The 2011 State of Security Survey showed that the number of businesses experiencing cyber attacks declined a bit, from 75% to 71%, and while nine of 10 experienced losses, that figure was better than the 100% in 2009. More than a fifth of the organizations reported regular attacks, and a handful reported a large number or extremely large number of attacks. One in five businesses reported losses of at least $195,000 as a result of cyber attacks.
External malicious attacks, social engineering and malicious code were cited as top attack vectors among those reporting a high number of attacks and growing frequency of attacks. Of course, many modern attacks use combinations of these approaches.
"Most attacks have been very focused, especially in the last three years," says Sean Doherty, Symantec VP and CTO of enterprise security. "They’ve moved from broadcast attacks--worms, broad-based spam and phishing--to targeted attacks, which increasingly use a number of techniques."
The survey included organizations from SMBs with fewer than 50 employees to enterprises of more than 5,000 across a wide range of verticals. Generally speaking, the responses from large and small organizations were about the same, Doherty says, although SMBs have fewer resources and are slower to adopt strong security processes and fine-grained control. However, smaller organizations are more flexible and likely to lead the way in adoption of broader controls, such as whole-disk encryption.
The respondents ranked cyber attacks as their most significant business risks, followed by well-intentioned insiders and internally generated IT threats, well ahead of traditional criminal activity, brand-related events, natural disasters and (lastly) terrorism. Hackers, well-meaning insiders, targeted attacks and malicious insiders were cited as the most significant security threats.
Accordingly, four in 10 report that securing their organization’s platforms and information has become more important in the last year, while 45% say its importance remains about the same. The industry trends driving security were tightly grouped, ranging from mobile computing (47%), social media and the consumerization of IT on the higher end to private and cloud computing on the lower end (about 40%).
More than half the organizations feel they are doing well in addressing routine security measures and responding to attacks and breaches, while just under half say they are doing well demonstrating compliance and pursuing strategic and innovative or cutting-edge security issues. Security staff increases were led by endpoint, Web and network security, while budget increases were led by security systems management, and Web and network security.
"Information security is generally getting increases in budget, but they are very small," says Doherty, based on his conversations with customers and other organizations. "IT as a whole has been under a lot of pressure to reduce cost to the organization, and savings are being made in one area--say, storage or telecommunications--to help fund investment in security."