How Do IT Security Professionals Prioritize

Transcription

1 WHITE PAPER How Do IT Security Professionals Prioritize Headlines versus Reality: Survey Report

2 Table of Contents Executive Summary 3 Recommendations 3 Survey Statistics 4 Methodology 6 About BeyondTrust BeyondTrust Software, Inc.

3 Executive Summary High profile cyber attacks, like hurricanes, have their own names and generate a lot of coverage on the cyber security beat. Threats like Stuxnet, Aurora, and Night Dragon have received a lot of attention of late, but of more immediate concern to most IT security professionals are the threats they don t hear about in the news. A survey by BeyondTrust, a provider of IT security and unified vulnerability management solutions, reveals that the majority of IT professionals surveyed view common malware and spyware threats to their networks and IT assets as their number-one concern, not the headline-making attacks. This report analyzes the results of BeyondTrust s Headlines vs. Reality survey of 1,677 respondents, including IT and IT security administrators and managers, and C-level executives from companies big and small in a number of industry verticals. The survey identifies what threats they re most concerned about, where they believe their IT assets are vulnerable, and what security improvements they would make if they got a hypothetical 20 percent increase in their budgets. The survey reveals that those high-profile attacks, while significant, often are aimed at specific targets and are of little threat to the broader community. Stuxnet, for instance, was a computer worm discovered in July 2010, that did attack Microsoft Windows computers a ubiquitous operating system, of course but it was primarily aimed at disrupting the nuclear enrichment program of Iran. Sixty percent of the infected computers were in that country. Likewise, Operation Aurora in 2009 was a worm originating in China and targeting a number of high tech and defense contractor firms including Symantec, Adobe Systems, and Northrup Grumman. Its most high profile target was Google, which accused the perpetrators of hacking the Gmail accounts of Chinese dissidents. Aurora was a big story but it was still relatively limited. Lastly, Night Dragon was a cyber attack focused on companies in the oil, gas, and petrochemicals industries. If you were in any of those industries, that was a big threat, but if not, your attention was best directed elsewhere. Those named threats were of little concern to IT professionals in the BeyondTrust survey. Stuxnet was identified as a large or very large threat to only 12 percent of respondents, Aurora by only 12 percent, and Night Dragon by only 10 percent. Instead, 55 percent of respondents identified common malware and spyware as a large or very large threat to their organization. The survey drilled further down into their top concerns (based on a select all that applies response): 48 percent of respondents are concerned over a lack of human and technological resources to improve security. 42 percent of respondents are worried about improper configurations that could leave them vulnerable. 42 percent said they are worried over their inability to protect against Zero Day vulnerabilities, which are unidentified or unpatched threats 41 percent said they are concerned over a lack of security insight into compliance issues and vulnerabilities and attacks. Organizations are usually subject to industry and government security requirements. Recommendations TAKE A MULTI-PRONGED APPROACH Organizations need a multi-pronged approach to protecting themselves from common malware and spyware attacks that includes better patch management, tighter configuration control, and improved network security management. Sometimes, organizations have so many patches they re advised to apply that they have to prioritize which ones to apply first, leaving them potentially vulnerable to the patches they don t get to BeyondTrust Software, Inc.

4 UPGRADING HELPS IT professionals are also constantly busy performing software configuration management (SCM) to apply software updates or migrate to newer version of software. The Operation Aurora attacks, for instance, were most successful attacking the outdated Internet Explorer 6 Web browser; if they had upgraded to IE 8, they would have been better protected. Likewise, the latest network security tools will usually be more effective than older ones. BUDGET WISH LISTS FURTHER SUPPORT PRIORITY STACK To determine how organizations would try to improve protection against malware and spyware, BeyondTrust asked respondents how they would spend a hypothetical 20 percent increase in their IT security budgets (based on a select all that applies response): o 65 percent said they would invest it in security reporting and dashboard management technologies. o 63 percent said they would invest in patch management. o 60 percent said they would invest in configuration compliance. o 52 percent said they would hire additional personnel. o 39 percent said they would invest in regulatory compliance reporting. Alas, for most of the respondents, that 20 percent budget boost will remain hypothetical. The survey showed that only 21 percent of respondents received an increase in their IT security budgets the next year, while 57 percent saw no increase and 22 percent suffered a budget cut. Survey Statistics Chart 1 Overview High-profile attacks, while significant, often are aimed at specific targets and are of little concern to the broader community. Named threats, such as Stuxnet, Operation Aurora, and Night Dragon are of little concern to IT professionals. Chart 1 Conclusion Stuxnet was identified as a large or very large threat to only 12 percent of respondents, Aurora by only 12 percent and Night Dragon by only 10 percent. Instead, 55 percent of respondents identified common malware and spyware as a large or very large threat to their organization BeyondTrust Software, Inc.

5 Chart 2 Overview IT Security professionals are really concerned about security foundations. Chart 2 Conclusion Leading concerns include lack of security resources (human, hardware, or software) (47%), improper configurations (42%), and inability to protect against zero-day vulnerabilities (42%). Chart 3 Overview To determine how organizations would try to improve protection against malware and spyware, BeyondTrust asked respondents how they would spend a hypothetical 20 percent increase in their IT security budgets. Chart 3 Conclusion Top spend areas include security reporting and dashboard management technologies (65%), patch management (63%), and configuration compliance (60%) BeyondTrust Software, Inc.

6 Chart 4 Overview For most of the respondents, that 20 percent budget boost will remain hypothetical. Chart 4 Conclusion The survey showed that only 21 percent of respondents received an increase in their IT security budgets for the next year, while 57 percent saw no increase and 22 percent suffered a budget cut. Methodology In order to get as accurate a picture of the IT security landscape as possible, BeyondTrust surveyed a broad cross-section of organizations. Respondents came from the energy, financial services, government, healthcare, high tech, and retail sectors. Twenty-nine percent of respondents are from organizations with 4,000 employees or more. The Headlines vs. Reality survey delivers insight into the vulnerabilities that organizations face and how they work to protect themselves from the ever-changing and ever-challenging threats from cyber criminals and other network security risks. Out of necessity, IT professionals have an increasingly clear idea of what threats exist; (it s tough to ignore the headlines), but in addition to managing security, they re also tasked with trying to use IT to strengthen their business, and reach and serve customers. High-profile attacks may not affect them directly, but the attention those cases get raises awareness of the importance of IT security. As this subject continues to enter the forefront of business, more focus will be brought to implementing the very best security practices and solutions available, not just what budgets presently allow BeyondTrust Software, Inc.

7 About BeyondTrust With more than 25 years of global success, BeyondTrust is the pioneer of Privileged Identity Management (PIM) and vulnerability management solutions for dynamic IT environments. More than half of the companies listed on the Dow Jones Industrial Average rely on BeyondTrust to secure their enterprises. Customers include eight of the world s 10 largest banks, seven of the world s 10 largest aerospace and defense firms, and six of the 10 largest U.S. pharmaceutical companies, as well as renowned universities. The company is privately held, and headquartered in San Diego, California. For more information, visit beyondtrust.com. Contact Info North American Sales sales@beyondtrust.com EMEA Sales Tel: + 44 (0) emeainfo@beyondtrust.com CONNECT WITH US Facebook.com/beyondtrust Linkedin.com/company/beyondtrust Corporate Headquarters 550 West C Street, Suite 1650 San Diego, CA BeyondTrust Software, Inc.