Enterprises are well aware of growing security threats to their organizations, but so far have lacked the resources and staff to deal with increasingly sophisticated and malicious cyber attacks, according to Symantec's latest "State of Enterprise Security" study.
The telephone survey conducted in January contacted 2,100 businesses and government agencies in 27 countries and found that 100 percent of them had experienced cyber losses of some type in the past year. Seventy-five percent of organizations said they were hit by a cyber attack in the past year and 36 percent of those rate the attacks as either "somewhat" or "highly effective."
The top three reported losses were theft of intellectual property, theft of customer credit card information or other financial information that resulted in monetary loss in 92 percent of instances. The top three costs, according to the survey conducted for Symantec (NASDAQ: SYMC) by Applied Research, were productivity, revenue, and loss of customer trust.
It concluded that on average, companies and government agencies spent an average of $2 million annually to combat cyber attacks.
"Protecting information today is more challenging than ever," Francis deSouza, Symantec's senior vice president of enterprise security, said in the report. "By putting in place a security blueprint that protects their infrastructure and information, enforces IT policies, and manages systems more efficiently, businesses can increase their competitive edge in today's information-driven world."
However, even the best enterprise security plan and intentions are often trumped by budget realities that keep companies from implementing the security blueprints they conceive.
Respondents on average said they were exploring 19 different IT standards or frameworks to protect their networks and were currently employing at least eight of them. The top standards identified were ISO, HIPAA, Sarbanes-Oxley, CIS, PCI and ITIL. Key areas woefully understaffed
But IT managers said they are understaffed in key areas, with network security (44 percent), messaging security (39 percent) identified as groups that remain woefully understaffed.
Also, the projects that business executives have signed off on to remain competitive and reduce costs -- Platform-as-a-service (PaaS), virtualization, endpoint virtualization and Software-as-a-Service (SaaS)-- also present the most technically complex security issues.
Increasing network security
Saying that, these IT managers are far from naïve when it comes to the enormous risks and potential losses that persistent cyber attacks can have on their organizations.
The study found that 42 percent of enterprises acknowledge that cyber risk is their top priority and concern -- more than terrorism, natural disasters, and garden-variety theft combined. On average, they said, IT departments assign 120 staffers specifically to address security and IT compliance issues.
Even with this increased attention on safeguarding critical data and systems, enterprises continue to report massive cyber attacks that compromise not only customer confidence but, potentially, their ability to remain in business.
Last week, NetWitness, a Virginia-based computer security firm, disclosed that organized hackers had broken into the computers of 2,411 companies and government agencies over the past 18 months. The hackers gained access to personal and corporate information that can be used to infiltrate bank accounts and steal intellectual property.
In January, senior executives at Exxon Mobile (NYSE: XOM), ConocoPhillips (NYSE: COP) and Marathon Oil (NYSE: MRO) confirmed that they were targeted by an extremely aggressive malware campaign attack in 2008 designed to steal key proprietary data -- including multi-million-dollar research to locate the next great oil or natural gas discovery.
Symantec researchers said enterprises need to make protecting critical internal servers their top priority and should implement strategies and technologies that give them the visibility and security intelligence to respond to cyber attacks immediately.
"IT administrators need to protect information proactively by taking an information-centric approach to protect both information and interactions," Symantec officials said. "Taking a content-aware approach to protecting information is key in knowing where sensitive information resides, who has access, and how it is coming in or leaving your organization."