At least three-quarters (75%) of organsiations suffered from a security breach in 2009, costing them each an average of $2-million.
This is one of the findings of Symanetc's 2010 State of Enterprise Security study, which reports that 42% of organisations rate security their top issue.
Organisations also reported that enterprise security is becoming more difficult due to understaffing, new IT initiatives that intensify security issues and IT compliance issues.
The study is based on surveys of 2 100 enterprise CIOs, CISOs and IT managers from 27 countries in January 2010.
"Protecting information today is more challenging than ever,” says Grant Brown, security specialist at Symantec. “By putting in place a security blueprint that protects their infrastructure and information, enforces IT policies, and manages systems more efficiently, businesses can increase their competitive edge in today’s information-driven world.”
Study highlights include:
* Security is of great concern to global enterprises. Forty-two percent of enterprises rank cyber risk as their top concern, more than natural disasters, terrorism, and traditional crime combined. Reflecting that perception, IT is intently focused on enterprise security. On average, IT assigns 120 staffers to security and IT compliance. Enterprises rated “better manage business risk of IT” as a top goal for 2010, and 84% rated it absolutely/somewhat important. Nearly all the enterprises surveyed (94%) forecasted changes to security in 2010, with almost half (48%) expecting major changes.
* Enterprises are experiencing frequent attacks. In the past 12 months, 75% of enterprises experienced cyber attacks, and 36 percent rated the attacks somewhat/highly effective. Worse, 29% of enterprises reported attacks have increased in the last 12 months.
* Every enterprise (100%) experienced cyber losses in 2009. The top three reported losses were theft of intellectual property, theft of customer credit card information or other financial information, and theft of customer personally identifiable information. These losses translated to monetary costs 92% of the time. The top three costs were productivity, revenue, and loss of customer trust. Enterprises reported spending an average of $2-million (R15-million) annually to combat cyber attacks.
* Enterprise security is becoming more difficult due to a number of factors. First, enterprise security is understaffed, with the most impacted areas being network security (44%), endpoint security (44%), and messaging security (39%). Second, enterprises are embarking on new initiatives that make providing security more difficult. Initiatives that IT rated as most problematic from a security standpoint include infrastructure-as-a-service, platform-as-a service, server virtualisation, endpoint virtualisation, and software-as-a-service. Finally, IT compliance is also a huge undertaking. The typical enterprise is exploring 19 separate IT standards or frameworks and are currently employing eight of them. The top standards include ISO, HIPAA, Sarbanes-Oxley, CIS, PCI, and ITIL.
Symantec has a number of recommendations for improving security:
* Organisations need to protect their infrastructure by securing their endpoints, messaging and Web environments. In addition, defending critical internal servers and implementing the ability to back up and recover data should be priorities. Organisations also need the visibility and security intelligence to respond to threats rapidly.
* IT administrators need to protect information proactively by taking an information-centric approach to protect both information and interactions. Taking a content-aware approach to protecting information is key in knowing where sensitive information resides, who has access, and how it is coming in or leaving your organisation.
* Organisations need to develop and enforce IT policies and automate their compliance processes. By prioritising risks and defining policies that span across all locations, customers can enforce policies through built-in automation and workflow and not only identify threats but remediate incidents as they occur or anticipate them before they happen.
* Organisations need to manage systems by implementing secure operating environments, distributing and enforcing patch levels, automating processes to streamline efficiency, and monitoring and reporting on system status.