While the cybersecurity situation is improving slightly, IT still has a lot more work to do. From educating the workforce and enforcing policies to securing employee-purchased devices and classifying information so it can be more cost-effectively protected, IT is still locked in an arms race with more and more sophisticated attackers.

According to Symantec's 2011 State of Security Survey, for the second year in a row, IT said security is the leading business risk they face, ahead of traditional crime, natural disasters and terrorism. However, organizations are getting better at fighting the war against cybersecurity threats. While the majority of respondents suffered damages as a result of cyberattacks, more respondents reported a decline in the number and frequency of attacks compared to 2010.

There were some positive findings: 71 percent of organizations experienced attacks in the past 12 months, compared to 75 percent in 2010. The percentage who reported an increasing frequency of attacks fell from 29 percent in 2010 to 21 percent in 2011, and 92 percent of companies had losses from cyberattacks in 2011, down from 100 percent last year.

“Mobile computing, social media use, and the consumerization of IT are providing new challenges as organizations increase their cybersecurity efforts,” said Sean Doherty, VP and CTO of Enterprise Security at Symantec. “There’s no question that attackers are using more insidious, sophisticated and silent methods to steal data and wreak havoc. Organizations today have more to lose than ever before and need to keep adopting the security innovations and best practices that the industry is delivering to stay protected.”

Organizations more concerned about cybersecurity

Security continues to be a huge concern for organizations. While businesses face a variety of risks including natural disasters, traditional crime, and even terrorism, the top three concerns are related to data and network security. Respondents rank cyberattacks as their top concern, followed by IT incidents caused by well-meaning insiders, and internally generated IT related threats.

The survey also found more and more businesses believe that keeping their operations and information secure is of vital importance: 41 percent said cybersecurity is somewhat or significantly more important than 12 months ago. In contrast, only 15 percent think it is somewhat or significantly less important.

Cybersecurity drivers changing

As organizations deal with the proliferation of smartphones and tablets in the enterprise, as well as the immense popularity of social media, they are grappling with new security challenges: 47 percent of respondents said mobile computing was affecting the difficulty of providing cybersecurity, followed by social media (46 percent), and the consumerization of IT (45 percent).

Organizations report that the threats they’re facing are evolving, as well. Hackers are still their top concern, cited by 49 percent, followed by well-meaning insiders (46 percent). New to the list this year are targeted attacks, such as Stuxnet, that zero in specifically on a single organization for political or economic reasons.

Most businesses experience cyberattacks

It’s no secret that businesses continue to experience cyberattacks: 29 percent of companies experience attacks on a regular basis and 71 percent saw attacks in the past 12 months. Furthermore, 21 percent said the frequency of attacks is increasing.

The top attack vectors are malicious code, social engineering, and external malicious attacks. Interestingly, these are also the fastest growing attack vectors.

Most companies experienced losses from cyberattacks. The top three reported losses were downtime, theft of employee’s identity information, and theft of intellectual property. These losses translated to monetary costs 84 percent of the time. The top costs were productivity, revenue, lost data, and brand reputation.

The survey found that 20 percent of small businesses lost at least $100,000 last year due to cyberattacks. That figure was even higher for large enterprises, with 20 percent incurring $271,000 or more in damages.

What are businesses doing?

According to their own assessment, 52 percent of the respondents said they are doing somewhat or extremely well in addressing routine security measures, while 51 percent reported that they are doing somewhat or extremely well in responding to security attacks or breaches. They’re not doing quite as well in areas of compliance and pursuing strategic initiatives or innovative security measures.

In order to address these shortfalls, businesses are increasing staffing levels and budgets for the IT department. They are adding the most staff in areas of network, Web and endpoint security. Security budgets are also growing in Web and network security, as well as data loss prevention. It’s clear that organizations are stepping up their efforts in improving their protection.

Recommendations

Organizations need to develop and enforce IT policies. By prioritizing risks and defining policies that span across all locations, businesses can enforce policies through built-in automation and workflow to protect information, identify threats, and remediate incidents as they occur or anticipate them before they happen.

Businesses need to protect information proactively by taking an information-centric approach to protect both information and interactions. Taking a content-aware approach to protecting information is key in identifying and classifying confidential, sensitive information, knowing where it resides, who has access to it, and how it is coming in or leaving your organization.

Proactively encrypting endpoints will also help organizations minimize the consequences associated with lost devices.

To help control access, IT administrators need to validate and protect the identities of users, sites and devices throughout their organizations. Furthermore, they need to provide trusted connections and authenticate transactions where appropriate.

Organizations need to manage systems by implementing secure operating environments, distributing and enforcing patch levels, automating processes to streamline efficiency, and monitoring and reporting on system status.

IT administrators need to protect their infrastructure by securing all of their endpoints -- including the growing number of mobile devices -- along with messaging and Web environments. Defending critical internal servers and implementing the ability to back up and recover data should also be priorities. In addition, organizations need visibility, security intelligence and ongoing malware assessments of their environments to respond to threats rapidly.

About Symantec’s 2011 State of Security Survey

Applied Research fielded this survey by telephone in April and May 2011. The results are based on 3,300 responses in 36 countries. The company surveyed C-level professionals, strategic and tactical IT, and individuals in charge of IT resources from companies with a range of five to more than 5,000 employees.

Of the total responses, 1,225 were from companies with 1,000 or more employees. The survey included respondents in 36 countries in North America, EMEA (Europe, Middle East and Africa), Asia Pacific and Latin America.