Cyber risks and actual attacks have grown significantly in the past two years and are expected to continue to grow in the next two years. Almost all the organisations in a recent survey (98%) have experienced tangible loss as a result.
Symantec's 2009 Managed Security in the Enterprise Report found that this growth in risks and attacks comes at a time when it is difficult for IT to address the problems due to inadequate budgets, increased regulatory pressures and staffing woes.
As a result, most US enterprises (61%) are moving to adopt managed security services. The study is based on surveys of 1 000 IT managers in US and European enterprises in January 2009.
"IT management in large enterprises is caught between a rock and a hard place," says Jeff Ogden, senior director: consulting at Symantec. "Cyber security is a growing problem, yet organisations are having trouble addressing the problem. Managed security services provide a way for many organisations to close the gap and ensure that their information and assets are protected."
Cyber threats are growing rapidly. Nearly half of US enterprises (46%) report that cyber threats have somewhat/significantly increased in the past two years and are expected to somewhat/significantly increase in the next two years. In fact, 88% of those surveyed saw cyber attacks in the past two years, with 31% seeing attacks on a regular basis and 10% seeing a large/extremely large number of attacks.
To put the problem in context, when asked to rank various risks in order of significance to their organisation, those ranking cyber attacks as number one or number two outpaced all other risks by a wide margin (twice as many as natural disasters and traditional crime and four times as many as terrorism).
Not surprisingly, these attacks drive significant losses. Nearly all (98%) experienced some sort of loss, with 46% experiencing downtime, 31% experiencing theft of customer or employee personally-identifiable information and 25% seeing theft of corporate data.
Ogden says: "The statistics of this survey suggest that South Africa could be equally if not more at risk. Telecommunications infrastructure is still developing, with new licences and new ISPs entering the market, as well as a growing Internet user community. This exposes South Africa to more malicious activity as regulations are applied to new services. These factors can be added to the same stresses experienced by the surveyed nations – those of shrinking budgets and lack of manpower.
"There is a clear trend in the survey that points at business risk increasing significantly when staff reductions are made. Operational tasks can be neglected and improvement projects left idle. Out-tasking to specialist supplier to fulfill on operational needs and provide specialist skills for all or part of a project can result in a more efficient service at a reduced cost. For example, a project to review firewall security could be out-tasked to a vendor who could be part of the project, but also assist with routine tasks at the same time."
Half those surveyed (49%) report that it is getting somewhat/significantly more difficult to provide IT security. Respondents cited a variety of factors, including the increase in threats, inadequate staffing, growing regulatory requirements and insufficient budgets.
Of these, staffing is especially problematic. Two in five organisations say they are somewhat/significantly understaffed, primarily because of difficulties finding qualified applicants, layoffs and lack of funds in the current economic situation. Exacerbating the problem is the fact that existing staff's skill sets are too narrow and it is difficult to retain the best security staff.
With the problem outgrowing IT's ability to provide security internally, it is not a surprise that many (61%) of those surveyed are embracing managed security services to bridge the security gap. The reasons cited by IT management include the ability to provide 24×7 coverage, lower overall costs, access to security expertise and an enhanced ability to mitigate security risks.