In 2011 Kaspersky Lab, in partnership with B2B International, carried out a survey covering IT professionals working for large and medium-sized businesses. The aim of the survey was to find out what IT specialists thought of corporate security solutions, to ascertain their level of knowledge about current threats, the sort of problems they most often face, their ability to evaluate the risks associated with cyber-threats, etc.
A year later, the two companies conducted a similar survey, expanding the geography and the number of respondents. This gave us the opportunity not only to assess the situation in the sphere of corporate security in 2012 but also to compare the results with those obtained the previous year and to note the main trends.
More than 3,300 senior IT professionals from 22 countries took part in the survey. All respondents had an influence on IT security policy, and a good knowledge of both IT security issues and general business matters (finance, HR, etc.). Globally, respondents were drawn from companies of three sizes: Small Business (SB, 10-99 computerized seats), Medium Business (MB, 100-999 seats) and Enterprise Organization (E, 1000+ seats).
The main findings
According to half of those surveyed, cybercrime in its various forms is the second biggest threat to business. Despite the fact that this view has changed very little since last year, the measures being taken by IT specialists are woefully inadequate - only a little more than half of the respondents believe their company is really secure. The same applies to related areas such as intellectual property theft and industrial espionage.
If we take a closer look at the emerging security issues, we see that IT professionals are most often faced with malware, spam and unauthorized attempts to penetrate the system. Internal threats also need to be singled out. The most serious problems in this area are caused by software vulnerabilities as well as problems linked to the use of mobile devices to access the corporate network. The seriousness of this latter issue has increased over the past year, with one-third of respondents describing the lack of control over mobile devices as a serious problem. Meanwhile, more than half of those surveyed admitted they had begun to pay more attention to the issue. 10% of respondents said they had experienced critical information leaks due to the loss or theft of a mobile device.
The part of the survey that dealt with security policies for mobile devices showed that one third of companies allow their employees to use them with full access to the corporate network and its resources. By doing so, they are creating a gaping hole in their security. When it comes to corporate security policies for personal devices, the findings are not very encouraging either: only 9% plan to introduce tough restrictions. A significant proportion of the respondents (36%) stated that their companies would approve of using personal devices for work-related tasks.
Targeted attacks pose yet another major threat to company infrastructure. Over the past year several incidents have occurred that have made IT specialists start taking the issue seriously. In particular, 11% of respondents believe that this threat will be their main concern in the future and one third of specialists are sure their companies will be attacked sooner or later.
Many IT professionals cited budget constraints and the lack of a clear understanding among senior managers when it came to their department’s objectives and goals, not to mention an insufficient number of trained personnel. At the same time 31% of those surveyed admitted that they had never heard about any of the most common cyber-threats, including direct threats to their companies. Thus, it is not just a matter of hiring new employees; existing staff also need to be educated.
Find the entire study in the attached PDF document.