Security professionals are more concerned about common malware than "advanced persistent threats" carried out by sophisticated cyber-criminals or by rogue governments, a survey finds.
IT security professionals rated common,
low-level malware as their top IT security concern, according to a recent
IT security professionals rated the
lack of resources and the inability to deal with zero-day vulnerabilities as their
top concerns in the latest survey from eEye Digital Security, released June 16.
Most respondents feel high-profile malware such as Project Aurora and Stuxnet is
either a small or very small threat to their organizations. Most also consider
government-sponsored hacking a low priority.
In a survey of more than 1,677 IT
administrators, managers and C-level executives, nearly 55 percent said they
consider mass malware and spyware a "very large" or "large"
threat to the enterprise. That was in stark contrast to the 12 percent who said
the same for Stuxnet and Operation Aurora, 11 percent for Night Dragon, and 23
percent for government- and state-sponsored attacks. Nearly 44 percent consider
Stuxnet a "very small" threat, the survey found.
"While it is important to remain
vigilant against attacks that wreak havoc and damage reputations, we must also
remain focused on attacks that fly in under the radar" and happen every day,
Marc Maiffret, CTO of eEye Digital Security, said.
About 47 percent of the respondents are
concerned over a lack of staff or tech resources, while 41 percent said they are
concerned about improper configuration. About 42 percent rated their inability
to protect against zero-day vulnerabilities as a large or very large concern.
The "2011 Headlines" survey "demonstrated that headline-driving
attacks are not what keep IT security professionals or executives up at
night," according to eEye.
The survey found that security
professionals want to make defense against stealthy, everyday attacks a
priority, Maiffret said. "Although cutting-edge headlines and horror
stories may rule the air, most security professionals remain focused on the
basics," said Maiffret.
If they suddenly had 20 percent more in
their budgets, most respondents would be interested in basic tools. About 65 percent
said they would spend it on security reporting and dashboard technologies, 63
percent named patch management, and 60 percent named configuration compliance
tools. A little over half, or 52 percent, said they would take the budget
increase to hire more personnel.
About 61 percent said they would not
spend it on more regulatory compliance reporting tools, and 49 percent said
they would not invest in defenses against advanced persistent threats and other
However, most respondents, or 57
percent, said they won't be seeing any increases in their 2011 budgets, despite
the supposed economic recovery. Only 21 percent expect an increase, and 22
percent actually reported a decline, according to the survey.
The survey included security
professionals and executives from organizations of various sizes across all
industries. Thirty percent of respondents came from organizations with 4,000
employees or more, and another 34 percent came from true small to midsize
businesses, with fewer than 99 employees. While 22 percent of the respondents
came from high-tech, 35 percent came from industries other than high-tech,
financial services, energy, retail, health care or the government sectors.