Eighty-eight percent of companies understand IT security is becoming more important, and have put a proactive strategy in place, according to a new study by AT&T.
AT&T surveyed 504 IT executives at companies with annual revenues greater than $25 million. But if “proactive” and “prepared” meant the same thing, that percentage would put AT&T’s respondents in a rarefied category among U.S. companies.
According to Kaspersky Labs’ Global IT Risks Survey for 2012, 40 percent of businesses feel unprepared for digital security threats; only 44 percent protect sensitive data with encryption; 44 percent allow free access to corporate data with a laptop and 33 percent allow open access via smartphone. “The measures being taken by IT specialists are woefully inadequate,” that study concluded. “Only a little more than half of the respondents believe their company is really secure.”
The real issue is the antiquated secure-the-perimeter approach most companies take, according to William Murphy, CTO and managing director of financial services firm Blackstone Group L.P.
“Historically people have focused on building thicker and taller walls to keep people from getting into an environment,” he said. “With the proliferation of mobile and social [networking] it becomes easier for the adversaries to target people individually. No matter how thick your walls are, if someone leaves open the castle door, you’re stuck.”
Responsibility for business-continuity plans has always lived in the datacenter. It is only since the advent of heavily consolidated and virtualized infrastructures that security has moved in as well—as IT staffs consolidate and reorganize to match the newly datacenter-dependent infrastructures they support.
In the case of the AT&T study, “proactive” appears to mean that those polled can identify security as a priority issue with their organizations, and that the company has a business-continuity plan in place.
Even among AT&T’s respondents, 63 percent said breaches in data security are their most important concern during 2013, while 84 percent said mobile networks and devices increase the risk.
Other surveys back up those findings. U.S. corporations are spending more money, time and attention on security, but both the risk and the cost continue to rise, according to Ponemon Institute’s Cost of Data Breach study published last month. Companies polled by Ponemon reported an average annual cost of $8.9 million for data breaches, a 6 percent increase compared to the year before.
The most common cause of data breaches is malicious attack, but negligence and glitches in systems or processes account for two-thirds of the attempts that are successful, according to Ponemon. Still, proactivity can help cut down on the risk and the costs. Having a dedicated information-security officer in IT, an incident-response plan and an active search for penetration attempts from outside can reduce the risk of a breach by 25 percent, the study showed.
What those things can’t do is secure laptops, tablets and smartphones, whose inability to be fully secured makes them a continual risk. Despite the risk, only 13 percent of Ponemon respondents used stricter security standards for mobile devices than for PCs.
Just as with perimeter security, the focus on mobile security should be on actual threats, not keeping unauthorized devices out of the network, Murphy said: “When you do that people just circumvent the precautions by emailing things to themselves or whatever.” Security spending, he added, “should probably be more in what’s happening in the infrastructure so you can better handle the real threats—phishing and spearphishing and malware. Then if there is a breach, or potential for a breach it can be contained extremely quickly.”