Enterprise security is the classic “caught between a rock and a hard place” scenario. On one hand, the attacks are frequent and often quite effective. The losses mount quickly — $2.8 million annually for large enterprises.  Organizations face lost productivity, lost revenue, and a loss of customer trust.  

On the other hand, providing enterprise security is excruciatingly difficult  Even with massive staffs (230 or more for large enterprises), enterprises feel understaffed. And new data center initiatives – such as cloud computing and virtualization – make the job of providing enterprise security more difficult with each passing day. Despite these difficulties, the “Symantec 2010 State of Enterprise Security Report” shows organizations are holding their own and highlights simple steps IT managers can take to win the security battle.

Applied Research fielded the survey by telephone in January. The respondents came from three groups:

  1. Small enterprise  (500 – 999 employees)
  2. Mid-sized enterprises (1,000 – 4,999 employees)
  3. Large enterprises (5,000+ employees)

The 2,100 respondents came from a wide variety of industries and included a mix of CIOs, CISOs, and senior IT management in 27 countries. 

Enterprise security is IT’s top concern

Forty-two percent of organizations ranked cybersecurity as their top risk, beating out such notables as traditional crime, natural disasters, and terrorism. On average, IT assigns 120 staffers to security and IT compliance. In large enterprises the number is even higher – 232.

Nearly all (94 percent) expect to implement changes to their cybersecurity efforts in 2010, with almost half (48 percent) forecasting major changes.

Enterprises are experiencing frequent attacks

Seventy-five percent of all enterprises have experienced cyberattacks in the past 12 months. Forty-one percent said these attacks were “somewhat/highly effective.” When asked about specific types of attacks, 57 percent reported somewhat to extremely fast growth, with “external malicious attacks” the fastest growing type.

Costs of cyberattacks are high

The study found all of the enterprises surveyed had experienced cyberlosses in 2009. The most common losses were:

  • Theft of customer personally-identifiable information
  • Downtime of environment
  • Theft of intellectual property
  • Theft of customer credit card information

These led to serious costs to 92 percent of the cases, most commonly:

  • Lost productivity
  • Lost revenue
  • Loss of customer trust

Enterprises reported an average combined cost of $2 million annually. For large enterprises, the cost was especially high – almost $2.8 million annually.

Enterprise security is becoming more difficult

Organizations have their hands full with the high frequency of attacks and staggering losses. Unfortunately, data center realities are making it even harder for IT to secure the enterprise.

Enterprise security is understaffed. The most impacted areas are:

  1. Security systems management
  2. Data loss prevention
  3. Network security
  4. Endpoint security

These security staffing woes come just as IT is rolling out initiatives that make providing security more difficult:

  • Infrastructure-as-a-service
  • Platform-as-a-service
  • Server virtualization
  • Endpoint virtualization
  • Software-as-a-service

So, two of the hottest new technologies – cloud computing and virtualization – are also the technologies most apt to make security staff’s jobs more difficult.

Finally, enterprises are buried with IT compliance efforts. The study found that enterprises are currently exploring a staggering 19 separate IT standards or frameworks and are actually currently using eight of them. The top frameworks/standards mentioned were:

  •   ISO
  •   HIPAA
  •   Sarbanes-Oxley
  •   CIS
  •   PCI DSS
  •   ITIL

Recommendations

Organizations need to protect their infrastructure by securing their endpoints, messaging and web environments. In addition, defending critical internal servers and implementing the ability to backup and recover data should be priorities. Organizations also need the visibility and security intelligence to respond to threats rapidly. 

IT administrators should protect information proactively by taking an information-centric approach to protect both information and interactions. Taking a content-aware approach to protecting information is key in knowing where sensitive information resides, who has access, and how it is coming in or leaving your organization. 

Organizations need to develop and enforce IT policies and automate their compliance processes. By prioritizing risks and defining policies that span across all locations, customers can enforce policies through built-in automation and workflow and not only identify threats but remediate incidents as they occur or anticipate them before they happen.

Finally, organizations need to manage systems by implementing secure operating environments, distributing and enforcing patch levels, automating processes to streamline efficiency, and monitoring and reporting on system status.

For more information on Symantec’s 2010 State of Enterprise Security study, click this link to visit the Symantec online newsroom.