Cyber security is the top risk for businesses for the second year running, ahead of traditional crime, natural disasters and terrorism, according to Symantec's 2011 State of Security survey.
The top three concerns are related to data and network security, with more than 3,000 respondents in 36 countries ranking cyber attacks as the top concern. This is followed by IT incidents caused by well-meaning insiders and internally generated IT-related threats.
However, this year's survey found organisations are getting better at fighting threats, with many respondents reporting a decline in the number and frequency of cyber attacks from 2010.
Only 71% of respondents saw attacks in the past 12 months, compared with 75% in 2010. Respondents reporting an increasing frequency of attacks fell from 29% in 2010 to 21% in 2011.
The number of companies experiencing losses because of cyber attacks fell from 100% in 2010 to 92% in 2011.
The survey found an increasing number of businesses believe keeping their operations and information secure is of vital importance, with 41% of respondents saying cyber security is somewhat or significantly more important than 12 months ago.
Organisations are still investing more in protecting physical assets such as laptops, which are continually falling in value, and not enough on securing information assets, which are rapidly increasing in value, said Greg Day, chief technology officer for security at Symantec.
While the number of incidents is going down because organisations are getting better at general defences, the attacks that do get through are costing more, he said, because they tend to be targeted, with attackers persisting until they get in.
Organisations adopting mobile technologies
The survey revealed organisations are adopting new computing models and technologies.
Nearly half of respondents said mobile computing was affecting the difficulty of providing cyber security, followed by social media (46%), and the consumerisation of IT (45%).
Organisations said the threats they face are continually evolving. Although hackers are still a top concern, followed by well-meaning insiders, new to the list this year are targeted attacks, such as Stuxnet, that zero in on a single organisation for political or economic reasons.
"Organisations today have more to lose than ever before and need to keep adopting the security innovations and best practices the industry is delivering to stay protected," said Sean Doherty, chief technology officer of enterprise security at Symantec.
More than half of respondents said they are doing somewhat or extremely well in addressing routine security measures, and 51% reported that they are doing somewhat or extremely well in responding to security attacks or breaches.
However, the survey revealed they are not doing as well in the areas of compliance and pursuing strategic initiatives or innovative security measures.
Businesses are increasing staffing levels and budgets for the IT department to address these shortfalls. Most staff are being added in areas of network, web and endpoint security.
Security budgets are also growing in web and network security, as well as data loss prevention (DLP). This suggests organisations are stepping up their efforts in improving their protection, the survey report said.
However, investment is still fairly low down on the list in the UK, said Greg Day. Companies are investing in mobile security followed by web and network security because this is where they see the potential for business growth.
The fact that investment in DLP is still low suggests organisations still do not understand the value of data, said Day.
Recommendations from Symantec's 2011 State of Security survey
- Organisations need to develop and enforce IT policies. By prioritising risks and defining policies that span across all locations, businesses can enforce policies through built-in automation and workflow to protect information, identify threats, and remediate incidents as they occur or anticipate them before they happen.
- Businesses need to protect information proactively by taking an information-centric approach to securing information and interactions. A content-aware approach is key to identifying and classifying confidential, sensitive information, knowing where it resides, who has access to it and how it is entering or leaving the organisation. Proactively encrypting endpoints will also help organisations minimise the consequences of lost devices.
- To help control access, IT administrators need to validate and protect the identities of users, sites and devices throughout their organisations. They also need to provide trusted connections and authenticate transactions where appropriate.
- Organisations need to manage systems by implementing secure operating environments, distributing and enforcing patch levels, automating processes to streamline efficiency, and monitoring and reporting on system status.
- IT administrators need to protect their infrastructure by securing all of their endpoints - including the growing number of mobile devices - along with messaging and web environments. Defending critical internal servers and implementing the ability to back up and recover data should also be priorities. In addition, organisations need visibility, security intelligence and ongoing malware assessments of their environments to respond to threats rapidly.