in which the study results were presented.
“Most organizations make endpoint security a top priority, but budgets lag behind. It’s one thing to say we have a problem, but it’s another thing to allocate corporate resources,” Ponemon said.
The study, sponsored by Lumension, a supplier of endpoint security products, surveyed 676 IT pros and IT security professionals at various companies. This was the fifth annual study of endpoint risk by the Ponemon Institute.
Endpoint security risks are coming from all directions, added Ponemon. The types of threats and the percentage of respondents who identified them as a problem are as follows: Mobile devices (75%); third-party software applications (66%); remote workers (45%); personal computers (43%); and employee negligence (40%). That last category refers to security threats stemming from employee mistakes that expose the organization to a breach.
The 75% citing mobile devices as a threat represents a huge increase from 2009, when only 9% of respondents viewed mobile devices as a top risk.
[Read Michele Chubirka's suggestions for ways to improve security in 2014 in "6 Information Security New Year's Resolutions."]
Organizations also are concerned about security risks associated with cloud computing, according to the survey. Forty-four percent of respondents cited cloud risks as a threat in the latest survey, up from 28 percent in the 2012 survey.
In a follow-up phone interview with Network Computing, Ponemon attributed the rise in concern about cloud-delivered security threats to endpoints to the rise of what he called “BYOC,” or bring your own cloud. Some employees who use cloud file storage services in their personal lives now use those services in the workplace, often without informing IT.
“Employees may say they want to do document collaboration with others in your organization or even with some outside folks,” he said. “But in phase two, the employee moves confidential business data into the cloud. Now, suddenly, we have the potential for a problem.”
The report also indicated that organizations are increasingly concerned about targeted attacks, or advanced persistent threats (APTs). Thirty-nine percent of survey respondents reported APTs as one of their most concerning risks, up 55% from 2009.
According to the study, the most common way APTs are launched is through spearfishing, in which an e-mail is sent to an individual employee with specific information about that person to convince him or her to click on a link in the e-mail that launches the attack.
As to the budget for enterprise security staying the same for more than half of respondents, Ponemon is slightly encouraged that more respondents said they will increase endpoint security spending (29%) than those who plan to decrease spending (16%).
“In general, people are slightly more optimistic about getting more budget, maybe not enough budget, but more budget because endpoint security as a category is rising in importance,” Ponemon said.