Increased use of mobile devices, especially smartphones, in addition to the transition to virtualization, are key factors weighing on enterprises trying to sort out security strategy and budgets, according to a survey of 688 information and security managers.
Do smaller businesses think they’re immune to security threats?
According to the Ponemon Institute’s “State of the Endpoint” study released this week, there are serious signs that IT operations and IT security often fail to work as a team. Forty percent say collaboration is “poor or non-existent” and 48 per cent call it “adequate, but can be improved.” Virtualization, mainly VMware and Microsoft Hyper-V, are increasingly the software platforms their organizations support, and 55 per cent say virtualization does require “additional security measures,” with most turning for help with that to the virtualization vendor or vendors with specialized virtualization security components.
But a surprising 41 per cent indicated responsibility for virtualization security isn’t clearly defined by department or function. Additionally, 21 per cent said IT security was responsible, 15 per cent said IT operations was and 11 per cent said it was the job for IT compliance.
Mobile devices — especially the use of employee-owned devices for work purposes — are also putting new stress on the IT department, according to the survey, which was sponsored by Lumension. The survey shows that mobile devices, especially smartphones, are counted as among “the greatest rise of potential IT security risk.”
Use of personal mobile devices for work appears to be growing rapidly. Seventeen percent of the survey’s respondents said more than 75 per cent of the organization’s employees use their personal devices in the workplace; 20 per cent said more than half did.
Roughly half allow some level of connectivity to the corporate network and indicated they “secure them in a manner similar to that already in place for corporate devices;” 12 per cent claimed security standards were even stricter. Twenty-one percent said they allow no such use, while a similar number said they are planning to allow it.
A quarter of the survey’s respondents said they use mobile-device management (MDM) of some kind today and 45 per cent indicated that use would increase in the next 12 months. And whereas only 9 per cent in 2010 cited mobile devices such as smartphones as an area of the greatest risk to the enterprise, this year 48 per cent did.
Microsoft operating systems and applications — still predominant in corporate use — are seen as most vulnerable to overall IT risks, though slightly less than 2010 when the question was also asked. There is also deep concern about possible vulnerabilities in third-party applications. And there’s growing nervousness about the Apple Mac operating system, with 25 per cent listing it in their top-three greatest concerns. That’s up from 15 per cent last year who said they were worried about the Mac and malware.
In addition, 41 per cent of IT managers are now “very concerned” about Mac malware infections, and another 44 per cent are “increasingly concerned.”
Malware in general continues to be the plague disrupting IT security, according to the survey. About a third cited a “major increase” in all types of malware incidents over last year, and 22 per cent claimed there was a “slight increase.” The vast majority of the organizations in the survey use anti-virus software, according to the survey and found it useful, though 21 per cent dissed antivirus/anti-malware as “not effective at all.”
But according to the survey, 43 per cent said there were more than 50 “malware attempts or incidents” that their IT organizations had to deal with monthly. That was up from 27 per cent that said that last year. Thirty-two percent said IT coped with between 26 to 50 monthly malware attempts and incidents, 13 per cent said 11 to 25, and only 12 per cent cited less than that.
About 90 per cent cited “web-borne malware attacks” as a source, with “zero-day attacks” the incident that was “the biggest headache.” Thirty-six percent believe their organization have been subject to “targeted attacks” aimed specifically at them for purpose of infiltrating the organization.