Security professionals are most concerned about targeted attacks, external hackers and insider threats, according to a recent report from Symantec. Their jobs are made more challenging by industry trends such as mobile computing, social media and the consumerization of IT, the survey found.
Nearly 50 percent of IT security professionals surveyed said external threats pose somewhat or extremely significant risks to the organization, compared with 46 percent for accidental breaches by well-meaning insiders and 44 percent for malicious insiders, according to Symantec's 2011 State of Security Survey, released Aug. 31. Most organizations on average ranked cyber-attacks as bigger risks to their businesses than other forms of criminal activity or natural disasters.
Mobile computing, social media and consumerization of IT were the top three industry trends making enterprise IT security more challenging, the survey found. About 41 percent of the respondents also said securing the organization's platforms and data was "somewhat" or "significantly more" important than it was 12 months ago.
"Mobile computing, social media use and the consumerization of IT are providing new challenges as organizations increase their cyber-security efforts," said Sean Doherty, vice president and chief technology officer of enterprise security at Symantec.
Symantec found that 29 percent of organizations see attacks on a regular basis and 71 percent had been attacked at least once in the past 12 months. The top attack vectors were malicious code, social engineering and other external attacks. A little over a third of the respondents expressed concern about state-sponsored attacks.
Interestingly, the number of organizations reporting attacks in the past 12 months dipped slightly in 2011 to 71 percent compared with 75 percent in 2010. The number of organizations that claimed to see an increase in attacks also declined from 29 percent to 21 percent.
The drop-offs appear to be the result of companies increasing their security staffs and budgets, the survey found. About 46 percent of surveyed businesses reported increasing networking and Web security staff. Furthermore, 41 percent planned to increase the budget for network security and Web security and 38 percent for security systems management.
Organizations are "stepping up" to improve protection, as these industry trends will have long-term effects and will continue to evolve, said Chirantan Desai, senior vice president of the Endpoint and Mobility Group at Symantec. However, a little over half of the organizations said they are dealing with routine security measures and security breaches, while only 45 percent said they are pursuing innovative and cutting-edge security problems.
About 20 percent of organizations reported losing at least $195,000 as a result of a cyber-attack, which included lost revenue and other direct financial costs, reduced stock price, litigation costs, regulatory fines, damage to the brand and customer trust, as well as lost productivity and data. About the same number lost $271,000 or more. Lost productivity and lost revenue accounted for the largest chunk of damages incurred. About 92 percent of those surveyed said cyber-attacks resulted in downtime, compromised employee data and theft of intellectual property. These losses translated into actual financial loss about 84 percent of the time, the survey found.
Symantec surveyed security professionals at 3,300 global organizations. The survey participants included individuals in charge of IT resources at small businesses and tactical IT staff, strategic IT professionals and C-level executives at large enterprises.