34 Percent of Security Pros Say Their Budgets Are Inadequate

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

According to the results of a recent survey of 207 U.S. security professionals dealing with malware analysis, 34 percent of respondents expressed concern over not having enough budget for the right tools to defend against advanced malware, up from 18 percent in a similar survey two years ago.

The survey, conducted by Opinion Matters on behalf of ThreatTrack Security in December 2015, also found that 37 percent of security analysts don't have enough highly-skilled security staff to defend their networks from advanced malware.

"With high-profile data breaches emerging one after the other, growing security accountability within enterprises and the exponential growth in cybersecurity investments, the last two years have been transformational for the security industry," ThreatTrack president John Lyons said in a statement. "But despite access to more tools, security analysts -- the most critical resource within an enterprise's cyber defense -- remain ill-equipped, underfunded and understaffed in their daily battle against advanced malware."

Only 20 percent of respondents said their defenses against hackers have improved over the past year.

Respondents said the most difficult technical challenges they face in defending their networks are complexity of malware (56 percent), volume of malware (47 percent), over-alerting by cyber security systems (35 percent), and inability to correlate data or threat intelligence to specific attacks (24 percent).

Still, 62 percent of respondents said they could "personally guarantee" their company's customers that their data will be safe in 2016.

Twenty-six percent of respondents have been asked to remove malware from a computer or device used by a member of their senior leadership team after it was used to visit an infected porn site, 59 percent have been asked to remove malware after the user clicked on a malicious link in a phishing email, 29 percent have been asked to remove malware after the computer or device was used by a family member of the user, and 33 percent of have been asked to remove malware after an infected USB drive or smartphone was attached to the user's computer.

Among respondents at organizations with a CISO, 30 percent cited the lack of budget as a major challenge, compared to 45 percent of respondents at organizations without a CISO. And among security analysts at organizations with a CISO, 71 percent would personally guarantee their customer data will be safe in 2016, compared to just 42 percent of security analysts at organizations without a CISO.

Separately, PandaLabs says it detected more than 84 million new malware samples in 2015 among a total of 304 million samples worldwide, meaning that more than 27 percent of all malware samples ever recorded were produced in 2015.

Trojans were the main source of malware in 2015 at 51.45 percent, followed by viruses (22.79 percent), worms (13.22 percent), potentially unwanted programs (10.71 percent), and spyware (1.83 percent).

"We predict that the amount of malware created by cyber criminals will continue to grow," PandaLabs technical director Luis Corrons said in a statement. "We also can’t forget that the creation of millions of Trojans and other threats corresponds to the cybercriminals' needs to infect as many users as possible in order to get more money."

And Tripwire cybersecurity researcher Craig Young told eSecurity Planet by email that the data from PandaLabs unfortunately indicates that crime does pay. "The malware industry has evolved into a complex criminal economy with a community of specialists ranging from programmers and translators to service providers and money mules," he said.

"Individual malware campaigns have been cited as bringing in revenue in the hundreds of millions of dollars per month, attracting many unemployed or underemployed technical experts from around the globe," Young added.

Recent eSecurity Planet articles have looked at three questions every CISO should answer, and examined the importance of end user security training.