Enterprise security an ongoing challenge: Symantec

Staffing, cloud computing and IT compliance are top challenges facing enterprise security this year, according to the 2010 State of Enterprise Security report recently released by Cupertino, Calif.-based Symantec Corp.

The study, based on a survey of 2,100 enterprise CIOs, CISOs and IT managers from 27 countries, finds enterprise security “becoming more difficult due to a number of factors” and highlights three specific areas of concern.

One, enterprise security is understaffed, with the most affected areas being network security (44 per cent), endpoint security (44 per cent) and messaging security (39 per cent), the report stated. Second, initiatives that IT rated as most problematic from a security standpoint include infrastructure-as-as-a-service, platform-as-a-service, server virtualization, endpoint virtualization and software-as-a-service. Third, the typical enterprise is exploring 19 separate IT standards and frameworks and are currently employing eight of them. The top standards include ISO, HIPAA, Sarbanes-Oxley, CIS, PCI and ITIL.

Every enterprise surveyed experienced cyber losses in 2009, with the top three losses being theft of intellectual property, of customer credit card information (or other financial information) and of customer personally identifiable information. These losses, the survey found, translated to monetary costs 92 per cent of the time. The top three costs were productivity, revenue and loss of customer trust.

Enterprises are also forecasting upcoming changes to security, with 94 per cent of respondents anticipating changes to security in 2010 and 48 per cent “expecting major changes” to take place, the survey found. These major changes include increased utilization of virtualization within the enterprise and moving portions of enterprise infrastructure to some type of cloud-based service, according to Matthew Steele, director of strategic technology at Symantec. “We are also seeing a lot updating of existing security technologies and … big drives on the compliance side,” he said.

To tackle security challenges related to virtualization, Steele recommends enterprises architect their security based on the information they want to protect and provide a similar security structure for the data wherever it is located. “I’m not saying that is easy to do, but if you focus on the target of the attack and understand you want to protect the data and understand where that data lives, you can start to at least have a model where you can adapt the security profile of the infrastructure as that data moves,” he said.

Ottawa-based independent security consultant Brian O’Higgins said the challenges enterprises face with security are likely even larger than Symantec’s report suggests. Seventy-five per cent of enterprises experienced cyber attacks in the last 12 months, according to Symantec’s report. “I expect it’s probably closer to 100 per cent that have actually been subject to an attack,” said Higgins.

Cyber attacks are like “background radiation,” Higgins pointed out. “If the company doesn’t know about it, maybe it wasn’t a very successful attack, but … if you have an Internet presence, there is all this background radiation. A good deal of it is just attacking you continually,” he said.

Higgins agrees that cloud computing and virtualization will bring about the biggest changes and challenges to enterprise security in the upcoming year. “As enterprises move more and more toward cloud services, we are open to more security problems,” he said.

And, enterprises are continually rolling out service offerings and use current styles of security, he pointed out. “Any new technology requires new security. We are at a point where new technology is happening before the security is catching up. That’s a bad sign for the future,” he said.

Francis Ho, executive member of the Federation of Security Professionals, doesn’t foresee drastic changes to how Canadian organizations will approach security this year. “In terms of cyber attacks, it’s business as usual in the sense that we are always going to get hit and we need to defend against it,” he said. 

But Ho does expect a “large focus” on compliance issues, particularly PCI, within the Canadian market as a result of gaps revealed in the last year. “Now that you know where your gaps are, you will be focusing this year on closing those gaps,” said Ho.

Canada-specific findings released in Symantec’s report include:
 
* Two thirds of respondents believe “cyber attacks were the greatest risk to the organization.”
 
* Seventy-eight per cent report their “manpower capacity for security systems management was growing.” 
 
* Thirty-three per cent “experienced a higher than usual number of denial-of-service attacks in 2009.”