09 January 2008

GFI Survey – 4 in 10 US Companies are NOT Secure!


GFI has recently conducted a survey concerning corporate security at small and medium-sized enterprises (SMEs) in the US.

Despite the best efforts of many small and medium-sized companies, a recent US survey shows that four in 10 companies believe their networks are not secure. Thirty-two percent of the companies also reported that they had suffered a breach in the past 12 months alone, citing virus attacks and Internet downloads as the leading causes of the breach.

The survey, conducted by eMediaUSA on behalf of GFI Software, an international network security software developer, polled 455 IT executives from U.S.-based small and medium-sized businesses (SMBs).

Commenting on the results, Andre Muscat, GFI’s Director of Engineering, said: “Email viruses top the ‘greatest threat to network security’ list and this does not come as a surprise. It is one of the easier attack routes and this is confirmed by those respondents who reported a breach. While companies are aware of, and are focused on, tackling viruses and malware, they appear to be giving sparse attention to other equally dangerous threats such as data theft and leakage from endpoints such as connected USB sticks, iPods and PDAs on the network.”

Further results can be found in the full survey report:

smbsurvey.pdf

Source: GFI


19 Responses to “GFI Survey – 4 in 10 US Companies are NOT Secure!”

  1. Patrick Ogenstad 9 January 2008 at 12:00 pm

    Though there is a huge difference between thinking you are secure and having something to back up those claims with.

    It would have been interesting if they had asked: “How would you rate your knowledge in network security and protecting a network”?

  2. Nobody_Holme 9 January 2008 at 12:01 pm

    4/10 admit it… I’m thinking it’s more like 9/10 really had breaches in the last 12 months… although some of them probably didn’t notice.

  3. Sir Henry 9 January 2008 at 3:02 pm

    @Patrick:

    That would be the better question to ask. At that point, you could then figure out the rough statistics and probabilities based upon their lack of knowledge.

    @Pantagruel:

    I agree with you on this completely. Either they do not know, or they are not in full disclosure.

  4. Pantagruel 9 January 2008 at 3:04 pm

    Quote:
    ‘.. they appear to be giving sparse attention to other equally dangerous threats such as data theft and leakage from endpoints such as connected USB sticks, iPods and PDAs on the network ..’

    Unfortunately this is true. I just happened to try whether a USB stick would work (or not) on one of the many computers which are supposed to grant limited access. I was quite dismayed that 1) no one bothered asking if I was allowed to touch the computer in question (a few funny looks, but all walked past me) and 2) the stick was accessible. A reboot showed the BIOS to be password protected, but they simply forgot to deactivate the USB ports on the front of the machine (or install some auth program to regulate device access).
    Shame on the admin/installer.

  5. sids911 9 January 2008 at 4:32 pm

    6 Out of 10 Companies are Secure?????

    Well, people are surely investing more in False Sense of Security!

  6. Ubourgeek 9 January 2008 at 4:32 pm

    I concur with Nobody_Holme – the number is probably much higher than 4/10. I retired from Federal service for the private sector and thus far I have been surprised (and disturbed) by the poor security posture demonstrated by most private entities.

    Cheers,

    U.

  7. goodpeople 9 January 2008 at 4:49 pm

    Well, it seems that we all have a hard time believing this study.

  8. Sir Henry 9 January 2008 at 4:50 pm

    @Pantagruel:

    Your real world example just illustrates how companies still think that all the threats are coming from the outside. What they do not realize is that security needs to be equally strong on the inside as it is on the outside. That, and the thought process needs to change from the assumption that if anything occurs on the inside of the company, it is simply a nefarious individual who always had malign intent. The latter is an ignorant stance that does not take into consideration that end user education is simply not happening; if you allow devices from the outside to be indiscriminately used without some type of security check point, you are failing your security policy.

    One thing I have seen in regard to device control is that the checks are becoming more intelligent. No longer do you simply have to block all removable media devices. Now there are fingerprints for each type of USB device that, in turn, can be whitelisted or blacklisted depending upon the security policy. That would help immensely on the inside by way of the company telling the end user that only x type of USB devices will be allowed and/or provided by the company. I think, in addition to this, a valuable function would be to store serial numbers or some type of identifier for the USB device so that, in the event of a breach or outbreak, its origin can be quickly and easily identified within the system.

  9. goodpeople 9 January 2008 at 6:25 pm

    Time for a little math here.

    We all know that half of all security issues come from the inside. So if 4 out of 10 companies had security breaches coming from the outside, we can safely assume that 8 out of 10 companies don’t have their security in order.

  10. James 9 January 2008 at 6:43 pm

    The only secure computer is one with no input/output.

  11. James 9 January 2008 at 6:45 pm

    And I’m not sure such a machine would be that user friendly.

  12. Sir Henry 9 January 2008 at 6:46 pm

    @James:

    I am sure that such a machine would be extremely boring, too. I am such an addict when it comes to being online.

  13. goodpeople 9 January 2008 at 7:20 pm

    Oh, the computer can have input and output. As long as it’s not connected to anything other than the power grid. The external connections are where the danger lies.

    And for being an addict.. I don’t go on vacation where my PDA doesn’t have GPRS coverage.. :-/

  14. Pantagruel 10 January 2008 at 11:27 am

    @Sir Henry.

    Absolutely true. The sad thing is that the perimeter security is quite ok; the division in question is behind a badge reader and very few people slip in in someone else’s ‘slipstream’. People did receive some education about not letting in unknown colleagues who seem to have forgotten their badge.

    Again true, only a few years ago we started experimenting with device control and it was quite simple. Anything but the stick acquired from the solution provider would work, severely hampering donglefied software (I personally hate that stuff). After some switching, our dept’s latest solution is indeed more intelligent, allowing other devices to be entered into the whitelist (or blacklisting when users misplace their stick), and logging of transmissions is supported.

    No in/output puts us back in the proverbial dark ages, somewhat useless with the amount of data we generate and process using a computer.
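    The device-control approach Sir Henry describes in comment 8 (a whitelist of approved USB device types, plus a recorded serial number so a stick seen during an incident can be traced) and the blacklisting of misplaced sticks Pantagruel mentions above, as an added example that is not from the original post or its commenters: a small Python policy evaluator run over constructed USB plug-in events. The vendor/product codes, serials, host name and log format are assumptions made for this example, not output from any real device-control product, and the enforcement step (on Linux, a udev rule writing 0 to the device's `authorized` sysfs attribute; on Windows, a device installation restriction policy) is not shown.

```python
"""USB device-control policy evaluator (added illustration, not from the post).

Evaluation order: revoked serial -> permitted class -> approved model -> deny.
Every decision yields an audit line carrying the device identifier, so a
stick can be traced back after a breach or outbreak.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: str          # USB idVendor, 4 hex digits
    product_id: str         # USB idProduct, 4 hex digits
    serial: Optional[str]   # iSerialNumber string; optional in the USB spec
    device_class: str       # e.g. "mass_storage", "hid", "audio"


@dataclass
class Policy:
    # Device models the company issues or approves ("vendor:product").
    allowed_models: set = field(default_factory=set)
    # Individual sticks revoked after being reported lost (exact serials).
    revoked_serials: set = field(default_factory=set)
    # Classes that carry no bulk data (keyboards, mice) and stay usable.
    allowed_classes: set = field(default_factory=lambda: {"hid"})


@dataclass
class Decision:
    allow: bool
    reason: str
    identifier: str


def device_identifier(dev: UsbDevice) -> str:
    """Identifier written to the audit log. A missing serial is recorded
    explicitly: many cheap sticks omit iSerialNumber or share one across a
    batch, so an empty serial must never be treated as unique."""
    return f"{dev.vendor_id}:{dev.product_id}:{dev.serial or '<no-serial>'}"


def evaluate(dev: UsbDevice, policy: Policy) -> Decision:
    ident = device_identifier(dev)
    model = f"{dev.vendor_id}:{dev.product_id}"
    if dev.serial and dev.serial in policy.revoked_serials:
        return Decision(False, "serial revoked (reported lost)", ident)
    if dev.device_class in policy.allowed_classes:
        return Decision(True, f"class {dev.device_class} permitted", ident)
    if model in policy.allowed_models:
        if not dev.serial:
            # An approved model with no serial cannot be tied to a person or
            # revoked later, so it does not get the model-level allowance.
            return Decision(False, "approved model but no serial to audit", ident)
        return Decision(True, "approved model", ident)
    return Decision(False, "default deny", ident)


def audit_line(dev: UsbDevice, host: str, decision: Decision) -> str:
    verdict = "ALLOW" if decision.allow else "BLOCK"
    return (f"host={host} usb={decision.identifier} "
            f"class={dev.device_class} {verdict} ({decision.reason})")


# Constructed sample policy and plug-in events (assumed values, not real data).
COMPANY_STICK = "0951:1666"  # assumed vendor:product of the issued stick

EXAMPLE_POLICY = Policy(
    allowed_models={COMPANY_STICK},
    revoked_serials={"A1B2C3D4"},
)

EXAMPLE_EVENTS: List[UsbDevice] = [
    UsbDevice("0951", "1666", "A1B2C3D4", "mass_storage"),  # issued, reported lost
    UsbDevice("0951", "1666", "E5F6A7B8", "mass_storage"),  # issued, in good standing
    UsbDevice("0951", "1666", None, "mass_storage"),        # same model, no serial
    UsbDevice("abcd", "0001", "X", "mass_storage"),         # personal stick
    UsbDevice("046d", "c31c", None, "hid"),                 # keyboard
]


def run(events: List[UsbDevice], policy: Policy, host: str = "ws-42") -> List[str]:
    """Evaluate each event and return the audit lines in order."""
    return [audit_line(d, host, evaluate(d, policy)) for d in events]


if __name__ == "__main__":
    for line in run(EXAMPLE_EVENTS, EXAMPLE_POLICY):
        print(line)
```

    The deliberate refusal of a company-model stick that reports no serial is the caveat worth keeping: a model-level whitelist alone lets any stick of the same make through, and only the per-device serial makes the later blacklisting of a lost stick, or the tracing of an outbreak to its source, possible.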

  15. Nobody_Holme 11 January 2008 at 11:58 am

    @Ubourgeek
    I hate to mention it, but most US government groups get owned on a regular basis…
    If security outside is that much worse, I’m quite worried.

    Also, there can never be true security without a deadly lack of interaction. It’s a conundrum faced by all security experts (of all times since like, the gate guards on some ancient castle, say, and that food wagon with a spy driving it).

  16. eM3rC 7 February 2008 at 5:21 am

    This article seems very fascinating to me. I think the number of vulnerable computers (in companies of course) would be much higher than 40%. Of the companies that I have worked at, many of the computers were not protected by any kind of malware software, while others only had an 8 year old version of Norton. To battle this I think many companies should be warned of the malware world and how serious it actually is.

    As our society begins to become more and more dependent on computers, the complexity of the threats will constantly change and become more hazardous. It needs to be brought into focus now and addressed to the best of companies’ abilities regardless of the cost (a couple hundred dollars is a far better loss than all the company’s records).

    @Sir Henry
    I am not surprised you were able to get in. I bet of the computers reviewed security-wise you would be able to get into 99% of them. Shows you how good their ITs are.

  17. J. Lion 11 February 2008 at 11:04 pm

    Well – security is only for the big companies. It won’t happen to us. (fingers crossed)

  18. Sir Henry 11 February 2008 at 11:10 pm

    @J.Lion:

    If your company has sensitive data, or a need to keep some portion of its data private or secure, then security is not only for big companies. I really do not think security is only for big companies, simply for the fact that data, regardless of the company size, has commensurate value to someone out in the wild.

  19. eM3rC 12 February 2008 at 2:05 am

    @Sir Henry/J. Lion

    Total agreement with you. If a company possesses any kind of sensitive data (i.e. any customer information, which is pretty much every company in existence) it should do whatever it can to protect its clients. Although it may seem like an extra cost for the company, it is worth every cent.