The recent gutting of IT departments during the recent recession may be putting numerous businesses at risk as cyber criminals step up their online attacks.
More than 75 per cent of small and medium sized businesses (SMBs) (and larger enterprises as well) have been victims of at least one form of online attack, according to a recent report released by security products vendor Symantec Corp. of Mountain View, Calif.
Actual damages may vary depending on the size of the organization, but on average the attacks cost a business an about $2 million per year, according to the Symantec 2010 State of Enterprise Security Study.
Researchers also noted that security has “increasingly become more difficult to implement because many organizations are understaffed.”
Related articles
Cybercrime in 2010 – a tale of two perspectives
Governments “contracting out” cyber–attacks to criminal networks
About 29 per cent of the respondents also said cyber attacks have increased in the past year
“What surprised me was the frequency of the attacks. Three fourths of the respondents said they were attacked in the past 12 months, many of them were attacked more than once,” said Mathew Steele, director of strategic technology for the Enterprise Security Group at Symantec.
The 2010 survey covered around 100 firms in Canada, 300 companies in the U.S. and about 1,700 more respondents from Latin America, the Asia Pacific region, Europe and the Middle East.
It is Symantec’s first attempt to capture a snapshot of the global security landscape from the point of view of IT decision makers and managers rather than feedback from automated monitors and remote “honey pots.”
“The personal feedback we received really drove home the sentiment that many firms are struggling under the volume of attacks,” said Steele.
Twenty five per cent of respondents said they did not have any attacks in the past 12 months. About 46 per cent said they had “a few attacks”, about 18 per cent said they were under “regular attack”, 9 per cent were battling a “large number” of cyber attacks and 2 per cent said they had an “extremely large number” of attacks.
Excerpts from the study offer a glimpse into what CIOs, CSOs and IT managers have been trying to trying to grapple with.
Describing the attacks his organization face, a director of IT at a 35,000 person manufacturing company said, “We experience about eight to nine attacks a week on average.”
Smaller organizations are not immune.
According to an IT project manager at a mid-sized federal agency, “You can sit and watch our monitors, and see people try to attack us.”
A management information systems director at a mid-sized firm said, “Everyday, we see viruses, new spyware, and new backdoors. It is beyond crazy.”
The most common losses to cyber attacks are:
- Theft of customer personal information and credit card information
- Downtime and productivity
- Theft of intellectual property
“One IT head of a car dealership told us that every time a customer’s information is stolen it costs them $11,000 per name,” said Steele.
Understaffed and overworked
“Organizations have their hands full with the frequency of attacks and staggering losses,” said Steele.
Unfortunately, he said, data centre realities make it even harder for IT to secure the business.
According to the survey, the top four areas affected by understaffing are security systems management, data loss prevention, network security and endpoint security
These security staffing woes come at the worst time possible when many companies are implementing initiatives such as cloud services, software-as-a-service programs and virtualization that come with added security issues, according to the survey.
Initiatives rated as most problematic from a security standpoint were: infrastructure-as-a-Service; platform-as-a-service, server virtualization, endpoint virtualization and software-as-a-service.
Finally, many organizations are buried with IT compliance requirements. The study found that some companies are currently exploring 19 separate IT standards or frameworks and are currently using eight of them.
Smaller firms at a disadvantage
When it comes to keeping tabs on security and compliance issues, many small and mid-sized firms are at a disadvantage, according to Bruce Cowper, chief security advisor for Microsoft Corp.
“A lot of small businesses do not have someone responsible on a day-to-day basis for its IT infrastructure. They just don’t have the time and manpower,” he said.
Cowper also said that the current trend indicates that being small is no longer a protection more and more small businesses are now being targeted by cyber criminals.
As small businesses move their operations to the Internet and social networks in order to reach new market potentials, they also open themselves to a host of new threats.
Cowper said, in recent years, cyber criminals have shifted their focus from attacking the IT infrastructure to zeroing in on the application layer and any apps used within the organization.
“Business tools used by workers daily have become very vulnerable to malware that enter the system through business and social networking sites.”
Because malware no longer targets the infrastructure, it becomes harder to detect, according to Steele from Symantec.
Malware aimed at the infrastructure is more likely to create systems disruptions that alert IT security staff.
“You still see denial of service attacks still but more often hackers slip malware through e-mails and compromised sites. Trojans in stealth mode sit quietly in workers’ machines, logging keystrokes or stealing client data,” Steele said.
Malware kits, now readily available on the Internet, can easily turn company computers in to dangerous botnets, he said.
Recommendations
The Symantec study came out with four recommendations to mitigate cyber risks:
Protect the infrastructure – Organizations need to secure endpoints, messaging and Web environments. Defending critical internal servers and implementing backup and recovery programs should also be a priority.
Protect the information – IT administrators should take an information-centric approach to protect both information and interactions. Where sensitive information in concerned, administrators should know where information resides, who has access to it and how is it coming and leaving the organization.
Develop and enforce IT policies – Companies need to develop and enforce policies that automate the compliance process. These should span across locations, departments and process. The policies and workflow should identify threats and remediate incidents as they occur or anticipate them before they happen.
Manage systems – Organizations need to manage systems by implementing secure operating environments, distributing and enforcing patch levels, and monitoring and reporting on system status.
