“It’s no longer a question of whether a company is at risk, but how serious the risk is – or whether the company might already be infected.” It was with this sobering statement that Matthias Zacher, senior consultant at IDC, began his presentation of the market intelligence firm’s recent study, “IT Security in Germany 2011.” Zacher went on to cite the millions of attacks IT systems and networks endure every day. Meanwhile, Tivoli sales manager Sascha Buhr reported that security teams from IBM analyze some 1.5 billion security incidents ascertained in global network traffic every year, 150 to 200 of which are of extreme interest – that is, capable of causing serious damage.
The technical means available to systematically harm companies are rapidly increasing. New attack scenarios involving cloud computing, mobile applications, and social media like Facebook and Twitter certainly aren’t making the lives of security managers any easier. Indeed, these developments have forced security managers to set up suitable defensive measures. IDC’s market analysts asked 202 German companies, each with more than 200 employees, how capable they are of dealing with threats posed by cybercriminals, network attacks, spyware, and other threats. Where are the security holes, and how do companies rate their own security readiness?
To give you a short preview, IT security is “extremely important” or at least “important” to almost 90% of all IT organizations, and providers will be pleased to hear that most companies (70%) want to spend more on security. IDC ascertained that a clear majority of these organizations are looking to increase their expenses by an average of 10%.
The “enemy” within
It should come as little surprise that the weakest links in the security chain, accounting for 50% of the risk factors cited, are in-house and external employees. The companies surveyed described a lack of security awareness and deliberate misconduct as their greatest internal risks, and as the cause of an attack or disruption. “Around 60% of the companies have formulated security rules regarding the use of mobile devices, for example, or are planning to in the next 12 to 24 months,” Zacher reports. “However, it’s rare to find a company that actually adheres to these policies.” It seems that simply putting something in writing is not always enough to see it through. Meanwhile, the respondents saw smartphones, laptops, and computer workstations as the second, third, and fourth highest risk factors, respectively.
According to 42% of the organizations surveyed, the greatest challenges lie in defending against new attack scenarios and dealing with the requirements of cloud computing. Following close behind is mobile device security – or, perhaps more accurately, the insecurity of pocket-size computers – at a considerable 39%. “In getting a handle on the variety of mobile devices available, security management solutions for these tools will be essential,” Zacher states. Fewer than four of every 10 companies in the survey currently use such software, but the number is trending strongly upward. “In light of the increasing number of employees who work while on the move, companies have apparently recognized how device management solutions can make their lives easier,” Zacher adds.
Next page: Apps – another risk factor
Apps – another risk factor
In addition to managing different mobile platforms, the quality of the apps that run on them presents another risk factor. Every month, around 30,000 more of the mini-programs appear on the two leading app marketplaces alone, Android Market and Apple’s App Store. Zacher sums up the resulting concerns with a question: “Who can be expected to ensure the quality of such a flood of programs?”
The integration of social media applications and Web 2.0 tools also comes with its fair share of security holes. Particularly concerning to Zacher is the combined use of accounts for business and private purposes. Here, two aspects of security need to be taken into account: What information is being provided, and is the identity of the person distributing it valid? “Setting up multiple accounts in order to simulate a digital identity, contact a company’s employees, and obtain confidential information is child’s play,” Zacher explains, citing the finding that less than one-third of the companies surveyed have established guidelines regarding the secure use of social media and Web 2.0.
Zacher urges professional IT operators to start by working on their employees’ basic understanding of this subject. “Security shouldn’t be viewed as a one-time investment, but as an ongoing process,” he states. The IDC consultant also considers it necessary to identify different categories of breakdowns: Mistakes in programming or design, vulnerabilities in system configurations, and simple human error can all serve as gateways ready to be exploited by malicious entities. According to Zacher, cloud computing, mobility, and social media now require holistic security strategies that make fast action possible – or, ideally, include early-warning systems.
Finally, IDC’s market analysts also wanted to know how safe companies feel in facing these threats. Confidence is evidently not in short supply: 21% of the organizations surveyed described their protection against external attacks as “absolutely secure,” with another 60% rating themselves as “highly secure.” Meanwhile, 15% attested to having achieved “partial security,” and just 4% considered themselves “insecure” against such attacks. The question remains, of course, as to how accurate these self-assessments turn out to be when it really comes down to it.