More IT managers worry about cyber attacks than they do about traditional crime, natural disasters, or terrorism, according to a State of Enterprise Security report released by Symantec last month.
Nearly half of them cited cyber attacks as their biggest concern, and three quarters reported their companies suffered attacks -- some of them highly effective -- in the last year. As a result, they said, they lost personally identifiable information about customers, credit card information, and intellectual property. In addition, their systems were down.
They also complained of being understaffed and said they were learning 19 separate compliance efforts aimed at meeting various federal and state security regulations. These include HIPAA for health care, Sarbanes-Oxley for financial information, ISO, PCI-DSS and several others.
Symantec's survey covered 2,100 executives and senior managers from small, medium, and large businesses in 27 countries.
It does not stand alone. Reports last month from two other security vendors also show that when it comes to cybersecurity, IT managers have plenty to worry about. In May of 2007, according to ScanSafe, now owned by Cisco, a representative customer encountered 77 compromised web sites. Two years later, that number was up to 1,024. The number of Trojans encountered by the customer went from zero to 307.
According to IBM's X-Force, around 7.5% of the Internet is considered "socially unacceptable, unwanted, or flat-out malicious."
Fewer Holes in Web Applications?
One bright spot is the slowing number of disclosures of new security holes in Web applications, which have been the biggest threat on the Web for the last four years, even though a record number of them -- 6,601 -- were still reported last year. Attacks against Microsoft software -- Word and Excel files, ActiveX controls -- have also slowed.
But that's because the low-hanging fruit is running out, X-Force said. Malicious code writers aren't resting. Here's the software they're targeting the most now:
* Adobe PDFs -- at the end of last year, according to ScanSafe, PDFs accounted for 80% of all Web-based exploits
* Web plug-ins
* Social networking sites
And here are the industries they've been attacking the most:
* Energy and oil, where, according to ScanSafe, data theft Trojans last year were up 356%
* Chemicals and pharmaceuticals, where data theft Trojans last year were up 322%
* Credit cards and finance
Malicious code is growing more complex, and cybercriminals are working harder to hide their work. Anonymous proxies are up, and URLs for legitimate Web sites are being found embedded in malicious Web sites in order to raise the bad sites' profiles in search engines.
Companies are being attacked using collections of sophisticated tools that include phishing e-mails with links to customized malware that is designed to exploit zero-day threats (threats for which the software vendor, if there is one, has no patch).
Despite all the worrying, though, IT managers may have to worry even longer. A survey released this month by Citi Investment Research shows that spending on enterprise security is expected to be flat this year, despite an increase in IT budgets of around 2 percent.