Ponemon Study: Workers Ill-Equipped For Cyber Threats

An overwhelming majority of organizations don't feel adequately prepared to defend themselves against increasingly sophisticated malware attacks and many are less prepared than they were a year ago, according to the latest Ponemon Institute study, released Monday.

The State of Endpoint Risk study, co-sponsored by the Ponemon Institute and security firm Lumension, assessed how effective organizations are in adopting effective endpoint security measures while determining some of the biggest obstacles to reducing risk. The study surveyed 564 respondents involved in their organizations' day-to-day IT functions.

’Probably most surprising this year is that companies are doing themselves no favors by not using the technologies they themselves have identified as most effective at combating endpoint security risks and threats,' said Larry Ponemon, Ponemon Institute chairman and founder.

’Hand in hand with that is a need for IT security pros to convince senior management of the perils of ignoring the threats of this new information risk environment," he added. "There is a real need to put the appropriate technologies and personnel in place to best-position organizations of all sizes and in all industries for success in the ongoing battle to ward off cyber threats as we head into 2011.’

According to the study, 64 percent of IT executives contend that they are not more secure than they were a year ago or are uncertain.

Additionally, despite the growing insecurity and lack of preparation, almost half (48 percent) of IT executives maintain that operating expenses are increasing, driven, in part, by costs related to increased malware attacks and other cyber threats. Of the respondents who say that costs are increasing, 59 percent contend that malware attacks are a "very significant" factor in those drivers.

The lack of confidence and security throughout the workplace comes as the workforce becomes more mobile and accustomed to unrestricted access to their organizations' network from almost anywhere in the world.

Meanwhile, hackers are increasingly focusing on third-party and Web-based applications as their primary attack vectors, and subsequently, organizations are reporting that they are increasingly a target for malware attacks.

Altogether, 62 percent of respondents said that their organization has been subjected to at least 50 malware attack attempts each month, averaging at least one or more per day. In addition, 98 percent said that they had a viruses or malware network intrusion, while 95 percent said that they had desktops, laptops or other mobile devices stolen. Another 89 percent said that sensitive company data was lost due to insider negligence, while 61 percent said that they suffered a data breach because of a malicious insider.

Overall, organizations realized that the threat landscape has shifted away from data centers, operating systems and network infrastructures. Instead, organizations expressed strong concerns regarding proliferation of difficult-to-detect cyber threats. Other salient and growing threats include attacks delivered over mobile and remote platforms as well as malware disturbed via third party applications.

Next: Respondents Think Current Security Technologies Could Be Better

Despite the increasing prevalence of malware threats targeting workplace applications and platforms, respondents in general were not optimistic about their ability to defend themselves from malware attacks and other cyber threats in light of slashed budgets and unenforceable workplace security policies.

The study found that workers thought that widely used security technologies, such as anti-virus and anti-malware, could be more effective at adequately mitigating threats. More than half of organizations relied on intrusion detection (57 percent) and patch and remediation management (53 percent), however only 19 percent believed that intrusion detection was one of the most effective ways to reduce risk, while only 38 percent said that patch management was one of the most effective.

However, 70 percent of users said that vulnerability assessment was one of the most effective methods in reducing IT risk, although only about half (51 percent) say that they employ that approach. Other technologies considered effective, but less used include application whitelisting, used by 29 percent, and endpoint management and security suites, used by 40 percent.