'State of Security' Report Shows Organizations Recognize Pervasiveness and Resiliency of Cyber Criminals Yet 79 Percent Experienced a Significant Incident in Past 12 Months
SANTA CLARA, Calif. - March 6, 2012 - McAfee today announced the State of Security report showing how IT decision-makers view the challenges of securing information assets in a highly regulated and increasingly complex global business environment. It also reveals companies' IT security priorities around processes, practices and technology for 2012. As the corporate data environment expands, effective information security is possible only by creating a Strategic Security Plan (SSP) which incorporates a comprehensive threat analysis and an in-depth, layered security risk mitigation approach. The survey looked to identify some of the key trends facing enterprises in developing their SSPs.
Security Maturity
The survey respondents categorized themselves into various
states of security maturity. These categorizations help to
understand the mindset of the companies as they view
enterprise information security. The terms below are used
to describe the level of security maturity of participating
organizations:
-
Reactive - uses an ad hoc approach to defining security
processes and is event driven. 9 percent of the surveyed
companies claim to be at this stage.
-
Compliant - has some policies in place, but has no real
standardization across security policies. The
organization adheres to some security standards or the
minimum required. 32 percent of the surveyed companies
claim to be at this stage.
-
Proactive - follows standardized policies, has
centralized governance, and has a degree of integration
across some security solutions. 43 percent of the
surveyed companies claim to be at this stage.
- Optimized - follows security industry best practices and maintains strict adherence to corporate policy. The organization utilizes automated security solutions which are highly integrated across the enterprise. 16 percent of the surveyed companies claim to be at this stage.
"Every organization needs to take a layered approach to security, utilizing both processes and solutions designed to prevent compromise. Complicating the challenge of managing risk and securing data is the fact that 'the enterprise' now extends far beyond office walls and perimeter firewalls," said Jill Kyte, vice president at McAfee. "Companies are giving network access to business partners and contract workers, and in some cases, even to customers. Workers access the enterprise network remotely using mobile devices, many of which are personally owned and not controlled by the company whose network they access. Moreover, data and applications are being moved into public and hybrid cloud environments where the data owners have little direct control over security and all of this requires a business to have a Strategic Security Plan."
The key findings included:
-
Organizations are confident about identifying the most
critical threats to their environments and knowing where
their critical data resides. However, most companies are
not confident about quantifying the potential financial
impact of a breach should one occur.
-
Organizational awareness and protection against
information security risks is very important. However,
one-third of the "Optimized" companies are uncertain
about their IT security posture in terms of awareness and
protection. Despite having formal strategic plans, 34
percent of the companies believe they are not adequately
protected against information security risks which could
impact their business.
-
A majority of the respondents tell us that as they
develop Strategic Security Plans, they include
consideration of potential threats and the associated
risk to business and financial analysis. Yet, four out of
five of the companies experienced a significant security
incident in the past 12 months.
-
Almost a third of organizations surveyed have either not
purchased or not yet implemented many of the
next-generation security technologies that are designed
to address current-day threats, despite more than 80
percent of the organizations identifying malware, spyware
and viruses as major security threats.
-
Two out of every five organizations have either an
informal or ad hoc plan or no security strategic plan in
place. The size of the organization matters when it comes
to having a formal SSP. Six of every ten large
enterprises have a formal SSP, two out of every three
mid-size enterprises has a formal SSP, while this ratio
dips to only one in two small enterprises.
-
Organizations in North America and Germany are more
likely to have a formal SSP than those organizations in
other regions of the world. This may be attributed to the
regulatory environments in those countries.
- Top priorities for 2012 include implementing stronger controls to protect sensitive data and ensuring business continuity. The lowest priority is to reduce capital and operating expenditures for security infrastructure, which in turn indicates that organizations are willing to spend on the right kind of security solutions.
Conclusions
While organizations are working on their strategic security
plans and putting in their best efforts toward protecting
business systems and critical data, there is much room for
improvement all the way around.
-
Step up to a higher security maturity level. Only 16
percent of the survey respondents classify their
organizations as being at the "Optimized" level. Worse,
however, is the fact that 9 percent of the organizations
are "Reactive" in their approach to IT security.
-
Executive involvement is crucial. While IT and security
personnel may take the lead in developing the plan, it's
important to have insight from those who best understand
the business systems and the data they use. Moreover,
executive involvement is critical to set the tone for the
importance of security throughout the organization.
-
Test early, test often, and make adjustments as needed.
What good is a plan if it is developed and put on a
shelf? If it is never tested? Unfortunately we learned
that 29 percent of "Compliant" companies never test how
they would respond to an incident. What's more, the fact
that 79 percent of the surveyed companies had security
incidents in the past year indicates that there are gaps
in the security plans that must be addressed.
-
Use budget allocations wisely. Though every manager would
like to have a bigger budget to be able to apply more
safeguards, the "Optimized" companies have found ways to
reach the highest level of performance with the same
level of funding (percentage-wise) as the companies who
are less prudent with their budgets.
-
Use the right tools for the current threats. The survey
shows that 45 percent of the companies haven't deployed
next-generation firewalls. Mobile security is another
area that should not be ignored, yet 25 percent of the
organizations have not purchased any tools for this
purpose.
- Focus on protecting the lifeblood of the company-the sensitive corporate data. The top priorities for 2012 include implementing stronger controls to protect sensitive data and ensuring business continuity. Additional high-priority activities are all meant to improve each organization's overall security posture. This is encouraging because without timely recognition and mitigation of security threats, an organization may be the next news headline-and nobody wants that dubious distinction.
About the Survey
The survey was conducted by Evalueserve and included
responses from 495 organizations. Countries included in the
survey were: United States, Canada, United Kingdom,
Germany, France, Brazil, Australia, Singapore, and New
Zealand and range in size from a minimum of 1,000 employees
to more than 50,000 employees. The report is available at:
www.mcafee.com/ssp
About McAfee
McAfee, a wholly owned subsidiary of Intel Corporation
(NASDAQ:INTC), is the world's largest dedicated
security technology company. McAfee delivers proactive and
proven solutions and services that help secure systems,
networks, and mobile devices around the world, allowing
users to safely connect to the Internet, browse and shop
the Web more securely. Backed by its unrivaled Global
Threat Intelligence, McAfee creates innovative products
that empower home users, businesses, the public sector and
service providers by enabling them to prove compliance with
regulations, protect data, prevent disruptions, identify
vulnerabilities, and continuously monitor and improve their
security. McAfee is relentlessly focused on constantly
finding new ways to keep our customers safe. http://www.mcafee.com
About Evalueserve
Evalueserve is a global specialist in knowledge processes
with a team of more than 2,600 professionals worldwide. As
a trusted partner, Evalueserve analyzes, improves and
executes knowledge-intensive processes and leverages its
proprietary technology to increase efficiency and
effectiveness. We have dedicated on-site teams and scalable
global knowledge centers in Chile, China, India and
Romania, which provide multi-time zone and multi-lingual
services.
Evalueserve's knowledge solutions include customized research and analytics services for leading-edge companies worldwide. By partnering with us, clients benefit from higher productivity, improved quality, and freed-up management time. We provide our clients with better access to knowledge and information across all parts of their organization, thereby adding to their capabilities.
Note: McAfee is a registered trademark or trademark of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others. ©2012 McAfee, Inc. All rights reserved.
McAfee, Inc.
Sal Viveros, +44-(0)7921-891-506
Sal_Viveros@mcafee.com
or
H3O Communications
Heather Edell, 415-618-8814
heather@h3ocommunications.com