While IT administrators often are off the mark when it comes to some of their security concerns, they're right on target when they list the top threat to their networks -- viruses and worms.

A recent survey of 133 major North American companies shows that IT administrators and chief security officers are most concerned about worms and viruses attacking their systems, according to Gartner, Inc., a major industry analyst firm based in Stamford, Conn. And while analysts say techies are smart to worry about malware, another Gartner report says they're sometimes off on the wrong track.

''When you look at what organizations struggle with day-to-day, viruses and worms are definitely at the top of the list,'' says Rich Mogull, a research vice president at Gartner. ''Though insider threats and a few other problems may be more devastating, if you don't manage viruses and worms, you're not going to be able to carry out business on a daily basis.''

Mogull says if you judge the threats by potential damage, then insider threats might top the list. But those kinds of attacks, thankfully, are less frequent. Worms and viruses top the list through sheer volume.

Ken Dunham, director of malicious code at iDefense, Inc., a security intelligence company based in Reston, Va., says malware is highly dangerous because it uses our own weaknesses against us.

''The reality is that malicious code is more about the exploitation of corporate weaknesses,'' says Dunham. ''You might have issues with a lack of communication and unpatched systems. That makes malicious code a core problem.''

Here is how the IT managers in Gartner's survey rated the threats to their organizations:

  • Viruses and worms;
  • Outside hacking or cracking;
  • Identity theft and phishing;
  • Spyware;
  • Denial of service;
  • Spam;
  • Wireless and Mobile Device Viruses;
  • Insider Threats;
  • Zero-Day threats;
  • Social engineering, and
  • Cyber terrorism.

    But Gartner analysts say at least one threat on that list shouldn't be there.

    The analyst firm recently released a report noting the top five over-hyped IT security threats. Some risks have been greatly exaggerated, largely by security vendors looking to increase their bottom line, says Mogull.

    ''The analysts who put that list together looked at hype and tried to determine if the hype was equal to the threat,'' says Mogull. In at least five cases, Gartner analysts concluded that it was not.

    Here is Gartner's list of over-hyped IT threats:

  • Internet Protocol (IP) telephony is unsafe;
  • Mobile malware will cause widespread damage;
  • 'Warhol worms will make the Internet unreliable for business traffic and virtual private networks;
  • Regulatory compliance equals security, and
  • Wireless hotspots are unsafe.

    ''Many businesses are delaying rolling out high productivity technologies, such as wireless local area networks (WLANs) and IP telephony systems, because they have seen so much hype about potential threats,'' says Lawrence Orans, principal analyst at Gartner.

    ''We've also seen the perceived need to spend on compliance reporting for Sarbanes-Oxley hyped beyond any connection with the reality of the legislation,'' adds John Pescatore, vice president and Gartner Fellow, in the written report.

    Gartner's Mogull says there are different issues behind each over-hyped threat.

    With hot spots, Mogull says there definitely is risk, but it's not as great as many people believe it to be. ''If you follow good security practices, you don't have to worry about that too much,'' he says. ''If you have an SSL or a VPN connection, like you would connecting to any corporate network, they can't sniff that traffic because it's encrypted.''

    As for compliance issues, the investments that vendors are talking about may far exceed your needs.

    ''It's not that you don't need to be compliant, but if you follow good security practices, then you're 90 percent compliant,'' adds Mogull. ''Basically, what we've seen is that everyone in the world is trying to jump on this compliant band wagon. In some cases, you may need to make investments, but overall, we recommend you be smart about how you do security, and you look at closing gaps. Don't ignore compliance but be aware that there's an incredible amount of hype around it.''

    When it comes to worrying about mobile devices and worms, Mogull and other analysts at Gartner say not to worry nearly so much.

    ''There have been a couple viruses, but no mass propagation of malicious code,'' says Mogull. ''Anti-virus companies love to issue press releases on this because there's a lot more mobile devices than PCs in the world... or at least there will be soon.

    ''IT should secure mobile devices but they shouldn't be investing in anti-virus software for PDAs,'' adds Mogull. ''Focus on secure connections and securing data in case a PDA is lost in an airport.''

    What it comes down to is ignoring the hype.

    ''Beware of the hype. Understand what the real security issues area,'' adds Mogull. ''Just because there are a couple of news articles or a billion vendors knocking down your door, it doesn't mean it's actually a security problem for you.''

    Dunham at iDefense says there's an awful lot to worry about when it comes to security, in general. It's a matter of figuring out what to worry about the most.

    ''As more and more threats emerge, it's getting to be very complicated and difficult for anybody to prioritize the greatest risks,'' says Dunham. ''They're looking for ways to survive the daily deluge of threats. It's all about prioritization today.''