IT professionals are troubled by the risk of data leakage associated with employee smartphones and are focusing on bolstering endpoint security, according to a new study.
Mobile devices will pose the biggest threat in 2014, according to a survey of 676 IT and IT security professionals conducted recently by the Ponemon Institute. About three-quarters of those surveyed cited the risk posed by mobile devices as their biggest concern, up from just 9 percent in 2010.
Meanwhile, targeted attacks, designed with custom malware that can maintain a lengthy presence on corporate systems, is close behind as a troubling trend, the survey found. About 40 percent of those surveyed said their firm was the victim of a targeted attack in the past year, according to the survey, which was commissioned by vulnerability management vendor Lumension Security.
[Related: The 10 Coolest Security Startups Of 2013]
"According to these knowledgeable respondents, endpoint security risk is more difficult to manage than ever," said Larry Ponemon, chairman and founder of the Ponemon Institute. "The reason is the growing number of employees and other insiders using multiple mobile devices in the workplace, followed by the increase in personal devices connected to the network and the growing popularity of public cloud services such as Dropbox."
The study found that malware incidents are straining IT security budgets, with more than half of the respondents indicating they have been forced to increase budgets to meet the growing threat. The bulk of the malware infections are driven by known, financially motivated malware strains, followed by drive-by attacks, the survey found. IT security pros said the next frequently encountered threat was rootkits followed by targeted attacks.
Attacks are becoming more automated and easier to carry out, giving IT teams at managed security service providers more problems to deal with, said Lanny Cornwell, chief technology officer at F1 Computer Solutions. Cybercriminals increasingly are targeting small businesses, and solution providers are responding by conducting risk evaluations with their clients to help reduce configuration weaknesses and vulnerabilities, Cornwell said.
"Everybody is aware and concerned about the current threats that are becoming increasingly sophisticated," Cornwell said. "You can get your hands on any malicious code that you would like."
The increase in mobility has employees sharing more files using Box, Dropbox and other cloud services. Policies designed to restrict employees from using those services for corporate data are becoming harder to enforce, the survey found.
The respondents said risks increase with the use of Adobe Flash Player, Acrobat and Reader followed by Google Docs, Microsoft applications, and third-party applications and browser components that are rarely maintained with the latest security patches.
System administrators often attempt to address weaknesses at the endpoint, but the task is daunting even at midsize businesses where the number of devices that need to be addressed seems to be constantly increasing, said Nash Pherson, senior systems consultant at St .Paul, Minn.-based solution provider Now Micro. Pherson said organizations need to have good processes in place to be effective at patch management, a key component of reducing risks.
"Keeping the devices updated and consistent is a constant struggle," Pherson said.
How will companies spend their IT budgets to meet the threats? Ponemon said whitelisting technology was cited most in the study, followed by data loss prevention software. Emerging platforms that can identify advanced threats was next, followed by mobile device management.
PUBLISHED DEC. 18, 2013