GFI recently conducted a survey concerning corporate security in the US for small and medium-sized enterprises (SMEs).
Despite the best efforts of many small and medium sized companies, a recent US survey shows that four in 10 companies believe that their networks are not secure. Thirty-two percent of the companies also reported that they had suffered a breach in the past 12 months alone citing virus attacks and Internet downloads as the leading cause of the security breach.
The survey, conducted by eMediaUSA on behalf of GFI Software, an international network security software developer, was given to 455 IT executives from U.S. based small and medium sized businesses (SMBs).
Commenting on the results, Andre Muscat, GFI’s Director of Engineering, said: “Email viruses top the ‘greatest threat to network security’ list and this does not come as a surprise. It is one of the easier attack routes and this is confirmed by those respondents who reported a breach. While companies are aware of, and are focused on, tackling viruses and malware, they appear to be giving sparse attention to other equally dangerous threats such as data theft and leakage from endpoints such as connected USB sticks, iPods and PDAs on the network.”
Further results on the survey can be found in the full survey here:
Source: GFI
Patrick Ogenstad says
Though there is a huge difference in thinking you are secure compared to having something to back up those claims with.
It would have been interesting if they had asked: “How would you rate your knowledge in network security and protecting a network”?
Nobody_Holme says
4/10 admit it… I’m thinking it’s more like 9/10 really had breaches in the last 12 months… although some of them probably didn’t notice.
Sir Henry says
@Patrick:
That would be the better question to ask. At that point, you could then figure out the rough statistics and probabilities based upon their lack of knowledge.
@Pantagruel:
I agree with you on this completely. Either they do not know, or they are not in full disclosure.
Pantagruel says
Quote:
‘.. they appear to be giving sparse attention to other equally dangerous threats such as data theft and leakage from endpoints such as connected USB sticks, iPods and PDAs on the network ..’
Unfortunately this is true, I just happened to try whether a USB stick would work (or not) on one of the many computers which are supposed to grant limited access. I was quite dismayed that 1) no one bothered asking if I was allowed to touch the computer in question (a few funny looks but all walked past me) and 2) the stick was accessible. A reboot showed the BIOS to be pw protected, but they simply forgot to deactivate the USB ports on the front of the machine (or install some auth program to regulate device access).
Shame on the admin/installer
sids911 says
6 Out of 10 Companies are Secure?????
Well, people are surely investing more in False Sense of Security!
Ubourgeek says
I concur with Nobody_Holme – the number is probably much higher than 4/10. I retired from Federal service for the private sector and thus far I have been surprised (and disturbed) by the poor security posture demonstrated by most private entities.
Cheers,
U.
goodpeople says
Well, it seems that we all have a hard time believing this study.
Sir Henry says
@Pantagruel:
Your real world example just illustrates how companies still think that all the threats are coming from the outside. What they do not realize is that security needs to be equally strong on the inside, as it is on the outside. That and the thought process needs to change from the assumption that if anything occurs on the inside of the company, that it is simply a nefarious individual who always had malign intent. The latter is an ignorant stance that does not take into consideration that end user education is simply not happening; that if you allow devices from the outside to be indiscriminately used without some type of security check point, you are failing your security policy.
One thing I have seen in regard to device control is that the checks are becoming more intelligent. No longer do you simply have to block all removable media devices. Now there are fingerprints for each type of USB device that, in turn, can be white or blacklisted depending upon the security policy. That would help immensely on the inside by way of the company telling the end user that only x type of USB devices will be allowed and/or provided by the company. I think, in addition to this, a valuable function would be to store serial numbers or some type of identifier for the USB device so that, in the event of a breach or outbreak, it can be quickly and easily identified within the system as to the origin.
goodpeople says
Time for a little math here.
We all know that half of all security issues come from the inside. So if 4 out of 10 companies had security breaches coming from the outside, we can safely assume that 8 out of 10 companies don’t have their security in order.
James says
the only secure computer is one with no input/output
James says
and I’m not sure such a machine would be that user friendly.
Sir Henry says
@James:
I am sure that such a machine would be extremely boring, too. I am such an addict when it comes to being online.
goodpeople says
Oh, the computer can have input and output. As long as it’s not connected to anything else than the power grid. The external connections are where the danger lies.
And for being an addict.. I don’t go on vacation where my PDA doesn’t have GPRS coverage.. :-/
Pantagruel says
@Sir Henry.
Absolutely true. The sad thing is that the perimeter security is quite ok, the division in question is behind a badge reader and very few people slip in in someone else’s ‘slipstream’. People did receive some education about not letting in unknown colleagues who seem to have forgotten their badge.
Again true, only a few years ago we started experimenting with device control and it was quite simple. Anything but the stick acquired from the solution provider would work, severely hampering donglefied software (I personally hate that stuff). After some switched our dept’s latest solution is indeed more intelligent, allowing other devices to be entered into the white list (or blacklisting when users misplace their stick) and logging of transmissions is supported.
No in/output puts us back in the proverbial dark ages, somewhat useless with the amount of data we generate and process using a computer.
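The device control discussed in the two comments above (whitelisting by device type, blacklisting a misplaced stick, and keeping serial numbers so a device can be traced after an incident) can be sketched as follows. This is an added example, not part of the original thread or any product mentioned in it; the vendor/product IDs, serials, host names and timestamps are all constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Attach:
    time: str    # when the device was plugged in
    host: str    # machine that saw it
    vid: str     # USB vendor ID (hex string)
    pid: str     # USB product ID (hex string)
    serial: str  # empty when the device reports none

# Constructed policy: one company-issued stick model, one stick reported lost.
ALLOWED_MODELS = {("abcd", "0001")}
BLOCKED_SERIALS = {"SN-1002"}

def decide(ev):
    """Return (verdict, reason) for one attach event."""
    model = (ev.vid.lower(), ev.pid.lower())
    if ev.serial in BLOCKED_SERIALS:
        return "deny", "serial blacklisted"
    if model not in ALLOWED_MODELS:
        return "deny", "model not whitelisted"
    if not ev.serial:
        # An allowed model without a serial could never be traced later.
        return "deny", "no serial, cannot be traced"
    return "allow", "company-issued model"

def audit(events):
    """Log every attach, allowed or not, together with its verdict."""
    return [(ev, *decide(ev)) for ev in events]

def trace(log, serial):
    """After an incident: every host and time a given stick was seen."""
    return [(ev.time, ev.host, verdict)
            for ev, verdict, _ in log if ev.serial == serial]

# Constructed attach events.
EVENTS = [
    Attach("2008-03-01T09:00", "ws-01", "abcd", "0001", "SN-1001"),
    Attach("2008-03-01T09:05", "ws-02", "ABCD", "0001", "SN-1002"),
    Attach("2008-03-01T09:10", "kiosk-3", "1234", "5678", "SN-9"),
    Attach("2008-03-01T09:20", "ws-07", "abcd", "0001", ""),
    Attach("2008-03-01T10:00", "ws-04", "abcd", "0001", "SN-1001"),
]
LOG = audit(EVENTS)

if __name__ == "__main__":
    for ev, verdict, reason in LOG:
        print(ev.time, ev.host, ev.serial or "-", verdict, reason)
    print(trace(LOG, "SN-1001"))
```

Vendor ID, product ID and serial are reported by the device itself, so a policy like this identifies sticks for enforcement and tracing rather than authenticating them.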
Nobody_Holme says
@Ubourgeek
I hate to mention it, but most US government groups get owned on a regular basis…
If security outside is that much worse, I’m quite worried.
Also, there can never be true security without a deadly lack of interaction. It’s a conundrum faced by all security experts (of all times since like, the gate guards on some ancient castle, say, and that food wagon with a spy driving it).
eM3rC says
This article seems very fascinating to me. I think the numbers of vulnerable computers (in companies of course) would be much higher than 40%. Of the companies that I have worked at, many of the computers were not protected by any kind of malware software, while others only had an 8 year old version of Norton. To battle this I think many companies should be warned of the malware world and how serious it actually is.
As our society begins to become more and more dependent on computers the complexity of the threats will constantly change and become more hazardous. It needs to be brought into focus now and addressed to the best of companies’ abilities regardless of the cost (a couple hundred dollars is a far better loss than all the company’s records).
@Sir Henry
I am not surprised you were able to get in. I bet of the computers reviewed security wise you would be able to get into 99% of them. Shows you how good their ITs are.
J. Lion says
Well – security is only for the big companies. It won’t happen to us. (fingers crossed)
Sir Henry says
@J.Lion:
If your company has sensitive data, or a need to keep some portion of its data private or secure, then security is not only for big companies. I really do not think security is only for big companies, simply for the fact that data, regardless of the company size, has commensurate value to someone out in the wild.
eM3rC says
@Sir Henry/J. Lion
Total agreement with you. If a company possesses any kind of sensitive data (i.e. any customer information, which is pretty much every company in existence) it should do whatever it can to protect its clients. Although it may seem like an extra cost for the company it is worth every cent.