Mobile & virtual environments among top security woes

Securing productivity tools on personal mobile devices is one of the greatest concerns of IT security professionals, yet few have strategies in place to improve security, a study reveals.

IT security teams are more concerned about threats brought on by their organisation’s reliance on personal mobile devices, virtualization technologies and cloud computing than traditional malware attacks, according to the latest State of the Endpoint study by the Ponemon Institute.

While IT’s focus on the enablement of business productivity is a mind shift expected by other business leaders, inadequate collaboration and a lack of resources for security create a perfect storm for hackers to capitalize on, says the report commissioned by security firm Lumension.

For the third consecutive year, IT reports growing caution in the overall security of their network, with 66% of respondents saying their networks are not more secure than last year, compared with 64% in 2010 and 59% in 2009.

The report says the main reasons for this are vulnerable endpoints, ineffective policies for both technology implementation and organisational prioritisation of security, and the inability to educate employees on security best practices.

While many organisations continue to invest in traditional technology solutions, more and more recognise they are not able to reduce endpoint risk effectively, the report says.

There is also little alignment with other business areas and, as a result, organisations are wasting valuable time, money and resources, the report says, while continuing to expose their IT environment to unnecessary risks.

The study found that malware continues to be a threat and operational cost driver for IT, but their ability to reduce it is being challenged as the focus shifts to enabling business productivity.

Respondents said the average number of malware incidents has nearly doubled in the past year, with a significant increase in the frequency of web-borne malware attacks. IT reported more than 50 attempts occurring per month within their organisations.

Nearly a third of respondents noted a major uptick in the frequency of malware incidents over the past year; 43% estimated that they deal with more than 50 malware attempts on a monthly basis; and 23% said zero-day attacks are their biggest headache, with targeted attacks coming in a close second.

The most surprising finding of this year’s report, said Larry Ponemon, chairman of the Ponemon Institute, is the fact that even though malware attacks continue to increase, IT’s concern in this area is decreasing and they are not spending their budgets on basic malware prevention strategies.

“Nor are they collaborating with security to formulate centralised plans for the enterprise network. Most of their concern this year seems to reside on the new technologies entering the workplace, such as mobile devices, cloud computing and virtualisation,” he said.

The report says the greatest potential IT security risks include third-party applications, mobile devices and platforms, negligent insider actions, cloud computing and social media.

While most respondents expect their organisations’ use of cloud will increase, 41% said they do not have a security strategy in place for assets stored in the cloud.

The study found that security budgets remain one of the most concerning items for 2012, according to 32% of respondents, while 40% said collaboration between security and IT remains poor or is non-existent, 16% said they are concerned over insufficient collaboration with business operations, and 13% said they were worried about the lack of an organisation-wide security strategy.

“Organisations continue to lose the battle when it comes to staying ahead of today’s threat landscape, as the study results confirmed for us,” said Patrick Clawson, chief executive, Lumension.

This is further compounded by a lack of collaboration among IT operations and IT security leaders to support information sharing, as well as ineffective anti-malware technologies currently being used to protect today’s IT endpoint risks, he said.

“We are encouraging our customers and the larger security industry to further educate end-users to help in the fight against malware to improve the pain points associated with employees using mobile platforms, social media and cloud computing applications in the enterprise,” said Clawson.
