Next to cyberattacks, well-meaning insiders pose greatest security risk
Businesses are concerned about security, but which are the biggest and what are their strategies. Symantec explores these questions in their 2011 State of Security Survey.
Symantec commissioned Applied Research to conduct the survey in April and May of 2011. Thirty-three hundred organizations worldwide, across a range of industries and sized from 5 employees to many thousands were surveyed. Sixty-five percent of the organizations had 500 or more employees, weighing the survey heavily towards large organizations in terms of total seats.
It's not surprising that respondents are concerned about security. The table below shows their ranking of their concerns. They were asked to rank the following risks from 1 (most significant) to 7 (least). The numbers shown are average rank:
| Cyberattacks | 3.23 |
| IT incidents caused by well-meaning insiders | 3.56 |
| Internally generated IT-related threats | 3.65 |
| Traditional criminal activity | 3.96 |
| Brand-related events | 4.25 |
| Natural disasters | 4.38 |
| Terrorism | 4.97 |
This seems pretty reasonable, given a broad definition of 'cyberattacks'. And it's reasonable in spite of the fact that 44 percent saw just a few cyberattacks in the last year and 29 percent saw none at all. Only 6 percent say they saw a number they would call "large" or "extremely large".
Ninety-two percent of those who saw attacks say they saw losses, such as downtime, loss of employee PII, intellectual property or customer PII, from the attacks. Eighty-four percent of these cases translated into actual costs. Twenty-percent of businesses lost at least $195,000 as a result of cyberattacks.
Respondents are also reasonable in judging the chief drivers of security challenges. The top 3, in order are "Mobile computing", "Social media", and "Consumerization of IT". But in fact there are 10 challenges listed and range of selection is not that great, decreasing the value of the question some.
When asked to rank the most significant security threats, the winners were "Hackers", "Well-meaning insiders", and "Targeted attacks". Other threats like "Malicious insiders" and "Hacktivism" are not far behind.
When asked what they are doing about security, the responses were thus:
| Addressing routine security measures | 52% |
| Attending to security attacks or breaches | 51% |
| Demonstrating compliance | 48% |
| Pursuing strategic security initiatives | 48% |
| Pursuing innovative or cutting-edge security issues | 45% |
I find this disappointing. I don't have a problem with the ranking, and in fact 'routine security measures' should be #1. But it's hard to believe only 52 percent are focusing on it. Measures such as using least-privilege everywhere are the ones that prevent the cyberattacks that respondents are supposedly concerned about.
The report has a great more detail, too much to include here. It's always interesting to see what other companies are doing when you set your own priorities.
Larry Seltzer is a freelance writer and consultant, dealing mostly with security matters. He has written recently for Infoworld, eWEEK, Dr. Dobb's Journal, and is a Contributing Editor at PC Magazine and author of their Security Watch blog. He has also written for Symantec Authentication (formerly VeriSign) and Lumension's Intelligent Whitelisting site.